r/CloudFlare: DNS mode - 526: Invalid SSL certificate (NOT USING PROXY MODE)

This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/ydfezy/dns_mode_526_invalid_ssl_certificate_not_using/

Question

Hi,

As of today we are getting a ton of failed requests on a URL that is NOT going through CF, but is just using DNS mode (i.e. NOT proxy). The endpoint has its own SSL certificate (signed by our own CA), and has been working just fine until today, when we just keep on getting "526: Invalid SSL certificate" responses, which include some CF-specific HTML markup in the response bodies, which should not be happening as we are NOT proxying through CF's servers!

We are very confused why this is happening, and it's quite disruptive. Has anyone got any idea what could be causing this?

Answer

Did you try to delete and re-add the specific DNS record, making sure it's on DNS only? Maybe something got screwed up and CF thinks it should proxy it.