Error reference HTTP status

Error 526: Invalid SSL Certificate

Error 526 'Invalid SSL Certificate' means Cloudflare connected to the website's origin server but rejected the certificate it presented — expired, self-signed, mismatched, or untrusted. Nothing on your side is being validated, so nothing on your side can fix it. Here's how to verify the diagnosis, avoid chasing lookalike local errors, and schedule retries that match how these incidents actually resolve.

526 Invalid SSL Certificate

What error 526 means

HTTP 526 'Invalid SSL Certificate' is issued by Cloudflare when it connects to a website's origin server in Full (strict) SSL mode, completes the TLS handshake, and then rejects the certificate the origin presented. Validation fails for the usual reasons: the certificate is expired, self-signed, issued by an untrusted authority, missing an intermediate in its chain, or issued for a different hostname.

It's worth separating 526 from its neighbor 525. A 525 means the handshake itself broke; a 526 means the handshake worked mechanically but the certificate's contents failed inspection. Both point at the origin's TLS configuration, and neither involves your client, your certificates, or your proxy — the rendered Cloudflare page is confirmation your request arrived intact.

The most common real-world trigger is mundane: an origin certificate quietly expired because it sat behind Cloudflare where nobody looked at it directly. That also explains the typical resolution pattern — 526s often vanish within hours once the operator renews the certificate.

526 Invalid SSL Certificate

How to fix error 526

As a visitor or scraper you can't renew someone else's certificate, but you can verify the diagnosis, rule out local lookalikes, and schedule retries around the fact that expired-certificate incidents usually resolve quickly.

  1. Confirm the HTTP 526 status and Cloudflare error page. Your connection, proxy, and TLS stack all worked — the origin's certificate failed Cloudflare's validation.
  2. If your client raises CERTIFICATE_VERIFY_FAILED or curl: (60) with no status code, that's a local problem — an outdated CA bundle, TLS interception on your network, or clock skew — not a 526.
  3. Check your system clock when local certificate errors appear — clock skew makes valid certificates look expired, but only inside your own client.
  4. Retry on a slow schedule — every 15–30 minutes rather than every few seconds. Expired origin certificates are usually renewed within hours of being noticed.
  5. Test related hostnames on the same domain. Certificates often lapse for one subdomain while the rest of the site stays valid.
  6. Cross-check from a different network or exit region to confirm the failure is global; multi-origin setups can present a bad certificate from just one node.
  7. Don't disable certificate verification in your client. The validation that's failing happens between Cloudflare and the origin, so verify=False changes nothing except your own security.
  8. If the error persists for a day or more, the site operator has to fix their origin certificate — park the target and monitor rather than retrying aggressively.
526 Invalid SSL Certificate

Why your proxy can't cause — or fix — a 526

A 526 is decided entirely on the far side of Cloudflare: the edge inspects the origin's certificate and rejects it. Your proxy doesn't see that certificate at any point. HTTPS requests travel through ProxyOmega ports inside a CONNECT tunnel, encrypted end-to-end between your client and Cloudflare, so there is no step where the proxy could alter, replace, or damage certificate material in either direction.

Where proxy setup earns its keep on 526s is operational: quickly confirming the scope of the failure, keeping the rest of a crawl productive while one target is broken, and keeping error classes separate so a certificate incident on one site doesn't trigger IP rotation, credential churn, or other fixes aimed at the wrong layer.

Confirm scope from multiple regions

Switching the -country- value on a ProxyOmega username re-tests the target through a different Cloudflare data center and network path.

If every region returns 526, the origin certificate is broken for everyone and waiting is the fix. If it's regional, retry with backoff — you may be hitting one bad origin node.

Quarantine the target, keep the crawl moving

Status-aware retry classes let a scheduler park a 526-returning host on a slow poll while the rest of the job continues across other targets.

With per-port rotation on Budget Unlimited or pay-as-you-go Platinum ports, the rest of your queue doesn't have to wait on one site's expired certificate — see /use-web-scraping/ for pipeline patterns.

Keep TLS verification on

Because ProxyOmega tunnels TLS instead of intercepting it, your client's certificate verification keeps working normally through the proxy.

Leave it enabled: it protects your traffic and keeps your error logs honest — a real 526 shows up as a status code, while local trust problems still surface where you can actually fix them.

526 Invalid SSL Certificate

Status-aware retries that respect a 526

This pattern keeps certificate verification enabled, routes through a ProxyOmega residential port, and retries Cloudflare origin-side errors on schedules that match reality — quick for transient timeouts, patient for certificate problems that need the site operator.

import time
import requests

PROXY = "http://USERNAME:[email protected]:10000"
proxies = {"http": PROXY, "https": PROXY}

# Backoff schedules by error class (seconds)
DELAYS = {
    522: [30, 60, 120],     # transient reachability: quick retries
    524: [30, 60, 120],     # slow origin: quick retries
    525: [300, 900],        # origin TLS broken: be patient
    526: [900, 1800],       # origin cert invalid: usually fixed in hours
}

def fetch(url):
    r = requests.get(url, proxies=proxies, timeout=30, verify=True)
    for delay in DELAYS.get(r.status_code, []):
        time.sleep(delay)
        r = requests.get(url, proxies=proxies, timeout=30, verify=True)
        if r.status_code not in DELAYS:
            break
    return r

resp = fetch("https://example.com/")
print(resp.status_code)  # a persistent 526 means the site must renew its cert
FAQ

Frequently asked questions

What's the difference between error 525 and 526?
Both involve TLS between Cloudflare and the origin server in Full or Full (strict) SSL mode. A 525 means the handshake itself failed — no TLS listener, protocol or cipher mismatch. A 526 means the handshake completed but the certificate failed validation: expired, self-signed, untrusted, or issued for the wrong hostname. Neither is caused by your client or proxy.
Can I bypass error 526 with verify=False or curl -k?
No. Those flags relax certificate checking in your client, on a connection leg that already succeeded. The validation that's failing is performed by Cloudflare against the origin's certificate, out of your reach. You'd give up your own TLS protections and still receive the 526. The only real fix is the site operator installing a valid certificate.
How long does a 526 usually last?
It depends on the cause, but the most common one — an expired origin certificate — is typically fixed within hours of being noticed, since the whole site is affected until it is. Poll on a 15–30 minute schedule rather than hammering. If a 526 persists for days, deprioritize the target and check back periodically.
Why do I see 526 through my proxy but the site loads at home?
Occasionally the origin runs multiple servers and only one presents a bad certificate — which server Cloudflare contacts can vary by data center, and the data center varies with your exit IP's location. Cached pages can also mask errors for some visitors. Test several exit countries; if results differ by region, retry with backoff until you land on a healthy path.

Keep the crawl moving when a target breaks. Start routing today.

ProxyOmega gives you clean residential exits in 200+ countries to confirm scope fast — with unmetered ports so healthy targets keep moving.

ProxyOmega ProxyOmega

90M+ ethically-sourced IPs across 200+ countries and 30,000+ cities. Residential, mobile, ISP and IPv6 proxies for scraping and AI agents.

GDPRCCPA
Product
Premium Unlimited Budget Unlimited Residential / ISP Mobile IPv6 Chrome Extension
Solutions
Web scraping AI agents Price monitoring SERP & SEO Integrations All use cases
Resources
Glossary Error codes Free tools Proxies by platform Locations
Company
About Blog Docs Reseller program Affiliate Contact Sign in
© 2026 ProxyOmega Ltd. All rights reserved.