From 74cd3d598cceb7f62ff88137e424af3ef111eed7 Mon Sep 17 00:00:00 2001 From: Kiki-Y123 <109290423+Kiki-Y123@users.noreply.github.com> Date: Fri, 13 Jun 2025 12:26:39 +0100 Subject: [PATCH 1/3] Update error-526.mdx added this part: If you are using self-signed SSL certificate at the origin server, use the following workaround to avoid an HTTP Error 526. Add your self-signed SSL certificate to the Custom Origin Trust Store. This allows the Cloudflare edge to recognize your self-signed SSL certificate as valid. In your Worker's configuration, enable the cots_on_external_fetch compatibility flag. This flag enables the use of the Custom Origin Trust Store when making external (grey-clouded) subrequests from a Cloudflare Worker. --- .../http-status-codes/cloudflare-5xx-errors/error-526.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx index 1ffbd4558c2481..455918d0d333f5 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx 
@@ -39,6 +39,12 @@ Workers subrequests to any hostname outside your Cloudflare zone that is not pro As a result, a valid SSL certificate is required at the origin server. +If you are using self-signed SSL certificate at the origin server, use the following workaround to avoid an HTTP Error `526`. + +1. Add your self-signed SSL certificate to the **[`Custom Origin Trust Store`](/ssl/origin-configuration/custom-origin-trust-store/)**. This allows the Cloudflare edge to recognize your self-signed SSL certificate as valid. +2. In your Worker's configuration, enable the **[`cots_on_external_fetch` compatibility flag](/workers/configuration/compatibility-flags/#do-not-use-the-custom-origin-trust-store-for-external-subrequests)**. This flag enables the use of the **[`Custom Origin Trust Store`](/ssl/origin-configuration/custom-origin-trust-store/)** when making external (grey-clouded) subrequests from a Cloudflare Worker. + + ### Resolution :::note @@ -56,4 +62,4 @@ Request your server administrator or hosting provider to review the origin web s ![Screen showing an SSL certificate with no errors.](~/assets/images/support/hc-import-troubleshooting_5xx_errors_sslshopper_output.png) -If the origin server uses a self-signed certificate, configure the domain to use _Full_ _SSL_ instead of _Full SSL (Strict)_. Refer to [recommended SSL settings for your origin](/ssl/origin-configuration/ssl-modes). \ No newline at end of file +If the origin server uses a self-signed certificate, configure the domain to use _Full_ _SSL_ instead of _Full SSL (Strict)_. Refer to [recommended SSL settings for your origin](/ssl/origin-configuration/ssl-modes). From 59727d9ed4a066fdca6a2049fd42803f1103e8b7 Mon Sep 17 00:00:00 2001 From: Nic <123965403+ngayerie@users.noreply.github.com> Date: Tue, 17 Jun 2025 11:31:35 +0200 Subject: [PATCH 2/3] Update error-526.mdx --- .../cloudflare-5xx-errors/error-526.mdx | 46 +++++++++++-------- 1 file changed, 27 insertions(+), 19 deletions(-) 
diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx index 455918d0d333f5..004313e87cad24 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx 
@@ -15,7 +15,27 @@ This error occurs when these two conditions are true: - Cloudflare cannot validate the SSL certificate at your origin web server. - [_Full SSL (Strict)_](/ssl/origin-configuration/ssl-modes/full-strict/) **SSL** is set in the **Overview** tab of your Cloudflare **SSL/TLS** app. -#### Error 526 in the Zero Trust context +#### Resolution + +Here are some options to fix or workaround this issue: + +- For a potential quick fix, set **SSL** to _Full_ instead of _Full (strict)_ in the **Overview** tab of your Cloudflare **SSL/TLS** app for the domain. + +- Add your self-signed SSL certificate to the [Custom Origin Trust Store](/ssl/origin-configuration/custom-origin-trust-store/). This allows the Cloudflare edge to recognize your self-signed SSL certificate as valid. + +- Request your server administrator or hosting provider to review the origin web server's SSL certificates and verify that: + - Certificate is not expired. + - Certificate is not revoked. + - Certificate is signed by a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not self-signed). + - The requested or target domain name and hostname are in the certificate's **Common Name** or **Subject Alternative Name**. + - Your origin web server accepts connections over port SSL port `443`. 
+ - [Temporarily pause Cloudflare](/fundamentals/manage-domains/pause-cloudflare/) and visit [https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com](https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com) (replace `www.example.com` with your hostname and domain) to verify no issues exists with the origin SSL certificate: + + ![Screen showing an SSL certificate with no errors.](~/assets/images/support/hc-import-troubleshooting_5xx_errors_sslshopper_output.png) + + + +### Error 526 in the Zero Trust context When using [Cloudflare Gateway](/cloudflare-one/policies/gateway/), an HTTP Error `526` might be returned in the [following cases](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website): 
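Review bot: In patch 2/3, hunk @@ -15, the `[Temporarily pause Cloudflare] ... to verify no issues exists` item is indented as a sub-bullet of the `verify that:` checklist, but it is an action for the reader rather than a property of the certificate, so it should stay a top-level bullet (as it was in the original `### Resolution` section), with `exists` corrected to `exist`. In the same list, `accepts connections over port SSL port `443`` repeats `port`; suggest `accepts connections over SSL port `443``. In the intro line, `fix or workaround this issue` uses the noun form where a verb is needed: `fix or work around this issue`. The first bullet presents switching **SSL** to _Full_ as the leading option ahead of the Custom Origin Trust Store, yet the hunk's own wording shows why it works: _Full_ accepts the self-signed certificate that _Full (strict)_ rejects, i.e. the edge stops validating the origin certificate, whereas adding the certificate to the trust store keeps validation in place. Consider stating that trade-off in the bullet so readers do not read the downgrade as the recommended fix. Finally, the three blank lines added before `### Error 526 in the Zero Trust context` can be reduced to one.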
@@ -33,33 +53,21 @@ When using [Cloudflare Gateway](/cloudflare-one/policies/gateway/), an HTTP Erro - Do not support [FIPS-compliant ciphers](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin). - Redirect all HTTPS requests to HTTP. -#### Error 526 in the Workers context + +### Error 526 in the Workers context Workers subrequests to any hostname outside your Cloudflare zone that is not proxied by Cloudflare are always made using the **[Full (strict)](/ssl/origin-configuration/ssl-modes/full-strict/)** SSL mode, regardless of the Workers zone configuration. -As a result, a valid SSL certificate is required at the origin server. +#### Resolution -If you are using self-signed SSL certificate at the origin server, use the following workaround to avoid an HTTP Error `526`. +- Make sure the SSL certificate configured at the origin is valid. -1. Add your self-signed SSL certificate to the **[`Custom Origin Trust Store`](/ssl/origin-configuration/custom-origin-trust-store/)**. This allows the Cloudflare edge to recognize your self-signed SSL certificate as valid. -2. In your Worker's configuration, enable the **[`cots_on_external_fetch` compatibility flag](/workers/configuration/compatibility-flags/#do-not-use-the-custom-origin-trust-store-for-external-subrequests)**. This flag enables the use of the **[`Custom Origin Trust Store`](/ssl/origin-configuration/custom-origin-trust-store/)** when making external (grey-clouded) subrequests from a Cloudflare Worker. 
+- Add you self-signed certificate to the [Custom Origin Trust Store](/ssl/origin-configuration/custom-origin-trust-store/) and enable the [`cots_on_external_fetch` compatibility flag](/workers/configuration/compatibility-flags/#do-not-use-the-custom-origin-trust-store-for-external-subrequests) in your Worker's configuration. +This flag enables the use of the [Custom Origin Trust Store](/ssl/origin-configuration/custom-origin-trust-store/) when making external (grey-clouded) subrequests from a Cloudflare Worker. -### Resolution -:::note -For a potential quick fix, set **SSL** to _Full_ instead of _Full (strict)_ in the **Overview** tab of your Cloudflare **SSL/TLS** app for the domain. -::: -Request your server administrator or hosting provider to review the origin web server's SSL certificates and verify that: -- Certificate is not expired. -- Certificate is not revoked. -- Certificate is signed by a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not self-signed). -- The requested or target domain name and hostname are in the certificate's **Common Name** or **Subject Alternative Name**. -- Your origin web server accepts connections over port SSL port `443`. -- [Temporarily pause Cloudflare](/fundamentals/manage-domains/pause-cloudflare/) and visit [https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com](https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com) (replace `www.example.com` with your hostname and domain) to verify no issues exists with the origin SSL certificate: -![Screen showing an SSL certificate with no errors.](~/assets/images/support/hc-import-troubleshooting_5xx_errors_sslshopper_output.png) -If the origin server uses a self-signed certificate, configure the domain to use _Full_ _SSL_ instead of _Full SSL (Strict)_. Refer to [recommended SSL settings for your origin](/ssl/origin-configuration/ssl-modes). From 1f4024825e2f4e49e190b9234e2fe2048434ae38 Mon Sep 17 00:00:00 2001 
From: Nic <123965403+ngayerie@users.noreply.github.com> Date: Tue, 17 Jun 2025 11:33:12 +0200 Subject: [PATCH 3/3] Update error-526.mdx --- .../http-status-codes/cloudflare-5xx-errors/error-526.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx index 004313e87cad24..32ac077570ed7d 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx @@ -62,7 +62,7 @@ Workers subrequests to any hostname outside your Cloudflare zone that is not pro - Make sure the SSL certificate configured at the origin is valid. -- Add you self-signed certificate to the [Custom Origin Trust Store](/ssl/origin-configuration/custom-origin-trust-store/) and enable the [`cots_on_external_fetch` compatibility flag](/workers/configuration/compatibility-flags/#do-not-use-the-custom-origin-trust-store-for-external-subrequests) in your Worker's configuration. +- Add your self-signed SSL certificate to the [Custom Origin Trust Store](/ssl/origin-configuration/custom-origin-trust-store/) and enable the [`cots_on_external_fetch` compatibility flag](/workers/configuration/compatibility-flags/#do-not-use-the-custom-origin-trust-store-for-external-subrequests) in your Worker's configuration. This flag enables the use of the [Custom Origin Trust Store](/ssl/origin-configuration/custom-origin-trust-store/) when making external (grey-clouded) subrequests from a Cloudflare Worker.
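Review bot: In patch 1/3, hunk @@ -39, the added sentence `If you are using self-signed SSL certificate at the origin server` is missing an article and should read `If you are using a self-signed SSL certificate at the origin server`. In both numbered steps, `Custom Origin Trust Store` is a product name but is wrapped in backticks inside bold link text, which renders it as code; the rest of the page links product names as plain text, so drop the backticks and bold for consistency (the later patch in this series does this for the same links). The two blank lines inserted ahead of `### Resolution` leave a triple blank line; one is enough.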
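Review bot: In patch 2/3, hunk @@ -33, the added line `This flag enables the use of the [Custom Origin Trust Store] ... from a Cloudflare Worker.` is not indented under the bullet it continues, so Markdown renders it as a separate paragraph rather than as part of the `Add you self-signed certificate ...` item; indent it by two spaces or fold it into the bullet. `Add you self-signed certificate` should read `Add your self-signed SSL certificate`; patch 3/3 fixes exactly this, so the two commits are a candidate for squashing. The removed sentence `As a result, a valid SSL certificate is required at the origin server.` was the only line explaining why the Workers case matters (external subrequests always use _Full (strict)_); the new bullet `Make sure the SSL certificate configured at the origin is valid.` states the instruction but not the reason, so consider keeping that sentence under the Workers heading or merging it into the bullet.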
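Review bot: In patch 3/3, hunk @@ -62, the context line `This flag enables the use of the [Custom Origin Trust Store] ...` is still unindented and therefore renders outside the bullet it explains; since this hunk already rewrites that bullet, indent the continuation here as well. Otherwise the change is a one-word correction (`you` to `your`, plus `SSL`) to text introduced in patch 2/3, and would be cleaner squashed into that commit so the series never carries the typo.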