Receiving HTTP 526 Error from worker request not observed elsewhere

I'm making the following request: https://halostats.svc.halowaypoint.com:443/hi/players/xuid(2533274844642438)/matches?type=2&count=10&start=0 Locally, without the necessary authentication, it will return HTTP 401, but when executing on a Cloudflare Worker I'm receiving an HTTP 526 error. Other websites that make use of the endpoint seem to be working fine, so it appears to be a Cloudflare Worker issue?
2 Replies
soundmanD (OP), 3mo ago
Additional details... doing an openssl s_client -connect halostats.svc.halowaypoint.com:443, I received the attached response. Running that through ChatGPT...
What looks fine
Certificate subject: *.svc.halowaypoint.com → matches the hostname you’re connecting to.

Issuer: Microsoft Azure RSA TLS Issuing CA 08 → a legitimate Microsoft intermediate CA.

Validity: NotBefore June 20, 2025 → NotAfter Dec 17, 2025 → certificate is currently valid.

Key strength: 2048‑bit RSA, SHA‑384 signature → modern and secure.

TLS negotiation: Completed successfully with a strong cipher (ECDHE-RSA-AES256-GCM-SHA384).

So the leaf certificate itself is fine.

⚠️ What’s wrong
The key line is:

verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate

That means the server did not send the full certificate chain. Specifically:

You got the leaf cert (*.svc.halowaypoint.com).

But the server did not include the intermediate certificate (Microsoft Azure RSA TLS Issuing CA 08 → which chains up to a trusted Microsoft root).

Most browsers and OS trust stores can “fill in” missing intermediates automatically (they fetch them via AIA). But Cloudflare Workers (and many strict TLS clients) do not — they require the server to present the full chain. When the chain is incomplete, Cloudflare rejects it with HTTP 526.
This domain has been interacted with by the same worker for the past 12 months... has anything changed within Cloudflare in the last few days that would cause SSL certificate issues?
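
An added example, not part of the original post: a shell function that reads saved openssl s_client output and separates the leaf-only case described above from other verification failures by counting the certificates listed under "Certificate chain", which is what the server actually sent. The function names are hypothetical and both sample outputs are constructed for illustration.

```shell
# Classify output of: openssl s_client -connect HOST:443 -servername HOST </dev/null 2>&1
# Reads the captured text on stdin and prints one of:
#   ok | incomplete-chain | untrusted-chain | other-verify-error
classify_chain() {
    awk '
        /^Certificate chain/        { in_chain = 1; next }
        /^---/                      { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/  { sent++ }          # one "N s:" line per cert sent
        /verify error:num=(20|21):/ { issuer_err = 1 }  # issuer could not be found
        /verify error:num=/         { any_err = 1 }
        END {
            if (!any_err)                     print "ok"
            else if (issuer_err && sent <= 1) print "incomplete-chain"
            else if (issuer_err)              print "untrusted-chain"
            else                              print "other-verify-error"
        }
    '
}

# Constructed sample: server presents only the leaf certificate.
sample_leaf_only() {
cat <<'EOF'
depth=0 CN = *.svc.halowaypoint.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.svc.halowaypoint.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = *.svc.halowaypoint.com
   i:CN = Microsoft Azure RSA TLS Issuing CA 08
---
Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: leaf plus intermediate, verification succeeds.
sample_full_chain() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = *.svc.halowaypoint.com
   i:CN = Microsoft Azure RSA TLS Issuing CA 08
 1 s:CN = Microsoft Azure RSA TLS Issuing CA 08
   i:CN = Constructed Root CA (placeholder)
---
Verify return code: 0 (ok)
EOF
}
```

A result of untrusted-chain means the server did send more than the leaf, so the gap is more likely in the local trust store than in the server's configuration.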
soundmanD (OP), 2mo ago
and the issue has resolved itself, but it's not clear as to whether CF did something or the certificate was fixed...
