521 Even though web server is fine

I’m having a weird problem with one of my sites where Cloudflare is showing a 421 error even though the web server is responding just fine. I have double checked with the docs and ran the following command from my local machine and I see the response that I am expecting. However, when visiting the website directly I get the 521 error.

The firewall is set to whitelist all traffic from Cloudflare’s network already.

I am not sure where to go from here. Any help is appreciated.

meisams-mbp-2:~ meisam$ curl --silent --verbose https://www.trekpc.ca --resolve www.trekpc.ca:443:*.*.*.*

* Added www.trekpc.ca:443:*.*.*.* to DNS cache

* Rebuilt URL to: https://www.trekpc.ca/

* Hostname www.trekpc.ca was found in DNS cache

* Trying *.*.*.*...

* TCP_NODELAY set

* Connected to www.trekpc.ca (*.*.*.*) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

* CAfile: /etc/ssl/cert.pem

CApath: none

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server accepted to use http/1.1

* Server certificate:

* subject: CN=trekpc.ca

* start date: Nov 2 06:52:11 2018 GMT

* expire date: Jan 31 06:52:11 2019 GMT

* subjectAltName: host "www.trekpc.ca" matched cert's "www.trekpc.ca"

* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3

* SSL certificate verify ok.

> GET / HTTP/1.1

> Host: www.trekpc.ca

> User-Agent: curl/7.54.0

> Accept: */*

> 

< HTTP/1.1 200 OK

< Server: nginx/1.10.3 (Ubuntu)

< Date: Fri, 02 Nov 2018 07:59:34 GMT

< Content-Type: text/html; charset=UTF-8

< Transfer-Encoding: chunked

< Connection: keep-alive

< Link: <https://www.trekpc.ca/wp-json/>; rel="https://api.w.org/"

< Link: <https://www.trekpc.ca/>; rel=shortlink

< 

<!doctype html><html lang=".. (what I expect to see)

Considering you mentioned a firewall I’d first make sure you whitelisted the right addresses.

Which ones did you whitelist?

Everything on https://www.cloudflare.com/ips/

In that case I’d temporarily unblock everything to verify it is not the firewall blocking anything accidentally.

Did that as well to no avail. I have just temporarily disabled Cloudflare and its working properly but that isn’t what I want to happen.

Everything was working just fine without making any changes for a few months and then all of a sudden it stopped working yesterday.

So Cloudflare still couldnt connect but you could connect directly?

Yup that is whats confusing here.

At this point I can only suggest to contact support.

I’m not sure how I would do that. Everything on the support center points to the articles that have things for me to try, but I have tried all of that and nothing has worked so far.

https://support.cloudflare.com/requests/new

Hi @meisam, the suggestion from @sandro is the best. When you submit that request, it will trigger a set of automated tests that will help support assist you. You should include a link to this thread for the Support Engineer to see steps so far. This Error 521 Community Tip was just published, while it may be somewhat redundant to the steps you’ve taken, it may offer insight while you’re interacting with Support. Please post back and let us know how it works out.

1 Like

I have submitted a ticket linking this thread. I will update this post when the issue is resolved.

1 Like

Perfect, thank you. What is the ticket number?

The ticket number is 1595460. I have yet to hear back from them though.

How temporary do you think this will be eventually :innocent:

Touché! :smile:

Admit it, you were waiting for the point where you could return that gesture :wink:

Seriously though, I’d expect that temporariness to be vastly more temporary than conveniently setting TLS to dontcare mode :wink:
In this case something about five to ten minutes, unblock -> test -> block.

2 Likes

Wholeheartedly agree on all points! :slight_smile:

2 Likes

I have re-enabled Cloudflare on my domain it at the suggestion of the support engineer and it seems to be working properly now.

What was the issue though?

Support Engineer suspected rate limiting and diagnosed by doing a force overriding to Cloudflare IP’s via cURL