525 errors occur intermittently on the website

Hello,

My site grapheine (dot) com is hosted by OVH. I have an SSL certificate (Let’s Encrypt) activated on the server side. At Cloudflare, when I am in Full SSL/TLS encryption I get irregular 525 errors. When I am in Flexible, I have 520 errors very often.

I paused Cloudflare (gray cloud), then made sure our server’s SSL certificate was working. It is a Let’s Encrypt certificate, and its cipher mode is:

Connection : Protocol TLS 1.3
Key exchange X25519
Server signature RSA-PSS with SHA-256
Cipher AES_256_GCM

Concerning the logs, I’ve looked at the logs available on our shared hosting, but I don’t see any logs concerning the SSL. Maybe I don’t have access to it.

I just want to make sure that everything works perfectly 100% of the time.

Thanks in advance for your help.

Both 520 and 525 together tell us that your origin server (or some device in front of it) is resetting the TCP connection. When it happens during the TLS handshake you will get a 525 error; if it happens after, you will get a 520.

You may not see SSL-specific things in your logs because likely this isn’t strictly an error at the TLS level - your origin may be erroring for other reasons. The best thing to do is to check your logs carefully while reproducing the problem - if you don’t see any errors there then contact your host and make sure Cloudflare’s IP range isn’t being rate limited.


I see in my logs “nginx-ssl early hints”
##.192.112.214 www(dot)grapheine(dot)com - [12/Dec/2022:13:39:48 +0100] “GET / HTTP/1.1” 200 17804 “-” “nginx-ssl early hints”

???

I removed the “Optimized Delivery / Early Hints” option…
But error 525 still arrives intermittently…

You need to look in your error log - not your access log.

If you do that while reproducing the problem you should see if the web server is erroring and breaking the connection.

The site’s error logs do not indicate any particular error.

You will need to talk to your host and understand why they are resetting the TCP connections. The first thing to make 100% sure of is that they’re not rate limiting any of the Cloudflare IP ranges listed on cloudflare.com/ips

OVH support confirms that Cloudflare IPs are not blacklisted.

And then the error is intermittent. Once on … the connection works. The rest of the time I get the error 525.

At this point - Cloudflare can’t really tell you anything else about this error. From the perspective of a Cloudflare server making a TCP connection to your origin, all Cloudflare knows is that your server prematurely reset the connection - we cannot know why it did that. That’s why your host would need to dig into this problem.
