525 SSL Handshake error - but only occasionally

  1. The error appears very occasionally, probably in less than 1% of cases, maybe even way lower, but it will repeat now and then.

  2. We had Cloudflare DNS settings directed directly to the web server until Friday. The error was not happening. Since then, we switched to a load balancer, and it is redirecting traffic to the same web server, and errors started happening.

  3. Very difficult to replicate. There are no errors or any lines in the Apache logs of the web server.

  4. When we check TLS / Handshake via the curl command, as suggested in various topics related to the 525 error, everything works fine.

  5. Our SSL/TLS encryption mode is Full and has been so for a long time.

Please help.

That should be Full Strict in the first place, otherwise you still have no real security.

As for the 525, if you say this only started with your load balancer, this will be an issue there, and you either route to a server which is not properly configured or one that occasionally does not complete the handshake.

Is this a Cloudflare load balancer or your own?

We will try full/strict later on after we solve this.

The load balancer is set to only this one server at the moment; we will be adding the second one in the next few days. The load balancer is set up at Hetzner, one of their standard LBs. We have been using it with the same settings earlier on, when it was connected to the other web servers (2 of them), and there were no errors like this.

We don’t have direct access to the LB, and these are services that are set through Hetzner’s admin panel.

I would set Full Strict straight away, as you have no proper encryption otherwise right now.

I would recommend enabling SSL logging everywhere and trying to find out why your server or load balancer does not complete the handshake. Maybe you have some additional and invalid address configured. The topic itself is, I am afraid, a bit off-topic, however, and I would try StackExchange or Reddit.

As far as Cloudflare is concerned, the 525 simply means your origin did not complete a proper SSL handshake.
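A one-off curl check will not catch a failure that occurs in well under 1% of connections. The script below, added here as an example and not part of any reply in this thread, repeats the TLS handshake many times against the origin or load balancer address (a placeholder hostname is assumed; pass the real one on the command line) and tallies the distinct failure reasons, verifying the certificate chain as Full (strict) would.

```python
import socket
import ssl
import sys
from collections import Counter


def probe_handshake(host, port=443, sni=None, timeout=5.0, verify=True):
    """Open one TCP connection and attempt a single TLS handshake.

    Returns "ok" or a short error label. verify=True validates the chain
    and hostname, roughly what Cloudflare's Full (strict) mode requires.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                tls.version()  # handshake has completed at this point
        return "ok"
    except ssl.SSLCertVerificationError as e:
        return f"cert_verify_failed: {e.verify_message}"
    except ssl.SSLError as e:
        return f"tls_error: {e.reason}"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return f"tcp_error: {e.strerror or e}"


def summarize(results):
    """Aggregate probe labels into counts and an overall failure rate."""
    counts = Counter(results)
    failures = sum(n for label, n in counts.items() if label != "ok")
    rate = failures / len(results) if results else 0.0
    return {"total": len(results), "failures": failures,
            "failure_rate": rate, "by_error": dict(counts)}


def run_probes(host, attempts, **kwargs):
    """Run sequential handshakes so intermittent failures show up."""
    return summarize([probe_handshake(host, **kwargs) for _ in range(attempts)])


if __name__ == "__main__":
    # Placeholder hostname (assumed); replace with the origin or LB address.
    target = sys.argv[1] if len(sys.argv) > 1 else "origin.example.invalid"
    print(run_probes(target, attempts=300))
```

Point it at the load balancer and then directly at the web server; a failure rate that appears only via the LB narrows the problem to that hop, and the error labels separate certificate problems from timeouts and resets.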

Thanks for quick replies. We will try SSL logging.

Regarding the topic being off-topic, well, I don’t really think it is. We are using Cloudflare in order to make our websites available, secure and fast. The community forum here should be able to help with that.

It is off-topic, as the issue is not Cloudflare related, but about some incorrect configuration on the origin side.

The forum is not intended for topics on server administration.

