Authenticated Origin Pull - 525 SSL Handshake failed wrong curve

I’m using the Authenticated Origin Pulls TLS/SSL feature and received an email outlining that I need to update a certificate on my server:

Cloudflare has detected that your configuration is using our Authenticated Origin Pulls feature. Recently, we renewed the certificate that our edge network presents to your origin due to the upcoming expiration of the current certificate on January 11, 2020.

I followed the instructions in this support article and installed the certificate linked in the article.

I included this in my nginx settings for the site:

    ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
    ssl_verify_client on;

And my nginx.conf file contains

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
        ssl_ecdh_curve auto;

But accessing the site leads to the following nginx error:

525 SSL Handshake

2019/12/21 05:31:22 [crit] 21270#21270: *9 SSL_do_handshake() failed (SSL: error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve) while SSL handshaking, client:, server:

My server details:
OpenSSL 1.1.1 11 Sep 2018
Ubuntu 18.04.3 LTS
nginx/1.14.0 (Ubuntu)

There seem to be many related issues reported here on the community forums but I wasn’t able to find any kind of definitive answer. I’d include links but I’m a new user and limited to 2 links per post.

Any help would be appreciated!
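One check worth running before opening a ticket: in OpenSSL 1.1.1, `tls12_check_peer_sigalg` returns `wrong curve` when the peer's ECDSA key is on a curve that is not in the group list the server allows, and on the nginx side that list is `ssl_ecdh_curve`. The script below is an added example, not code from the original post or from Cloudflare or nginx: it walks a PEM certificate with the standard library only (no `cryptography` package), reports the key type and named curve of the first SubjectPublicKeyInfo it finds, and says whether that curve is present in a given `ssl_ecdh_curve` value. The expansion of `auto` to OpenSSL 1.1.1's built-in default group list is an assumption stated in the code; the sample inputs are constructed SubjectPublicKeyInfo blobs with dummy key bytes, embedded only so the walker can be exercised offline. Run it against the certificate whose key curve you want to rule out (`python3 check_curve.py cloudflare.crt auto`); the TLS 1.2 signature check looks at the leaf certificate the edge presents, so the CA bundle on disk is only a partial answer.

```python
"""Report a PEM certificate's public-key curve and check it against nginx's
ssl_ecdh_curve list.  Standard library only; DER is walked just far enough
to find the SubjectPublicKeyInfo AlgorithmIdentifier."""
import base64
import re

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
CURVE_NAMES = {  # named-curve OID -> OpenSSL/nginx name
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}
# Assumption: what "ssl_ecdh_curve auto" expands to under OpenSSL 1.1.1
# (its built-in default group list); adjust for other OpenSSL versions.
AUTO_GROUPS = ["X25519", "prime256v1", "X448", "secp521r1", "secp384r1"]


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of the first block found and base64-decode it."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs = [str(body[0] // 40), str(body[0] % 40)]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last base-128 digit of this arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def iter_oids(der: bytes):
    """Yield every OID in a DER blob in document order, descending into
    constructed types (SEQUENCE/SET); BIT/OCTET STRING contents are skipped."""
    pos = 0
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        body = der[pos:pos + length]
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:
            yield from iter_oids(body)
        pos += length


def public_key_info(der: bytes):
    """Return ("ec", curve) or ("rsa", None) for the first SubjectPublicKeyInfo.
    Its AlgorithmIdentifier is SEQUENCE { id-ecPublicKey, namedCurve }, so the
    curve is the OID that immediately follows id-ecPublicKey."""
    oids = list(iter_oids(der))
    for i, oid in enumerate(oids):
        if oid == ID_EC_PUBLIC_KEY and i + 1 < len(oids):
            return "ec", CURVE_NAMES.get(oids[i + 1], oids[i + 1])
        if oid == RSA_ENCRYPTION:
            return "rsa", None
    raise ValueError("no recognised public key algorithm")


def check_ecdh_curve(pem: str, ssl_ecdh_curve: str = "auto") -> dict:
    """Compare the certificate's curve with an nginx ssl_ecdh_curve value and
    suggest a list that includes it when it is missing."""
    kind, curve = public_key_info(pem_to_der(pem))
    groups = AUTO_GROUPS if ssl_ecdh_curve == "auto" else ssl_ecdh_curve.split(":")
    if kind != "ec":  # RSA keys are not subject to the curve check
        return {"key": kind, "curve": None, "allowed": True, "suggest": ssl_ecdh_curve}
    allowed = curve in groups
    suggest = ssl_ecdh_curve if allowed else ":".join(groups + [curve])
    return {"key": kind, "curve": curve, "allowed": allowed, "suggest": suggest}


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder used only to build the constructed samples."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def sample_spki_pem(curve_oid: str) -> str:
    """CONSTRUCTED test input: a SubjectPublicKeyInfo for the given curve with
    a dummy (not on the curve) 65-byte point; only the OIDs are inspected."""
    alg = _der(0x30, _oid(ID_EC_PUBLIC_KEY) + _oid(curve_oid))
    key = _der(0x03, b"\x00\x04" + b"\x11" * 64)
    b64 = base64.encodebytes(_der(0x30, alg + key)).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + b64 + "-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:
        print(check_ecdh_curve(f.read(), sys.argv[2] if len(sys.argv) > 2 else "auto"))
```

If the reported curve is missing from your list, the `suggest` value is the directive to try; if it is already present, the curve list is not the cause and the ticket can say so.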

There was one case here on the forum where the ssl_ecdh_curve parameter was not correctly set, but that doesn’t seem to be the case here.

Did you just upload the new certificate or make any other changes (e.g. update of OpenSSL)? doesn’t return all that much and it is mostly either Node.js related or actually Cloudflare postings. Have you already tried setting ssl_prefer_server_ciphers to off?

Overall this is probably a case best for a support ticket at
