Cloudflare erroneously giving 525 errors Using CF Origin Certs or Letsencrypt

What is the name of the domain?

sdn.stingernetworks.us

What is the error number?

525

What is the error message?

SSL Handshake Failed

What is the issue you’re encountering

Site has been working on CF for 6 years; now it's throwing 525 errors for no apparent reason.

What steps have you taken to resolve the issue?

Checked that the LE certificate was up to date; it was. Downgraded SSL to Flexible, which did not resolve the error. Downgraded TLS to 1.0 and disabled 1.3, which also did not fix the issue. Removed LE scripts and installed a Cloudflare Origin certificate, but the site is still throwing 525 errors. The ciphers are compatible, and the origin certificate is valid, but it refuses to connect. However, I can connect perfectly fine if I bypass Cloudflare and connect directly to the IP. I receive an invalid certificate error with the Cloudflare Origin certificate, but the connection works without issues when bypassing Cloudflare. I’m unsure of further steps to resolve this.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Flexible

What are the steps to reproduce the issue?

go to the domain

I am unable to reproduce the 525 error on your site as I’m being blocked by your WAF rule. However, referring to the Cloudflare 525 error documentation, you may want to review it whether the issue happens persistently or intermittently.

525 errors indicate that the SSL handshake between Cloudflare and the origin web server failed. Error 525 occurs when these two conditions are true:

  1. The SSL handshake fails between Cloudflare and the origin web server, and
  2. Full or Full (Strict) SSL is set in the Overview tab of your Cloudflare SSL/TLS app.

Note

If your hosting provider frequently changes your origin web server’s IP address, refer to Cloudflare’s documentation on dynamic DNS updates.

Resolution

Contact your hosting provider to exclude the following common causes at your origin web server:

  • No valid SSL certificate installed
  • Port 443 (or other custom secure port) is not open
  • No SNI support
  • The cipher suites presented by Cloudflare to the origin do not match the cipher suites supported by the origin web server

Note

If 525 errors occur intermittently, review the origin web server error logs to determine the cause. Configure Apache to log mod_ssl errors. Also, nginx includes SSL errors in its standard error log, but may possibly require an increased log level.

Additional checks

  • Check if you have a certificate installed on your origin server. You can check this article for more details on how to run some tests. In case you don’t have any certificate, you can create and install our free Cloudflare origin CA certificate. Using Origin CA certificates allows you to encrypt traffic between Cloudflare and your origin web server.
  • Review the cipher suites your server is using to ensure they match what is supported by Cloudflare.
  • Check your server’s error logs from the timestamps you see 525s to ensure there are errors that could be causing the connection to be reset during the SSL handshake.
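The checklist above is what Cloudflare's edge effectively runs against the origin. The following is an added example (not code from the thread or from Cloudflare) that reproduces that origin-side probe: it connects straight to the origin IP on the port the site listens on, offers SNI the way Cloudflare does, and maps the outcome onto the checklist items. The hostname and port 8443 come from the thread; the origin IP is a placeholder.

```python
"""Origin-side handshake probe for 525 triage (added example, not from the thread)."""
import socket
import ssl

def probe_origin(origin_ip, port, hostname, use_sni=True, timeout=5.0):
    """Connect straight to the origin IP, bypassing Cloudflare, and attempt a
    TLS handshake the way the Cloudflare edge does: SNI set to the site
    hostname, TLS 1.2 or newer. Certificate validation is switched off on
    purpose: an untrusted certificate yields a 526 at Cloudflare, so only
    handshake success matters for a 525."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    result = {"tcp": False, "handshake": False, "error": None}
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            result["tcp"] = True
            sni = hostname if use_sni else None
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                result["handshake"] = True
                result["protocol"] = tls.version()
                result["cipher"] = tls.cipher()[0]
    except (OSError, ssl.SSLError) as exc:   # SSLError is itself an OSError subclass
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result

def diagnose(with_sni, without_sni):
    """Map a pair of probe results (SNI on / SNI off) onto the origin-side
    causes in the 525 checklist. Returns a one-line verdict."""
    if not with_sni["tcp"]:
        return "port closed: TCP connect to the origin port failed"
    if with_sni["handshake"]:
        return ("handshake OK with SNI: origin accepts a Cloudflare-style client; "
                "look for a firewall or rate limit in front of it instead")
    if without_sni["handshake"]:
        return ("handshake fails only with SNI: origin has no certificate/vhost "
                "for that hostname or rejects the SNI name")
    return ("handshake fails with and without SNI: no certificate, or the TLS "
            "version/cipher suites on the origin do not overlap with Cloudflare's")

if __name__ == "__main__":
    # Placeholder origin IP (TEST-NET-3 range); hostname and port are from the thread.
    HOST, ORIGIN_IP, PORT = "sdn.stingernetworks.us", "203.0.113.10", 8443
    a = probe_origin(ORIGIN_IP, PORT, HOST, use_sni=True)
    b = probe_origin(ORIGIN_IP, PORT, HOST, use_sni=False)
    print(a, b, sep="\n")
    print(diagnose(a, b))
```

Run it from a host that can reach the origin directly; a handshake that succeeds here but still yields 525 through Cloudflare points at something between Cloudflare and the origin rather than at TLS itself.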

You’d need to access port 8443, which might explain why you’re seeing a different error. I have already done all of that.

First things first:

"Full or Full (Strict) SSL is set in the Overview tab of your Cloudflare SSL/TLS app."

This is set to flexible, which is why I don’t understand the error. I changed it to full, and the error went from constant to intermittent, which confuses me even more.

"No valid SSL certificate installed."

It previously had a valid Let’s Encrypt cert installed, but I’ve now switched it to a 15-year Cloudflare origin cert with the same 525 errors occurring.

"Port 443 (or other custom secure port) is not open."

It is open and accessible, and can be accessed without issue by IP, just not by hostname.

"No SNI support."

SNI is supported.

"The cipher suites presented by Cloudflare to the origin do not match the cipher suites supported by the origin web server."

Current cipher is TLS_AES_128_GCM_SHA256.

"If 525 errors occur intermittently, review the origin web server error logs to determine the cause."

There are no logs on the server indicating anything related to SSL. The 525 errors aren’t even showing in the logs, which makes me think the requests aren’t making it past Cloudflare because I do see the access attempts when I bypass Cloudflare and access by IP, but not when using the hostname.

"Check if you have a certificate installed on your origin server. You can check this article for more details on how to run some tests."

Results of the tests are successful, however, in the browser there are still errors.

"Check your server’s error logs from the timestamps you see 525s to ensure there are errors that could be causing the connection to be reset during the SSL handshake."

There are no log entries relating to a 525 error on the web server. The requests don’t even seem to hit the web server at all when the Cloudflare 525 error is thrown.

Sorry for the crappy reply method. I spent over a day trying to figure out why the forum software mistakenly detects nonexistent links in my post, and it refused to let me reply unless I formatted it like this.

Cloudflare seems to be messing up across the board right now.

The most likely reason for a 525 error would be a firewall or similar service that prevents requests from reaching your actual webserver.

As to the SSL mode, I think the Flexible setting might be ignored when you use a non-default SSL port, but I could be wrong there.

I can’t visit the site myself as I am getting blocked by the firewall.

Are you outside the US?

I basically blocked non-US visitors since it's network administration software and I have no non-US clients.

Why would a firewall block only requests from Cloudflare? Via IP I get an invalid cert (because CF origin isn’t valid to a browser) but no interruption in traffic, and requests that don’t use HTTPS go through with no issues as well. It’s a Unifi USG Pro4 and it’s been operating this service exactly this way for 6 years without any interruptions until yesterday. No configuration changes occurred in the CF Dashboard or in the USG, but now constant 525s.

Yes.

Could be that you are using a service like fail2ban that blocks IP addresses that were used for malicious purposes, or that you are rate-limiting if too many requests are coming from the same IP address.

525s can be really annoying to debug. I believe 525 happens when a TCP connection was established successfully, but the handshake failed for a reason other than an invalid certificate (that would be a 526).

So you’d want to find out where the requests are actually going to so you can log the (attempted) handshake.

Looking at the USG there are no block rules in place, so I have no idea, but it’s driving me nuts. I’m probably going to try creating a tunnel between Cloudflare and my USG and configuring things that way. Probably a better security solution anyway.
