Cloudflare to nginx 525 error

What is the name of the domain?

candybag.cc

What is the error number?

525

What is the error message?

SSL handshake failed

What is the issue you’re encountering?

Bought a domain on Cloudflare and configured a DNS A record to my server (which uses nginx as a proxy), have installed certificates (pem and key), but still got 525.

What steps have you taken to resolve the issue?

  1. checked certificates
  2. checked nginx conf
  3. set SSL mode to Full (strict)
  4. disabled proxy from Cloudflare

What feature, service or problem is this related to?

I don’t know

What are the steps to reproduce the issue?

Request my domain

Screenshot of the error

I think it’s because the SSL certificate I generated on Cloudflare is not compatible with nginx, but I don’t know how to solve this problem.

2024/12/25 12:30:24 [info] 22#22: *10 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 117.147.36.3, server: 0.0.0.0:443
2024/12/25 12:30:24 [info] 22#22: *11 SSL_do_handshake() failed (SSL: error:0A000416:SSL routines::sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 117.147.36.3, server: 0.0.0.0:443

My nginx conf:

And my pem file is in the format below:

-----BEGIN CERTIFICATE-----
(cert.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(origin_ca_ecc_root.pem)
-----END CERTIFICATE-----

Don’t know what else I can do :melting_face:

And I tried openssl s_client -connect xxxxxx:443; I get Verify return code: 21 (unable to verify the first certificate). It might be that I don’t have the full certificate chain, but I’m wondering how to solve this.

You shouldn’t have the root certificate in there. It does you no good.

Nginx seems to be unable to open/parse the certificate. Make sure the file permissions are so that nginx can access it.

Also, you should not be using TLSv1 and 1.1, rather only 1.2 and 1.3.

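The checks from the two posts above, the chain-file contents and the openssl s_client verify code 21 from the original poster, and the root-certificate, file-permission and TLS-version points from the reply, as one audit script for the origin server. This is an added example written for this thread, not code from the poster or from Cloudflare. It assumes the certificate and key live under /etc/nginx/ssl named after the domain, that the Origin CA root is saved next to them as origin_ca_ecc_root.pem, GNU stat(1), and an ORIGIN_IP environment variable for the direct-to-origin probe; the upstream address in the generated server block is a placeholder.

```shell
#!/bin/sh
# Origin-side TLS audit for an nginx server fronted by Cloudflare with an
# Origin CA certificate. Added example for this thread, not Cloudflare's or
# the poster's code. Assumptions: cert and key under /etc/nginx/ssl named
# after the domain, the Origin CA root saved next to them as
# origin_ca_ecc_root.pem, GNU stat(1), and ORIGIN_IP set for the direct probe.

# Number of certificates in a PEM bundle. An Origin CA leaf is issued directly
# by the Origin CA root, so the file nginx serves should hold exactly one
# certificate; the root belongs in the verifier's trust store, not in the chain.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Accept a private-key mode (octal string such as 600 or 0640) only if "other"
# has no access and "group" cannot write. nginx reads the key as root at
# startup, so 600 owned by root is enough; 666 as shown in the thread is not.
key_mode_ok() {
    m=$1
    other=${m#"${m%?}"}          # last digit: other
    rest=${m%?}
    group=${rest#"${rest%?}"}    # second-to-last digit: group
    [ "$other" = 0 ] || return 1
    case "$group" in
        0|1|4|5) return 0 ;;
        *)       return 1 ;;
    esac
}

# Verify the leaf against the Origin CA root locally: the same trust decision
# the Cloudflare edge makes in Full (strict) mode before it would return 525.
verify_chain() {
    openssl verify -CAfile "$2" "$1"
}

# Handshake straight to the origin, bypassing Cloudflare. -servername sends SNI
# so the right server block answers; -CAfile supplies the Origin CA root, which
# is not in the system store (that alone produces "Verify return code: 21").
probe_origin() {
    openssl s_client -connect "$1:443" -servername "$2" -CAfile "$3" \
        </dev/null 2>/dev/null | grep 'Verify return code'
}

# Minimal hardened server block: leaf-only certificate, TLS 1.2/1.3 only.
# The proxy_pass target is a placeholder (assumption).
nginx_tls_block() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     /etc/nginx/ssl/$1.pem;
    ssl_certificate_key /etc/nginx/ssl/$1.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host \$host;
    }
}
EOF
}

main() {
    domain=${1:-candybag.cc}
    dir=${2:-/etc/nginx/ssl}
    root=$dir/origin_ca_ecc_root.pem
    n=$(pem_cert_count "$dir/$domain.pem" || true)
    [ "$n" -eq 1 ] || echo "WARN: $domain.pem holds $n certificates; serve the Origin CA leaf only"
    mode=$(stat -c %a "$dir/$domain.key")
    key_mode_ok "$mode" || echo "WARN: $domain.key mode is $mode; chmod 600 and chown root:root it"
    verify_chain "$dir/$domain.pem" "$root"
    nginx -t
    if [ -n "${ORIGIN_IP:-}" ]; then
        probe_origin "$ORIGIN_IP" "$domain" "$root"
    fi
}

# Run only when asked, e.g.:
#   RUN_AUDIT=1 ORIGIN_IP=203.0.113.10 sh tls-audit.sh candybag.cc /etc/nginx/ssl
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    main "$@"
fi
```

Two caveats when reading the results. An Origin CA certificate is trusted only by Cloudflare's edge, so with the proxy disabled (step 4 in the first post) browsers reach nginx directly and will reject the certificate; that is expected, and 525 cannot occur in that mode because Cloudflare is no longer in the path. The "sslv3 alert certificate unknown (alert number 46)" line in the nginx log is the client side of the handshake refusing the server certificate, so it is worth checking which client IP produced it before concluding the server config is at fault.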

Hi, thanks for your reply. I removed TLSv1 and 1.1 and only left 1.2 and 1.3.

Also removed the root certificate from the pem, and the certificate file permissions are below:

-rw-rw-rw- 1 root root 1704 Dec 25 21:50 candybag.cc.key
-rw-rw-rw- 1 root root 1667 Dec 25 21:49 candybag.cc.pem

The candybag domain is still not working; it still shows no peer certificate available.

I only left the origin certificate in the pem; it still shows this error.

Did you maybe not activate the config file?

When I load the page on port 443 but via http, I get redirected to this page, but that might just be an error caused by loading http on port 443:

I have deployed nginx to AWS EC2; it is still not working.

Test result below:

What does the nginx error log say?

After I moved my application to EC2 too, it’s working now, so I guess it’s because Tencent Cloud needs my domain to have a registration there; otherwise even nginx cannot reverse proxy my application, even through the port.

Really, thanks for your reply and help!!!

