Community Tip - Fixing Error 525: SSL handshake failed

Error
Try the suggestions in this Community Tip to help you fix Error 525: SSL handshake failed.

Background
Error 525 indicates that the SSL/TLS handshake between Cloudflare and the origin web server failed. It only occurs when the domain is using the Cloudflare Full or Full (Strict) SSL/TLS encryption mode; in Flexible mode Cloudflare connects to the origin over plain HTTP, so there is no origin handshake to fail. The error is typically caused by a configuration issue on the origin web server. When this happens, visitors see "Error 525: SSL handshake failed".


Quick Fix Ideas

  1. If you are a site visitor, report the problem to the site owner. Neither this Community nor Cloudflare Support can assist you. Cloudflare Support only works with the verified owner of the domain.

  2. Make sure you have a valid SSL certificate installed on your origin server [1].

  • To display your origin certificate, replace 192.0.2.0 with the origin IP address of your web server and replace www.example.com with your domain and host name:

$ curl -svo /dev/null https://www.example.com --connect-to ::192.0.2.0 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"

  3. Check with your hosting provider to make sure the origin is listening on port 443 (or whatever other port you are using).

  4. Check to make sure your origin server is properly configured for SNI, so that it returns the certificate for the requested hostname rather than a default one.

  5. The cipher suites that Cloudflare offers and the cipher suites that the origin server accepts may not overlap. Review the cipher suites your server is configured with to ensure at least one of them is supported by Cloudflare. A cipher suite is a set of algorithms that secure a connection using Transport Layer Security (TLS) or its now-deprecated predecessor Secure Sockets Layer (SSL); a suite usually specifies a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

  6. If you are the site owner and you are only seeing the error intermittently, this suggests the TCP connection between Cloudflare and your origin is being reset during the SSL handshake. Ask your hosting provider or system administrator to check for server issues. Your web server's access and error logs are a good place to start.

  7. Note that Apache must be configured to log mod_ssl errors, and nginx includes these errors in its standard error log, but it may be necessary to increase the log level.

  8. Pause Cloudflare, or update your local hosts file to point directly at your server IP, to test that your server is presenting an SSL certificate. If you do not have a certificate installed on your server, you can generate one using Cloudflare's Origin CA certificates. This is a free certificate for the purpose of encrypting the connection between Cloudflare and your web server, so you do not need to purchase one. Browsers do not trust Origin CA certificates, so a direct test against the origin will show a certificate warning; that is expected.

  9. If you cURL to the origin on port 443 and receive the error error:1408F10B:SSL routines:ssl3_get_record:wrong version number, the origin replied with something that is not a TLS record (most often plain HTTP being served on port 443), so first confirm that the origin is actually serving HTTPS on that port. If it is, try disabling TLS 1.3 on the Edge Certificates tab of the SSL/TLS app on the Cloudflare dashboard. To determine what TLS versions your origin currently supports, use the following cURL command, replacing MYORIGINIP with the IP address shown on the A record in the DNS app of the Cloudflare dashboard and www.example.com with your domain:
    $ curl -svo /dev/null https://www.example.com --connect-to ::MYORIGINIP 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"
    Test a specific TLS version by adding one of the following options to your cURL command:

  • --tlsv1.0
  • --tlsv1.1
  • --tlsv1.2
  • --tlsv1.3

    Each of these sets the minimum version curl will offer, so the origin may still negotiate something newer; to pin exactly one version, add --tls-max with the same number, for example --tlsv1.2 --tls-max 1.2. Add -k if the origin presents a Cloudflare Origin Certificate (see the caveat at the end of this tip).
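The checks above are all done by hand with cURL and then read by eye. The following script is an added example, not part of this Community Tip or of any Cloudflare tool: it parses the cURL verbose output the tip asks you to inspect (TLS version, cipher, certificate subject/issuer/expiry, verify result), classifies the common failure strings cURL/OpenSSL print into the step of this tip to check next, and can also run a live handshake against an origin IP with SNI set and a single TLS version pinned, the equivalent of `curl --connect-to ::ORIGIN_IP --tlsvX.Y --tls-max X.Y`. The hostname, the 192.0.2.0 origin address and the embedded sample output are constructed (the sample is copied from the footnote of this tip), and the mapping of error text to next step is this example's own heuristic.

```python
"""Error 525 triage helper (added example, not from the Community Tip)."""
import re
import socket
import ssl
from datetime import datetime, timezone

TLS_VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}

# (regex over common curl/OpenSSL wording, category, what to check next).
# The regexes are heuristics for wording seen in curl -v output; the mapping
# to the tip's steps is this example's own.
_RULES = [
    (r"connection refused|timed out|failed to connect", "port",
     "origin is not listening on that port; check with the hosting provider"),
    (r"wrong version number", "not_tls",
     "origin answered with a non-TLS record (often plain HTTP on 443); confirm HTTPS is bound there"),
    (r"unable to get local issuer certificate|self.signed certificate|certificate verify failed",
     "untrusted_ca", "issuer not in the local trust store; expected for Origin CA, use -k or --cacert"),
    (r"unrecognized name|hostname mismatch|does not match|no alternative certificate subject name",
     "sni", "origin is not returning the certificate for this hostname; check SNI / vhost config"),
    (r"handshake failure|no ciphers available|unsupported protocol|protocol version",
     "version_or_cipher", "no common TLS version or cipher suite; review origin TLS settings"),
    (r"connection reset|unexpected eof|eof occurred", "reset",
     "connection reset mid-handshake; check origin error logs and resource limits"),
]


def diagnose(text):
    """Classify a curl -v / OpenSSL error string. Returns (category, advice)."""
    for pattern, category, advice in _RULES:
        if re.search(pattern, text, re.IGNORECASE):
            return category, advice
    return "unknown", "unclassified; post the full curl -v output"


def parse_curl_verbose(text, now=None):
    """Pull the fields the tip asks you to inspect out of curl -v output."""
    def grab(label):
        m = re.search(r"^\*\s+" + label + r": (.*)$", text, re.MULTILINE)
        return m.group(1).strip() if m else None

    info = {"subject": grab("subject"), "issuer": grab("issuer"),
            "verify": grab("SSL certificate verify result"), "expired": None}
    m = re.search(r"^\* SSL connection using (\S+) / (\S+)", text, re.MULTILINE)
    info["tls_version"], info["cipher"] = (m.group(1), m.group(2)) if m else (None, None)
    expire = grab("expire date")
    if expire:
        # curl prints OpenSSL's date format, e.g. "Apr 19 05:06:00 2034 GMT"
        not_after = datetime.strptime(expire, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        info["not_after"] = not_after
        info["expired"] = not_after < (now or datetime.now(timezone.utc))
    return info


def probe_origin(hostname, origin_ip, port=443, version="1.2", cafile=None, timeout=5.0):
    """Live equivalent of `curl --connect-to ::ORIGIN_IP --tlsvX.Y --tls-max X.Y`:
    TCP to origin_ip:port, SNI set to hostname, exactly one TLS version offered.
    Pass cafile pointing at the Cloudflare Origin CA root to verify an Origin
    Certificate instead of skipping verification."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.minimum_version = ctx.maximum_version = TLS_VERSIONS[version]
        if cafile is None:
            # Same effect as curl -k: diagnosis only, never in a real client.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"ok": True, "tls_version": tls.version(), "cipher": tls.cipher()[0],
                        "cert_bytes": len(der), "verified": cafile is not None}
    except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError subclass
        category, advice = diagnose(str(exc))
        return {"ok": False, "error": str(exc), "category": category, "next": advice}


# Constructed sample: the successful `-k` run shown in the footnote of this tip.
SAMPLE_CURL_OUTPUT = """\
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  start date: Apr 23 05:06:00 2019 GMT
*  expire date: Apr 19 05:06:00 2034 GMT
*  issuer: C=US; ST=California; L=San Francisco; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL ECC Certificate Authority
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
"""

if __name__ == "__main__":
    info = parse_curl_verbose(SAMPLE_CURL_OUTPUT)
    print(info["tls_version"], info["cipher"], "expired:", info["expired"])
    print(diagnose(info["verify"]))
    # Live probe of each TLS version; 192.0.2.0 is a documentation address, replace it.
    for v in TLS_VERSIONS:
        print(v, probe_origin("www.example.com", "192.0.2.0", version=v))
```

Run it once per TLS version against the real origin IP to get the same matrix the tip's `--tlsvX.Y` loop gives you, and feed any failure string from a cURL run into diagnose() to see which step of this tip to look at.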

Lite Reading
https://support.cloudflare.com/hc/en-us/articles/115003011431#525error

Learning Center
What Is SSL? | SSL and TLS
Security Option
If you need HTTPS on a deeper subdomain, such as www.subdomain.example.com, consider Advanced Certificate Manager: the Universal certificate covers only one level of subdomain. Advanced Certificate Manager also lets you remove the Cloudflare branding from the certificate and choose a shorter certificate lifespan.

If You Need More Help
This community of other Cloudflare users may be able to assist you: log in to Cloudflare and post your question to the Community. When you post, include as much of this information as possible: the specific error message you are seeing, the URLs it is happening on, a screenshot of the error, and the steps to reproduce it. Please also say which troubleshooting steps you have already tried, so that we can help you faster.

This is a Cloudflare Community Tip, to review other tips click here.


FXHFCT 103119


[1] Caveat: When checking the origin server, curl's insecure option (-k) needs to be used to get past the "SSL certificate problem: unable to get local issuer certificate" error. That error is expected if you are using a Cloudflare Origin Certificate, because the Cloudflare Origin CA is not in the operating system's trust store. Use -k only for this diagnosis, since it disables certificate verification entirely; if you want verification to succeed, download the Cloudflare Origin CA root certificate and pass it with --cacert instead. For example:

Not using insecure option:

$ curl -svo /dev/null https://example.com --connect-to ::192.0.2.0
* Connecting to hostname: 192.0.2.0
*   Trying 192.0.2.0:443...
* TCP_NODELAY set
* Connected to 192.0.2.0 (192.0.2.0) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [805 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

Using insecure option:

$ curl -svo /dev/null https://example.com --connect-to ::192.0.2.0 -k
* Connecting to hostname: 192.0.2.0
*   Trying 192.0.2.0:443...
* TCP_NODELAY set
* Connected to 192.0.2.0 (192.0.2.0) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [805 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  start date: Apr 23 05:06:00 2019 GMT
*  expire date: Apr 19 05:06:00 2034 GMT
*  issuer: C=US; ST=California; L=San Francisco; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL ECC Certificate Authority
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x556fbeff5880)
} [5 bytes data]
> GET / HTTP/2
> Host: example.com
> user-agent: curl/7.68.0
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
} [5 bytes data]
< HTTP/2 404 
< date: Fri, 22 Jul 2022 11:20:49 GMT
< server: servername
< 
{ [0 bytes data]
* Connection #0 to host 192.0.2.0 left intact