Error 522 missing edge certificates

I have the same issue.
I set up an Apache Debian web server.
Cloudflare's A record points to the correct IP.
I obtained a certificate from (CA) Let's Encrypt using sudo apt install certbot python3-certbot-apache
Let's test it: with proxy turned off at Cloudflare, HTTPS works. YAY
Now I try to set up the website using Cloudflare.
I created an Origin certificate, got the cert key and private key,
uploaded them to the web server, configured Apache (so it no longer uses Let's Encrypt),
verified the cert by using curl -I --verbose --insecure https://example.com --resolve example.com:443:123.45.67.89
Verified cert is Cloudflare.
I didn't configure an edge certificate on Cloudflare, but I can see a Backup cert from Let's Encrypt in Cloudflare's portal (did Cloudflare automatically grab the cert?)

So this should work because:
Web server has correct cert to talk to Cloudflare.
Edge has correct (I think) cert to talk to clients.

But when I do curl --verbose --insecure https://example.com, it says

* TLSv1.3 (IN), TLS alert, handshake failure (552):

Take note, the web server no longer uses the Let's Encrypt cert since that is not what Cloudflare is expecting when it talks to the origin server.

I have confirmed the server is using TLS1.3 AES_256_GCM_SHA384 (which is supported by Cloudflare's edge servers)

but if we curl --verbose --insecure https://example.com
we get * TLSv1.3 (IN), TLS alert, handshake failure (552):

Why would the server immediately send 552 from a client hello?
Confirmed that the 552 came from Cloudflare's edge servers: Connected to example.com (172.67.206.193) port 443

Here is the entire 552 output:

* TLSv1.3 (IN), TLS alert, handshake failure (552):
* LibreSSL/3.9.1: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* Closing connection
curl: (35) LibreSSL/3.9.1: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

What is the domain?

OK, I have more info:
I have changed to using Cloudflare's certificate, root certificate and private key but am still getting the same result:
openssl s_client -connect mathewhystek.com:443 -servername mathewhystek.com
OUTPUT:
78470000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl\record\rec_layer_s3.c:865:SSL alert number 40

Wireshark: CLIENT HELLO TLS1.2
Wireshark: TLSv1 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)

We don't even get a SERVER HELLO back.

Cloudflare is set to proxy DNS MathewHystek.com

SSL/TLS encryption mode is Flexible

If I openssl s_client -connect 34.125.47.65:443 -servername mathewhystek.com:
Connecting to 34.125.47.65
CONNECTED(0000015C)
depth=1 C=US, O=Cloudflare, Inc., OU=Cloudflare Origin SSL Certificate Authority, L=San Francisco, ST=California
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C=US, O=Cloudflare, Inc., OU=Cloudflare Origin SSL Certificate Authority, L=San Francisco, ST=California
verify return:1
depth=0 O=Cloudflare, Inc., OU=Cloudflare Origin CA, CN=Cloudflare Origin Certificate
verify return:1

Certificate chain
0 s:O=Cloudflare, Inc., OU=Cloudflare Origin CA, CN=Cloudflare Origin Certificate
i:C=US, O=Cloudflare, Inc., OU=Cloudflare Origin SSL Certificate Authority, L=San Francisco, ST=California
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 25 03:12:00 2024 GMT; NotAfter: May 22 03:12:00 2039 GMT
1 s:C=US, O=Cloudflare, Inc., OU=Cloudflare Origin SSL Certificate Authority, L=San Francisco, ST=California
i:C=US, O=Cloudflare, Inc., OU=Cloudflare Origin SSL Certificate Authority, L=San Francisco, ST=California
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 23 21:08:00 2019 GMT; NotAfter: Aug 15 17:00:00 2029 GMT

Certificate setup is correct.

The question is, why is Cloudflare simply dropping the TLS connection attempt when there is a CLIENT HELLO?

On your origin you are using a Cloudflare origin certificate…

* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  start date: May 25 03:12:00 2024 GMT
*  expire date: May 22 03:12:00 2039 GMT
*  issuer: C=US; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL Certificate Authority; L=San Francisco; ST=California
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.

The setup is ok, but bear in mind this certificate is only trusted by Cloudflare so requires use of the proxy as you hope to do. Direct connections to your origin will warn this certificate is self-signed as expected.

Next, for using this origin certificate by the Cloudflare proxy, do not use “Flexible”, use only “Full (strict)”.

Finally, the reason you are getting issues with the SSL connection to the Cloudflare edge is that no edge SSL certificate for your domain appears to have been deployed.
https://cf.sjr.org.uk/tools/check?93bd34c62e824948993374869503ed2f#connection-server-https

Check that Universal SSL is enabled in your dashboard at the bottom of this page…
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

If it is enabled, disable it, wait 2-3 minutes, then enable it again. See if the certificate is deployed. If it isn't, then post back.

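One way to turn the diagnosis in the reply above into a repeatable check, as an added example that is not part of this thread or of any Cloudflare tooling: the script below classifies an openssl s_client transcript into the three states the thread runs into (a fatal alert from the edge before any certificate is sent, a Cloudflare Origin CA chain that only the proxy trusts, and a publicly issued edge certificate). The sample transcripts are constructed, modelled on the output posted in the thread; the probe() helper shells out to the real openssl CLI and is an assumption about your environment.

```python
"""Classify an `openssl s_client` transcript into the states seen in this thread.

States returned by classify():
  edge_alert     - the server aborted the handshake with a fatal alert (alert 40,
                   handshake_failure) before offering a certificate. At a Cloudflare
                   edge this is what "no edge certificate deployed for this SNI" looks like.
  origin_cert    - the chain is issued by the Cloudflare Origin CA. Only the Cloudflare
                   proxy trusts it, so a direct connection reports verify error 19
                   (self-signed certificate in chain); expected, not a fault.
  public_cert    - a chain with a public issuer and no verify error (e.g. Universal SSL).
  untrusted_cert - some other chain that fails verification.
  no_certificate - no chain at all in the transcript.
"""
import re
import subprocess

# Subset of TLS alert descriptions from RFC 8446, section 6.2.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    112: "unrecognized_name",
}

ALERT_RE = re.compile(r"alert number (\d+)")
VERIFY_ERR_RE = re.compile(r"verify error:num=(\d+):([^\n]*)")
# "i:" lines in the "Certificate chain" section name each certificate's issuer.
ISSUER_RE = re.compile(r"^\s*i:(.*)$", re.MULTILINE)


def classify(transcript: str) -> dict:
    """Return a dict with a 'state' key plus the evidence behind the verdict."""
    alert = ALERT_RE.search(transcript)
    if alert:
        num = int(alert.group(1))
        return {"state": "edge_alert", "alert": num,
                "alert_name": TLS_ALERTS.get(num, "unknown"),
                "advice": "No certificate was offered for this SNI; check that an edge "
                          "certificate (e.g. Universal SSL) is deployed for the zone."}
    issuers = [i.strip() for i in ISSUER_RE.findall(transcript)]
    if not issuers:
        return {"state": "no_certificate",
                "advice": "No chain in transcript; check connectivity and the SNI name."}
    leaf_issuer = issuers[0]
    verify = VERIFY_ERR_RE.search(transcript)
    if "Cloudflare Origin" in leaf_issuer:
        return {"state": "origin_cert", "issuer": leaf_issuer,
                "verify_error": int(verify.group(1)) if verify else None,
                "advice": "Cloudflare Origin CA certificate: trusted by the proxy only. "
                          "Use Full (strict); verify error 19 on direct connections is expected."}
    if verify:
        return {"state": "untrusted_cert", "issuer": leaf_issuer,
                "verify_error": int(verify.group(1)), "detail": verify.group(2).strip()}
    return {"state": "public_cert", "issuer": leaf_issuer}


def probe(connect_host: str, sni: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Run the openssl CLI against connect_host with the given SNI and classify the result.

    Assumes `openssl` is on PATH; stdin is closed so s_client exits after the handshake.
    Point connect_host at the proxied hostname to test the edge, or at the origin IP
    (with the site name as SNI) to test the origin directly.
    """
    cmd = ["openssl", "s_client", "-connect", f"{connect_host}:{port}", "-servername", sni]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    return classify(proc.stdout + proc.stderr)


# Constructed transcripts, modelled on the output posted in the thread.
SAMPLE_EDGE_ALERT = (
    "CONNECTED(00000003)\n"
    "78470000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:"
    "ssl/record/rec_layer_s3.c:865:SSL alert number 40\n"
)
SAMPLE_ORIGIN = (
    "CONNECTED(0000015C)\n"
    "depth=1 C=US, O=Cloudflare, Inc., OU=Cloudflare Origin SSL Certificate Authority, "
    "L=San Francisco, ST=California\n"
    "verify error:num=19:self-signed certificate in certificate chain\n"
    "verify return:1\n"
    "Certificate chain\n"
    " 0 s:O=Cloudflare, Inc., OU=Cloudflare Origin CA, CN=Cloudflare Origin Certificate\n"
    "   i:C=US, O=Cloudflare, Inc., OU=Cloudflare Origin SSL Certificate Authority, "
    "L=San Francisco, ST=California\n"
)
SAMPLE_PUBLIC = (
    "CONNECTED(00000003)\n"
    "depth=0 CN=example.com\n"
    "verify return:1\n"
    "Certificate chain\n"
    " 0 s:CN=example.com\n"
    "   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1P5\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:
        print(probe(sys.argv[1], sys.argv[2]))  # e.g. python check.py 203.0.113.10 example.com
    else:
        for name, sample in (("edge", SAMPLE_EDGE_ALERT), ("origin", SAMPLE_ORIGIN),
                             ("public", SAMPLE_PUBLIC)):
            print(name, classify(sample))
```

Running it with no arguments classifies the three constructed samples; with a host and an SNI name it runs openssl s_client for real. Comparing the result of probing the proxied hostname against the result of probing the origin IP directly separates "the edge has nothing to present for this name" from "the origin certificate is wrong", which is the distinction the reply above draws.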

Yep, I switched to Flexible from Full for diagnostic reasons. I have switched back to Full (strict).

I have Cloudflare certs and Let's Encrypt certs. I have tried either configuration on the web server.

I can see backup certificates in the edge configuration. Not sure where they came from but I figured they are universal and I assume I did not need to do anything further. So I will disable Universal SSL:

I have disabled Universal SSL

waiting 5 minutes…

re-enabled Universal SSL.

waiting 5 minutes…

confirmed cert pickup

Success!
issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1P5

That's amazing that there is no GUI checksum for an existing Universal SSL cert in Cloudflare? Or is there?
