Error 522 with Full (Strict) SSL/TLS


I have an Ubuntu virtual machine running Apache2 to serve a website through Cloudflare DNS proxies. I have done my best to install the certificate, the key, and a certificate chain. Flexible SSL/TLS works fine, but Full (Strict) results in error 522.

According to my error logs, this is because “AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate!”, followed by “AH02604: Unable to configure certificate [site]:443:0 for stapling.”

default-ssl.conf and [site].conf are both the following:

        <VirtualHost [site]:443>
                ServerAdmin [handle]@[site]
                ServerName [site]

                DocumentRoot /var/www/

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCertificateFile      /etc/certificate/[site].pem
                SSLCertificateKeyFile   /etc/certificate/[site].key
                SSLCertificateChainFile /etc/certificate/origin_ca_ecc_root.pem

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>


Screenshot of the error below. I would appreciate any advice, thank you.
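The AH02217 line in the post means mod_ssl could not find the server certificate's issuer in the configured chain file, which is what it needs to build an OCSP stapling request. The script below is an added example (not from the thread or from Cloudflare) that checks an Apache vhost's SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile trio for exactly that, using a constructed throwaway CA and leaf certificate so it runs offline; the `/etc/certificate/[site].*` paths in the thread are the real inputs you would pass to `check_vhost`.

```shell
#!/bin/sh
# Added example: sanity-check the cert/key/chain trio of an Apache SSL vhost
# before reloading. Test material below is constructed, not real site data.
set -eu
WORK=$(mktemp -d)

# Constructed test material: a tiny "origin CA", a leaf it signs, and an
# unrelated CA to play the part of a wrong SSLCertificateChainFile.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 1 -subj "/CN=Test Origin CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/site.key" \
    -out "$WORK/site.csr" -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/site.pem" -days 1 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.pem" -days 1 -subj "/CN=Unrelated CA" 2>/dev/null
}

# The private key belongs to the certificate iff their public keys are identical.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# mod_ssl needs the certificate's issuer present in the chain file to build an
# OCSP request; when it is missing the log shows AH02217 "can't retrieve issuer
# certificate". openssl verify fails against the same chain for the same reason.
chain_has_issuer() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run both checks on one vhost's files: cert, key, chain. Returns 0 if all pass.
check_vhost() {
  cert=$1; key=$2; chain=$3; status=0
  if key_matches_cert "$cert" "$key"; then echo "ok:   key matches certificate"
  else echo "FAIL: SSLCertificateKeyFile does not match SSLCertificateFile"; status=1; fi
  if chain_has_issuer "$cert" "$chain"; then echo "ok:   chain file contains the issuer"
  else echo "FAIL: SSLCertificateChainFile lacks the issuer (AH02217 if stapling is on)"; status=1; fi
  return $status
}

make_test_material
echo "--- correct trio"; check_vhost "$WORK/site.pem" "$WORK/site.key" "$WORK/ca.pem"
echo "--- wrong chain file"; check_vhost "$WORK/site.pem" "$WORK/site.key" "$WORK/other.pem" || true
```

A passing trio does not rule out a 522, which is a reachability error between Cloudflare and the origin; it only removes the certificate configuration as a suspect.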

Hello again,

I set SSLUseStapling to “off” in ssl-params.conf, default-ssl.conf and [site].conf. Public site access still times out in the same way, with the same Cloudflare error code, but there are no longer any new errors generated in the log.

Welcome to the Cloudflare Community.

What certificate is securing your origin server?

What happens when you pause Cloudflare and connect directly to your origin server using HTTPS?

Hello, thank you.

I am using an origin certificate and key generated by Cloudflare for SSL/TLS, along with a certificate chain (also provided by Cloudflare).

When I disable the proxies and turn off SSL/TLS, an HTTPS connection attempt results in “NET::ERR_CERT_AUTHORITY_INVALID” because the security certificate “is not trusted.”

I gather this is working as intended, since it is an origin certificate?

As long as the unknown certificate authority is the only anomaly, that sounds good.

Have you worked through the troubleshooting guide for 522 errors?

Thank you for this!

I investigated the first item on the list (blocked Cloudflare IPs) and realized I had set up https port forwarding incorrectly. Problem solved as soon as I forwarded everything from port 443 to the server.

Thanks again, take care.
