Error 525 - need clarification

Hello,
I added a new site to CloudFlare and am getting a 525 error. The URL is https://www.5dollarmaturedriving.com. From what I understand even though I am using CF’s Full SSL/TLS encryption mode I still need to install a NON self signed ssl certificate on my server as well? Is this correct? And if correct then why would I use CF’s cert if I still need to get my own?

With Full you need a certificate, but it is not validated, so it can be self-signed, expired, etc. Full (strict) requires a certificate that is valid (either issued by a trusted CA or a Cloudflare Origin Certificate). From the documentation:

Full SSL: Your origin supports HTTPS, but the certificate installed does not match your domain or is self-signed. Cloudflare will connect to your origin over HTTPS, but will not validate the certificate.

Full (strict): Your origin has a valid certificate (not expired and signed by a trusted CA or Cloudflare Origin CA) installed. Cloudflare will connect over HTTPS and verify the cert on each request.

You need to verify the configuration on your origin as 525 generally means your SSL configuration is not valid.

Using a valid certificate in a Full Strict configuration provides the greatest level of security end-to-end, and is the recommended configuration.

Check the Community Tip on 525 errors:

Thank you for your reply.

Our installed SSL certificate is self-signed, so it should work. The origin supports SSL, the installed certificate is self-signed, and TLS 1.2 is the default.

But the connection is still failing. Perhaps the problem is with CloudFlare?

To illustrate, TLS 1.2 is in use and the SSL certificate is self-signed on the origin server.

Certificate Information:
Common Name: 5dollarmaturedriving.com
Subject Alternative Names: 5dollarmaturedriving.com, mail.5dollarmaturedriving.com, www.5dollarmaturedriving.com, webdisk.5dollarmaturedriving.com, webmail.5dollarmaturedriving.com, cpanel.5dollarmaturedriving.com
Valid From: July 13, 2020
Valid To: July 13, 2021

openssl s_client -connect 66.180.203.197:443 -servername 5dollarmaturedriving.com
CONNECTED(00000003)
depth=0 CN = 5dollarmaturedriving.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = 5dollarmaturedriving.com
verify return:1

Certificate chain
 0 s:/CN=5dollarmaturedriving.com
   i:/CN=5dollarmaturedriving.com

Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=5dollarmaturedriving.com
issuer=/CN=5dollarmaturedriving.com

No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 1718 bytes and written 359 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7CF446203B7B375D4AEE74991A7927401719A77DD71194E70122874F22645769
Session-ID-ctx:
Master-Key: 1B2409080D6BE4327E885387425008770FB998676A3C918AA614D2E86E2231DD97689D7B3DC76FEC77D0249309F2701F
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 20 e3 55 cc 8b d5 51 87-10 f3 53 9c 80 ec 93 ee    .U...Q...S.....
0010 - 12 a7 bb cc 20 8c a4 cf-47 ef fc 15 6f cd c1 71   .... ...G...o..q
0020 - 5e 2a 3f 98 1b 74 09 1d-b0 06 5e dd 5b 1a 6d 63   ^*?..t....^.[.mc
0030 - 19 8e 39 1f 6d d6 4a 02-89 df 49 e3 bd 42 9d 5b   ..9.m.J...I..B.[
0040 - cb 04 37 5a 2c 41 55 35-4f fa 24 7f 0b bd 55 17   ..7Z,AU5O.$...U.
0050 - 9b 2e 5c 56 0b bb e2 da-1d 4f ca 17 93 7c 16 4d   ..\V.....O...|.M
0060 - a7 ec 91 52 17 d5 d5 c6-9c cc 3f 78 42 bc 21 23   ...R......?xB.!#
0070 - 04 f9 98 55 c8 e4 4e 67-bf 00 f7 7e 36 09 c9 bc   ...U..Ng...~6...
0080 - ac cc 94 3b ba 8e fc f4-50 a7 40 b3 bb 9d bb 74   ...;....P.@....t
0090 - ad 43 d9 f2 07 1c b4 07-49 db b2 30 f2 df ab c3   .C......I..0....
00a0 - cb 3c e5 b2 3b ca d4 bb-ec c7 c2 3c 57 55 3c c0   .<..;......<WU<.
00b0 - dc 24 ac 56 18 76 c1 7d-e5 65 5f e4 ec 27 6f 62   .$.V.v.}.e_..'ob
00c0 - 9a f5 d5 db 68 04 02 74-44 39 13 09 0a b5 35 f5   ....h..tD9....5.
00d0 - d4 ec 25 5a 0c 83 94 66-d7 2d a6 da 8c b3 06 aa   ..%Z...f.-......

Start Time: 1594773813
Timeout   : 7200 (sec)
Verify return code: 18 (self signed certificate)

Hello all. Can anyone offer some input on this matter?

Strange, since 5buckstraffic… is running (and working) behind Cloudflare. The only difference I can spot is that 5buckstraffic… has a valid DV certificate.

Are you sure that your (vHost) configuration is correct?

Hi,
The problem has been resolved. It seems that when the CloudFlare account was created, the A record IP was not auto-populated correctly. Upon updating the IP it works now. Thank you for your help.

Your site will be still insecure as long as you do not have a proper certificate in place.

What do you mean? I have a self signed certificate as CloudFlare instructs for Full encryption mode. Why will my site not be secure?

“Full” is only very partially secure. Only “Full strict” is secure and cannot be intercepted (at least not without compromising a CA).

On “Full” Cloudflare is not verifying the certificate (which it obviously cannot do with a self-signed certificate) and hence everyone who can intercept the connection can place their own certificate.

Switch to “Full strict” and configure a proper certificate if you want a secure site.

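Added example, not part of the thread and not Cloudflare's own tooling: it uses openssl alone to reproduce, offline, the distinction drawn in the first reply (Full accepts any certificate the origin presents; Full (strict) needs one that chains to a trusted CA and matches the name) and the interception point made just above (under Full, a certificate that anyone mints for the origin's name is accepted just like the real one). The private CA, the origin hostname www.example.test, the file names and the helper names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): reproduce locally, with openssl only,
# what Cloudflare's "Full" and "Full (strict)" modes require of an origin
# certificate. The private CA stands in for a trusted CA (or the Cloudflare
# Origin CA); www.example.test is a hypothetical origin hostname.
set -u

HOST="www.example.test"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config, so the system openssl.cnf is never consulted.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# Leaf extensions: the SAN must cover the name Cloudflare connects with.
cat > "$WORK/leaf.ext" <<EOF
subjectAltName   = DNS:$HOST
basicConstraints = CA:FALSE
EOF

q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

build_fixtures() {
  # 1. Private CA: the "trusted CA" of this demo.
  q openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
      -config "$WORK/req.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
  # 2. Origin cert for $HOST signed by that CA: what Full (strict) wants.
  q openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
      -subj "/CN=$HOST" -keyout "$WORK/origin.key" -out "$WORK/origin.csr"
  q openssl x509 -req -in "$WORK/origin.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
      -extfile "$WORK/leaf.ext" -out "$WORK/origin.pem"
  # 3. Self-signed cert for the same name: what the thread's origin had, and
  #    exactly what an interceptor could mint for itself in seconds.
  q openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
      -subj "/CN=$HOST" -keyout "$WORK/self.key" -out "$WORK/self.csr"
  q openssl x509 -req -in "$WORK/self.csr" -signkey "$WORK/self.key" \
      -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/self.pem"
}

# "Full": the origin must speak TLS and present *some* certificate; neither
# the chain nor the name is checked. Here that reduces to "is it a cert?".
full_accepts() { q openssl x509 -in "$1" -noout; }

# "Full (strict)": the certificate must chain to a trusted CA and its SAN
# must match the hostname being connected to (openssl verify does both).
strict_accepts() { q openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1"; }

verdict() { if "$@"; then echo accepted; else echo rejected; fi; }

build_fixtures
echo "Full,          self-signed cert:       $(verdict full_accepts   "$WORK/self.pem")"
echo "Full (strict), self-signed cert:       $(verdict strict_accepts "$WORK/self.pem"   "$HOST")"
echo "Full (strict), CA-signed, right name:  $(verdict strict_accepts "$WORK/origin.pem" "$HOST")"
echo "Full (strict), CA-signed, wrong name:  $(verdict strict_accepts "$WORK/origin.pem" "other.example.test")"
```

The first two lines of output are the whole argument of this thread: the same self-signed certificate is "accepted" under Full and "rejected" under Full (strict), and a certificate an attacker on the path mints for the origin's name fares exactly like the origin's own. The last line shows the second thing strict mode adds: even a CA-signed certificate is rejected when its SAN does not cover the name Cloudflare connects to. Against a live origin, the equivalent check is the poster's openssl s_client command with -verify_hostname added; anything other than "Verify return code: 0 (ok)" is what Full (strict) would refuse.
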
I see. OK, thank you for explaining. Have a good day.