I added a new site to CloudFlare and am getting a 525 error. The URL is https://www.5dollarmaturedriving.com. From what I understand even though I am using CF’s Full SSL/TLS encryption mode I still need to install a NON self signed ssl certificate on my server as well? Is this correct? And if correct then why would I use CF’s cert if I still need to get my own?
With Full you need a certificate, but it is not validated so can be self-signed, expired etc. Full (strict) requires a certificate that is valid (either issued by a trusted CA or a Cloudflare Origin Certificate). From the documentation:
Full SSL: Your origin supports HTTPS, but the certificate installed does not match your domain or is self-signed. Cloudflare will connect to your origin over HTTPS, but will not validate the certificate.
Full (strict): Your origin has a valid certificate (not expired and signed by a trusted CA or Cloudflare Origin CA) installed. Cloudflare will connect over HTTPS and verify the cert on each request.
You need to verify the configuration on your origin as 525 generally means your SSL configuration is not valid.
Using a valid certificate in a Full Strict configuration provides the greatest level of security end-to-end, and is the recommended configuration.
Check the CommunityTip on 525 errors:
Thank you for your reply.
Our installed SSL is self-signed so it should work. The origin supports SSL, installed SSL is self-signed and TLS 1.2 is the default.
But the connection is still failing. Perhaps the problem is with CloudFlare?
To illustrate that TLS 1.2 is in use and the SSL certificate is self-signed on the origin server:
Common Name: 5dollarmaturedriving.com
Subject Alternative Names: 5dollarmaturedriving.com, mail.5dollarmaturedriving.com, www.5dollarmaturedriving.com, webdisk.5dollarmaturedriving.com, webmail.5dollarmaturedriving.com, cpanel.5dollarmaturedriving.com
Valid From: July 13, 2020
Valid To: July 13, 2021
openssl s_client -connect 18.104.22.168:443 -servername 5dollarmaturedriving.com
depth=0 CN = 5dollarmaturedriving.com
verify error:num=18:self signed certificate
depth=0 CN = 5dollarmaturedriving.com
0 s:/CN=5dollarmaturedriving.com
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 1718 bytes and written 359 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1594773813
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Hello all. Can anyone offer some input on this matter?
Strange since 5buckstraffic… is running (and working) behind Cloudflare. The only difference I can spot is that 5buckstraffic… has a valid DV certificate.
Are you sure that your (vHost) configuration is correct?
The problem has been resolved. It seems when the CloudFlare account was created the A record IP was not auto-populated correctly. Upon updating the IP it works now. Thank you for your help.
Your site will be still insecure as long as you do not have a proper certificate in place.
What do you mean? I have a self signed certificate as CloudFlare instructs for Full encryption mode. Why will my site not be secure?
“Full” is only very partially secure. Only “Full strict” is secure and cannot be intercepted (at least not without compromising a CA).
On “Full” Cloudflare is not verifying the certificate (which it obviously cannot do with a self-signed certificate) and hence everyone who can intercept the connection can place their own certificate.
Switch to “Full strict” and configure a proper certificate if you want a secure site.
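The two checks discussed in this thread (whether the origin completes a TLS handshake at all, which is what a 525 is about, and whether its certificate would pass the validation that "Full (strict)" adds and "Full" skips) can be reproduced from your own machine. The script below is an added example, not Cloudflare's code or anything posted above; it assumes you know the origin IP and hostname and pass them as arguments, and it uses Python's standard ssl module to model the two modes.

```python
"""Model Cloudflare's "Full" vs "Full (strict)" connection to an origin.

Full: TLS handshake to the origin, certificate NOT validated (self-signed,
expired or name-mismatched certificates are all accepted).
Full (strict): certificate must chain to a trusted CA and match the hostname.
A failed handshake in either mode is what Cloudflare surfaces as a 525.
"""
import socket
import ssl
from typing import Optional

TIMEOUT = 5  # seconds to wait for the origin


def make_context(strict: bool) -> ssl.SSLContext:
    """Client context modelling one encryption mode (assumption: system CA store)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not strict:
        # "Full": encrypt the hop, but accept any certificate whatsoever.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify(exc: Optional[BaseException]) -> str:
    """Turn the outcome of a handshake attempt into a verdict string."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Handshake succeeded but the chain/hostname did not validate:
        # "Full" would serve the site, "Full (strict)" would not.
        return f"cert-invalid ({exc.verify_message})"
    if isinstance(exc, OSError):  # SSLError, ConnectionError, timeouts
        # No TLS session was established: this is the 525 case in any mode.
        return f"handshake-failed ({exc.__class__.__name__})"
    return f"error ({exc!r})"


def probe(origin_ip: str, hostname: str, strict: bool, port: int = 443) -> str:
    """Connect straight to the origin IP with SNI set, as the proxy would."""
    ctx = make_context(strict)
    try:
        with socket.create_connection((origin_ip, port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return f"ok [{tls.version()}, {tls.cipher()[0]}]"
    except Exception as exc:  # every failure is a verdict, not a crash
        return classify(exc)


if __name__ == "__main__":
    import sys  # usage: python probe.py ORIGIN_IP HOSTNAME (placeholders)
    for mode, strict in (("Full", False), ("Full (strict)", True)):
        print(f"{mode:14s} -> {probe(sys.argv[1], sys.argv[2], strict)}")
```

A self-signed origin such as the one in this thread reports "ok" for Full and "cert-invalid (self signed certificate)" for Full (strict); a wrong origin IP reports "handshake-failed" for both, which matches the 525 the thread started with.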
I see. Ok thank you for explaining. Have a good day.