Error 525 - need clarification

I added a new site to CloudFlare and am getting a 525 error. The URL is From what I understand even though I am using CF’s Full SSL/TLS encryption mode I still need to install a NON self signed ssl certificate on my server as well? Is this correct? And if correct then why would I use CF’s cert if I still need to get my own?

With Full you need a certificate, but it is not validated so can be self signed, expired etc. Full strict requires a certificate that is valid (either issued by a trusted CA or a Cloudflare Origin Certificate). From the documentation:

Full SSL: Your origin supports HTTPS, but the certificate installed does not match your domain or is self-signed. Cloudflare will connect to your origin over HTTPS, but will not validate the certificate.

Full (strict): Your origin has a valid certificate (not expired and signed by a trusted CA or Cloudflare Origin CA) installed. Cloudflare will connect over HTTPS and verify the cert on each request.

You need to verify the configuration on your origin as 525 generally means your SSL configuration is not valid.

Using a valid certificate in a Full Strict configuration provides the greatest level of security end-to-end, and is the recommended configuration.

Check the CommunityTip on 525 errors:

Thank you for your reply.

Our installed SSL is self-signed so it should work. The origin supports SSL, installed SSL is self-signed and TLS 1.2 is the default.

But the connection is still failing. Perhaps the problem is with CloudFlare?

To illustrate that TLS 1.2 is enabled and the SSL certificate is self-signed on the origin server:

Certificate Information:
Common Name: 5dollarmaturedriving.com
Subject Alternative Names: 5dollarmaturedriving.com, mail.5dollarmaturedriving.com, www.5dollarmaturedriving.com, webdisk.5dollarmaturedriving.com, webmail.5dollarmaturedriving.com, cpanel.5dollarmaturedriving.com
Valid From: July 13, 2020
Valid To: July 13, 2021

openssl s_client -connect -servername 5dollarmaturedriving.com
depth=0 CN = 5dollarmaturedriving.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = 5dollarmaturedriving.com
verify return:1

Certificate chain
0 s:/CN=5dollarmaturedriving.com
i:/CN=5dollarmaturedriving.com

Server certificate
subject=/CN=5dollarmaturedriving.com
issuer=/CN=5dollarmaturedriving.com

No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 1718 bytes and written 359 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7CF446203B7B375D4AEE74991A7927401719A77DD71194E70122874F22645769
Master-Key: 1B2409080D6BE4327E885387425008770FB998676A3C918AA614D2E86E2231DD97689D7B3DC76FEC77D0249309F2701F
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1594773813
Timeout   : 7200 (sec)
Verify return code: 18 (self signed certificate)

Hello all. Can anyone offer some input on this matter?

Strange since 5buckstraffic… is running (and working) behind Cloudflare. The only difference i can spot is that 5buckstraffic… has a valid DV certificate.

Are you sure that your (vHost) configuration is correct?

The problem has been resolved. It seems when the CloudFlare account was created the A record IP was not auto-populated correctly. Upon updating the IP it works now. Thank you for your help.

Your site will be still insecure as long as you do not have a proper certificate in place.

What do you mean? I have a self signed certificate as CloudFlare instructs for Full encryption mode. Why will my site not be secure?

“Full” is only very partially secure. Only “Full strict” is secure and cannot be intercepted (at least not without compromising a CA).

On “Full” Cloudflare is not verifying the certificate (which it obviously cannot do with a self-signed certificate) and hence everyone who can intercept the connection can place their own certificate.

Switch to “Full strict” and configure a proper certificate if you want a secure site.
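As an added example (not code from the thread, from Cloudflare, or from any poster), the following Python model captures the acceptance rule described in the Full vs. Full (strict) answer above and in this reply: under Full the origin certificate is never validated, so a self-signed or expired certificate passes; under Full (strict) it must be issued by a trusted CA, be within its validity period, and match the hostname. The certificate fields are taken from the openssl output quoted earlier; the trust-store issuer names and the sample CA-issued certificate are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed from the certificate details quoted in the thread (self-signed:
# subject CN and issuer CN are identical, which is openssl verify error 18).
ORIGIN_CERT = {
    "subject_cn": "5dollarmaturedriving.com",
    "issuer_cn": "5dollarmaturedriving.com",
    "sans": ["5dollarmaturedriving.com", "mail.5dollarmaturedriving.com",
             "www.5dollarmaturedriving.com", "webdisk.5dollarmaturedriving.com",
             "webmail.5dollarmaturedriving.com", "cpanel.5dollarmaturedriving.com"],
    "not_before": datetime(2020, 7, 13, tzinfo=timezone.utc),
    "not_after": datetime(2021, 7, 13, tzinfo=timezone.utc),
}
# Hypothetical CA-issued certificate for comparison (constructed sample).
CA_ISSUED_CERT = {
    "subject_cn": "example.com", "issuer_cn": "Example Public CA",
    "sans": ["example.com", "*.example.com"],
    "not_before": datetime(2020, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2021, 1, 1, tzinfo=timezone.utc),
}
# Hypothetical trust store: issuer names the edge would accept under Full (strict).
TRUSTED_ISSUERS = {"Example Public CA", "Cloudflare Origin CA (placeholder issuer name)"}
IN_VALIDITY = datetime(2020, 9, 1, tzinfo=timezone.utc)    # inside both validity windows
AFTER_EXPIRY = datetime(2022, 1, 1, tzinfo=timezone.utc)   # after both have expired

def hostname_matches(name, pattern):
    """RFC 6125 style match: a wildcard may only replace the whole leftmost label."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        head, _, tail = name.partition(".")
        return bool(head) and tail == pattern[2:]
    return name == pattern

def evaluate_origin(cert, hostname, mode, now, trusted=TRUSTED_ISSUERS):
    """Return (accepted, reason) for Cloudflare's 'full' or 'full_strict' mode."""
    if mode == "full":
        # Full: HTTPS to the origin, but the certificate is not validated at all,
        # so anyone able to intercept the path can present their own certificate.
        return True, "certificate presented but not validated"
    if mode != "full_strict":
        raise ValueError("mode must be 'full' or 'full_strict'")
    if cert["issuer_cn"] == cert["subject_cn"]:
        return False, "self signed certificate"
    if cert["issuer_cn"] not in trusted:
        return False, "issuer not trusted"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "certificate expired or not yet valid"
    if not any(hostname_matches(hostname, n) for n in cert["sans"] or [cert["subject_cn"]]):
        return False, "hostname mismatch"
    return True, "valid certificate from trusted CA"
```

Running the thread's certificate through both modes shows why Full alone does not make the site secure: it is accepted under Full even after expiry, and rejected under Full (strict) for being self-signed.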

I see. Ok thank you for explaining. Have a good day.
