Error 525 on domains using Origin CA certs

Yesterday, I started experiencing 525 errors on two of my domains which had previously been working fine. Both domains are using Cloudflare’s Origin CA certificates, set to “Full (Strict)”, and had never had errors prior to yesterday afternoon.

Since discovering the issue, I’ve tried:

  • Revoking, re-issuing, and re-installing Origin CA certificates for both domains.
  • Replacing Origin CA certs with certs from Let’s Encrypt on my origin server.
  • Replacing Origin CA certs with certs from cPanel AutoSSL on my origin server.
  • Setting the TLS setting to “Full” (not strict).

All of these result in the same 525 errors. I’ve checked my DNS records, and they resolve correctly. I’ve also verified that my origin server is returning the correct Origin CA cert by pausing Cloudflare proxies on the appropriate DNS records, then running an SSL test on the domains once the changes to DNS have propagated.

The only solution that has gotten rid of the 525 error is setting the TLS setting to “Flexible”, but I do not want to keep it that way.

I’ve already read the pinned 525 post, which is where I derived many of my troubleshooting steps from. What’s odd is that my primary domain is hosted on the same origin server and is not throwing 525 errors.

Any ideas?

I have the same issue. It has been a week and I still don’t know why I’m having such a problem or how to fix it!!


Have you gotten the solution? Hopefully you did.

Nope, still waiting on a solution.

Bumping for visibility, seems like only someone at Cloudflare will be able to help with this one.

Sorry, didn’t know there’s a rule against bumping. I’ll keep that in mind for the future.

As I said, I’ve read that post and tried everything. Here’s my cURL output:

* Rebuilt URL to: [MY_DOMAIN]
* Connecting to hostname: [MY_IP]
*   Trying [MY_IP]...
* TCP_NODELAY set
* Connected to [MY_IP] ([MY_IP]) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Unknown (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2228 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  start date: Aug 25 02:18:00 2022 GMT
*  expire date: Aug 21 02:18:00 2037 GMT
*  issuer: C=US; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL Certificate Authority; L=San Francisco; ST=California
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* Using Stream ID: 1 (easy handle 0x560a84a21620)
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> GET / HTTP/2
> Host: iorl.info
> User-Agent: curl/7.58.0
> Accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< HTTP/2 200 
< x-powered-by: PHP/7.1.33
< content-type: text/html; charset=UTF-8
< date: Wed, 31 Aug 2022 13:49:02 GMT
< server: LiteSpeed
< strict-transport-security: max-age=31536000
< x-xss-protection: 1; mode=block;
< x-content-type-options: nosniff
< vary: User-Agent
< alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
< 
{ [12445 bytes data]
* Connection #0 to host [MY_IP] left intact

Upon further examination, it seems there might be a config issue with TLS at my hosting provider. My hosting provider claims there’s no issue on their end, so if anyone can help me decipher the exact issue then maybe I can forward it to them.
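The cURL output above was taken against the origin IP directly, and the "self signed certificate in certificate chain" line is expected there: the Cloudflare Origin CA root is not in a system trust store, so only Cloudflare's proxy will verify an Origin CA certificate cleanly. The following is an added example, not code posted by anyone in this thread, that probes an origin the way the proxy does (connect to the origin IP, send the public hostname via SNI, verify against a CA bundle you choose) and separates the failure modes that matter for diagnosing this: a TLS handshake failure (what Cloudflare reports as 525) versus a certificate that fails verification (what it reports as 526) versus a plain connection problem. The origin IP, hostname and the path to a PEM bundle containing the Cloudflare Origin CA root are assumed to be supplied by the caller; none of them come from the thread.

```python
"""Probe an origin server the way Cloudflare's proxy would: connect to the
origin IP directly, present the public hostname via SNI, and report whether
the TLS handshake and certificate verification succeed.

Added example, not code from the thread. Assumptions: origin IP and hostname
are given by the caller; `cafile` is a PEM bundle of the CAs to trust (for an
Origin CA certificate, the Cloudflare Origin CA root downloaded from
Cloudflare's documentation, since that root is absent from system stores and
a system-bundle check reports "self signed certificate in certificate chain").
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Verdict -> the Cloudflare error page an equivalent failure at the proxy
# would surface as. 525 = handshake failed, 526 = certificate failed
# verification under Full (Strict). A TCP-level failure is not a TLS problem.
CLOUDFLARE_EQUIVALENT = {
    "ok": None,
    "handshake_failed": 525,
    "cert_invalid": 526,
    "unreachable": None,
}


@dataclass
class ProbeResult:
    verdict: str
    detail: str
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    subject: Optional[str] = None
    issuer: Optional[str] = None


def classify_error(exc: BaseException) -> str:
    """Map an exception raised during the probe onto a verdict.

    Order matters: SSLCertVerificationError is a subclass of SSLError, and
    SSLError is itself a subclass of OSError."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_invalid"
    if isinstance(exc, ssl.SSLError):
        return "handshake_failed"
    if isinstance(exc, OSError):
        return "unreachable"
    raise exc


def format_name(rdns) -> str:
    """Flatten getpeercert()'s ((('O', 'x'),), (('CN', 'y'),)) into 'O=x; CN=y'."""
    return "; ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)


def probe_origin(origin_ip: str, hostname: str, cafile: Optional[str] = None,
                 port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Connect to origin_ip:port with SNI=hostname and verify against cafile
    (system bundle when cafile is None). Hostname checking stays enabled, so a
    certificate that does not cover `hostname` is reported as cert_invalid."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return ProbeResult(
                    verdict="ok",
                    detail=f"handshake and verification succeeded for {hostname}",
                    protocol=tls.version(),
                    cipher=tls.cipher()[0],
                    subject=format_name(cert.get("subject", ())),
                    issuer=format_name(cert.get("issuer", ())),
                )
    except Exception as exc:
        return ProbeResult(verdict=classify_error(exc),
                           detail=f"{type(exc).__name__}: {exc}")


def explain(result: ProbeResult) -> str:
    """One-line summary including the Cloudflare error the verdict maps to."""
    code = CLOUDFLARE_EQUIVALENT[result.verdict]
    tag = f"would surface as Cloudflare error {code}" if code else "not a TLS-layer failure"
    return f"{result.verdict}: {result.detail} ({tag})"


if __name__ == "__main__":
    import sys
    # usage: python probe.py ORIGIN_IP HOSTNAME [origin_ca_root.pem]
    ip, host = sys.argv[1], sys.argv[2]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    r = probe_origin(ip, host, cafile=ca)
    print(explain(r))
    if r.verdict == "ok":
        print(f"  {r.protocol} {r.cipher}\n  subject: {r.subject}\n  issuer: {r.issuer}")
```

Run it once with the Origin CA root as the bundle and once without: an "ok" with the root and "cert_invalid" without it is the healthy pattern for an Origin CA setup, whereas "handshake_failed" in both runs points at the origin's TLS configuration itself (the condition a 525 reflects) rather than at which certificate is installed. Running the probe against the working primary domain and a failing domain on the same IP, with the same bundle, isolates whether the origin is serving a different certificate or handshake outcome per SNI name.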

As far as I’m aware there is no such rule here. Repeatedly bumping the same post is not useful but a single bump if no one has picked it up is generally OK.

In this case, it does not sound like a problem with the Origin Cert. If there was an issue there it should result in a 526, not a 525.

I would agree with this, someone here may be able to help advise on that but if not then it is a bit outside the general scope here, unfortunately.


It’s just particularly strange because the domains in question never had an issue prior to now, and they’re hosted on the exact same account and IP as a domain that works perfectly fine with Origin CA. I’ve also been having some issues with Cloudflare tunnel, and I see a pretty high number of very similar stability-related posts here recently, so I’m not ruling CF out as the culprit just yet.