Error 525 setting up cloudflared https tunnel

D.W · December 1, 2024, 7:39pm

What is the name of the domain?

cloudtest dimentech com

What is the error number?

525

What is the error message?

SSL handshake failed

What is the issue you’re encountering

Unable to access website via cloudflared tunnel

What are the steps to reproduce the issue?

Verified that local webserver is running, has correct SSL certificate, and has appropriate ciphers. The Apache configuration is identical to a public server I host. I followed the directions at eddiezme/working-around-cgnat/

I see the tunnel as active at Cloudflare. I don’t know of a way to see what error Cloudflare is getting when their side attempts the https connection to my local server. HTTPS works just fine locally to the server.

The SSLProtocal and SSLChipherSuite are:
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4”

Laudian · December 1, 2024, 8:01pm

The easy solution is to use HTTP instead of HTTPS - there’s not much of a security concern if the tunnel and webserver are running on the same machine. Just make sure the webserver only responds to requests from localhost.

If you want to use HTTPS, can you share the tunnel’s ingress rules?

D.W · December 1, 2024, 8:25pm

I was trying to use HTTPS because the SSL/TLS settings for the domain are set to “automatic”. I had set the ingress rules to HTTP originally but switched due to thinking the SSL/TLS automatic setting was an inssue.

config.yml rules (minus the tunnel and credential file lines) are:

ingress:

hostname: cloudtest.dimentech.com
service: https://127.0.0.1:443
service: http_status:404

Laudian · December 1, 2024, 8:32pm

Could you set the originServerName option? If that alone doesn’t work, could you also add the httpHostHeader option? Origin configuration · Cloudflare Zero Trust docs

This does not apply to the tunnel. I would personally just change it HTTP, as it really doesn’t make much sense to encrypt the traffic on the web server only to have it decrypted by the tunnel to encrypt it again.

D.W · December 2, 2024, 12:31pm

OK. Changed to http but still getting the 525 error. Updated config file below. I have verified using wget on the local server that “http://127.0.0.1” is returning the webpage I expect.

ingress:

hostname: cloudtest.dimentech.com
service: http://127.0.0.1
service: http_status:404

Laudian · December 2, 2024, 12:33pm

Can you just doublecheck that the DNS record for cloudtest.dimentech.com actually points to your tunnel?

D.W · December 2, 2024, 3:50pm

The CNAME record is set to thetunnelid.cgargotunnel.com and Proxy is ON
I see the tunnel status as active

Oddly, now I’m seeing “Error 1016 Origin DNS Error”. I had renentered the full CNAME record and made a typo. I fixed the typo but this is what I’m getting now. Do I have the wrong domain name for the CNAME destination?

Laudian · December 2, 2024, 4:36pm

is that just a typo? It’s cfargotunnel.com. But this typo would be consistent with the error you see.

D.W · December 2, 2024, 6:31pm

Thank you! The webpage I was basing my setup off of had “cg” not “cf”. That, combined with my attempt at SSL was the root cause of my problems. With SSL removed and now with the correct spelling, it works.

Thank you!

Topic		Replies	Views
HTTPS Connection Cloudflare Tunnel - Handshake Error Cloudflare Tunnel CloudflareTunnel	2	2046	May 23, 2022
525: SSL handshake failed Security dns , dash-ssl-tls	6	3379	October 23, 2018
Error 525 SSL handshake failed You Security	2	3875	March 11, 2022
"www.mathforschool.xyz redirected you too many times" Security	9	1796	August 31, 2022
Community Tip - Fixing Error 525: SSL handshake failed Tutorial CommunityTip	0	237482	November 13, 2018