Error 525 SSL Handshake Error with Origin Server Certificates


I have been working on getting the SSL to work on my site for a week now without success. I use an unmanaged Ubuntu server from A2hosting.

I used the Cloudflare SSL/TLS facility to generate the origin certificates, copied both the certificate and the private key files to the server, and modified the Apache2 config file to point to the certificate and the key file. With the SSL mode set to Full in Cloudflare, I get Error 525 SSL handshake failed. The error log has it as: Connection reset by peer: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!].

I probably did not do something right in the Apache2 config file, but I don’t know what it can be.

After working on it for a week, I am stuck. Please help. Thank you.

Here are the details:

Ubuntu version:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial


Error 525
Ray ID: 575038bf4862e7a0 • 2020-03-16 17:33:51 UTC
SSL handshake failed
Apache2 error log file:
[Mon Mar 16 10:33:51.915246 2020] [ssl:debug] [pid 12749:tid 139994245043968] ssl_engine_kernel.c(2096): [client] AH02043: SSL virtual host for servername found
[Mon Mar 16 10:33:51.943305 2020] [ssl:debug] [pid 12749:tid 139994245043968] ssl_engine_io.c(1228): (103)Software caused connection abort: [client] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Mar 16 10:33:51.943338 2020] [ssl:info] [pid 12749:tid 139994245043968] [client] AH01998: Connection closed to child 78 with abortive shutdown (server
[Mon Mar 16 10:39:43.598969 2020] [ssl:info] [pid 12749:tid 139994234554112] [client] AH01964: Connection to child 79 established (server
[Mon Mar 16 10:39:43.599323 2020] [ssl:debug] [pid 12749:tid 139994234554112] ssl_engine_kernel.c(2124): [client] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Mon Mar 16 10:39:43.696143 2020] [ssl:debug] [pid 12749:tid 139994234554112] ssl_engine_io.c(1228): (104)Connection reset by peer: [client] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Mar 16 10:39:43.696178 2020] [ssl:info] [pid 12749:tid 139994234554112] [client] AH01998: Connection closed to child 79 with abortive shutdown (server

Apache2 config file:

# The <IfModule>/<VirtualHost> container and the closing tags were stripped when
# the post was rendered; they are restored here in the layout of Debian's
# default-ssl.conf (assumed), everything else is as posted.
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin [email protected]
        DocumentRoot /home/szx02f/workspace/esyscom/public

        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel info ssl:debug
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        SSLCertificateFile /etc/ssl/certs/cloudflare.pem
        SSLCertificateKeyFile /etc/ssl/private/cloudflare.key

        #   Server Certificate Chain:
        SSLCertificateChainFile /etc/ssl/certs/ca-certificates.crt

        #   Certificate Authority (CA):
        SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt << not sure what this is

        SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>


Verify port 443 is allowed:

$ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
7822                       ALLOW IN    Anywhere
3000                       ALLOW IN    Anywhere
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
7822 (v6)                  ALLOW IN    Anywhere (v6)
3000 (v6)                  ALLOW IN    Anywhere (v6)

Verify a certificate:

$ openssl verify -CAfile /etc/ssl/certs/cloudflare.pem /etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt: OK

Verify that a private key matches a certificate:

$ (openssl x509 -noout -modulus -in /etc/ssl/certs/cloudflare.pem | openssl md5; openssl rsa -noout -modulus -in /etc/ssl/private/cloudflare.key | openssl md5) | uniq
(stdin)= 40b94417a322d49f4e97896584b80fe2

Check Cloudflare TLS/SSL browser support:

$ curl -svo /dev/null --tlsv1.1
* Rebuilt URL to:
* Trying…
* Connected to ( port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 748 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.1 / ECDHE_ECDSA_AES_128_CBC_SHA1
*    server certificate verification OK
*    server certificate status verification SKIPPED
*    common name: (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: EC
*    certificate version: #3
*    subject: C=US,ST=CA,L=San Francisco,O=Cloudflare\, Inc.,
*    start date: Fri, 17 Jan 2020 00:00:00 GMT
*    expire date: Fri, 09 Oct 2020 12:00:00 GMT
*    issuer: C=US,ST=CA,L=San Francisco,O=CloudFlare\, Inc.,CN=CloudFlare Inc ECC CA-2
*    compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 525 Origin SSL Handshake Error
< Date: Mon, 16 Mar 2020 18:02:49 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d7447490586c581a0e078dc8bda3707291584381769; expires=Wed, 15-Apr-20 18:02:49 GMT; path=/;; HttpOnly; SameSite=Lax; Secure
< Cache-Control: no-store, no-cache
< Expect-CT: max-age=604800, report-uri=""
< Server: cloudflare
< CF-RAY: 5750632aa9fbeae7-LAX
{ [206 bytes data]

So if you set that hostname to :grey: in Cloudflare DNS, it still doesn’t work?

I set DNS to proxied, the orange cloud. If I set it to DNS only, isn't that bypassing the security that Cloudflare provides? If I set it to DNS only, I still get the same error:

An error occurred during a connection to SSL received a malformed Handshake record.


If you’re still getting an error when it’s set to :grey:, Cloudflare won’t be able to fix that. You need to troubleshoot your server before setting it back to :orange:.

Hi Sdayman,

Yes, I know Cloudflare won't be able to fix the problem. There is something wrong with the apache2 config file relating to the certificates. I followed everything that Cloudflare suggested on setting up the server. I just don't know what is wrong with it. I provided the config file in my original question. Thanks for replying.

Stack Overflow is a better source for troubleshooting server errors. For now, see if you can roll back the changes you made.

Okay. Thanks.


I think I may know the problem... the certificate max size probably needs to be set larger. There is probably a command that can be put into the Apache2 config file to fix this 525 SSL Handshake error. Does anyone know how to set the certificate max size?

Problem solved. This is FYI for others who may have similar problems.

The default key length is 2048. If your key is longer than that, it will cause this 525 SSL Handshake error. This is because the browser only takes 2048 and the SSL message looks malformed. Use this command to check your key:

$ openssl x509 -text -in your-certificates.crt -noout

Version: 3 (0x2)
Serial Number: 6828503384748696800 (0x5ec3b7a6437fa4e0)
Signature Algorithm: sha1WithRSAEncryption
Not Before: May 5 09:37:37 2011 GMT
Not After : Dec 31 09:37:37 2030 GMT
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (4096 bit)

Check the Public-Key length.

If you have this problem, check your apache2.cfg and go through the verification steps I took (listed in the original question above). It is likely that you don't have a valid certificate. If you use Cloudflare to generate the certificate and key file, you can use the Cloudflare certificate pem file for SSLCertificateFile, SSLCertificateChainFile, and SSLCACertificateFile. This should fix the 525 SSL handshake error.

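An added example, not code from the thread, that pulls the verification steps used above into one script an origin administrator can run before flipping the proxy back on: it checks that the private key belongs to the certificate (by comparing public keys, which also works for EC keys, unlike the RSA-only modulus trick), that the certificate chains to its issuer with the arguments in the right order (the CA bundle after -CAfile, the origin certificate as the file being verified), reports the public key algorithm and size the final post says to look at, and confirms the certificate covers the name Apache serves. Everything it operates on is constructed on the fly with openssl: a throwaway CA stands in for the Cloudflare Origin CA, www.example.test and all file names are placeholders, and nothing here is the poster's actual certificate material. The last function shows the direct-to-origin handshake check that sdayman's advice ("troubleshoot your server" with the record on grey) amounts to; it needs a live server and is not run here.

```shell
#!/bin/sh
# Offline checks for an Apache origin certificate, its private key and its
# issuing chain. All material is CONSTRUCTED on the fly (a throwaway test CA
# in the role of the Cloudflare Origin CA, and a leaf for the made-up host
# www.example.test); point CERT/KEY/CHAIN/HOST at the real files to use it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
    # One self-contained OpenSSL config so the script does not depend on the
    # system openssl.cnf; -subj on the command line overrides the placeholder DN.
    cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test,DNS:example.test
EOF
    # Throwaway issuing CA (constructed; plays the part of the Origin CA).
    openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca \
        -subj "/O=Constructed Test Origin CA/CN=constructed-origin-ca" \
        -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Leaf key and CSR; 4096-bit RSA to mirror the key size seen in the thread.
    openssl req -new -config "$WORK/pki.cnf" -subj "/CN=www.example.test" \
        -newkey rsa:4096 -nodes -sha256 \
        -keyout "$WORK/origin.key" -out "$WORK/origin.csr" >/dev/null 2>&1
    # Sign the leaf with the test CA, attaching the server extensions.
    openssl x509 -req -in "$WORK/origin.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/pki.cnf" -extensions v3_leaf \
        -out "$WORK/origin.pem" >/dev/null 2>&1
    # An unrelated key, so the mismatch detector can be seen firing.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/wrong.key" >/dev/null 2>&1
}

# The certificate's public key must equal the one derived from the private key.
# Comparing the PEM SubjectPublicKeyInfo works for RSA and EC keys alike.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The leaf must chain to its issuer: $1 is the CA bundle (-CAfile), $2 is the
# origin certificate being verified, not the other way round.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Algorithm and size of the certificate's public key, e.g. "rsaEncryption 4096".
public_key_info() {
    openssl x509 -in "$1" -noout -text | awk '
        /Public Key Algorithm:/ { alg = $NF }
        match($0, /\([0-9]+ bit\)/) { s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); bits = s }
        END { print alg, bits }'
}

# Does the certificate cover the name Apache serves (ServerName, i.e. the SNI
# the proxy sends)? Uses the SAN list when present.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Live check that bypasses the proxy: connect to the origin's own address ($1)
# but send the site's SNI ($2), as the proxy would. Not run in this script.
origin_handshake() {
    openssl s_client -connect "$1:443" -servername "$2" -showcerts </dev/null
}

make_test_pki
CERT=$WORK/origin.pem; KEY=$WORK/origin.key; CHAIN=$WORK/ca.pem; HOST=www.example.test

# Human-readable summary; each line is one of the checks above.
report() {
    echo "public key       : $(public_key_info "$CERT")"
    key_matches_cert "$CERT" "$KEY" && echo "key matches cert : yes" || echo "key matches cert : NO"
    key_matches_cert "$CERT" "$WORK/wrong.key" && echo "unrelated key    : accepted?!" || echo "unrelated key    : rejected"
    chain_verifies "$CHAIN" "$CERT" && echo "chain verifies   : yes" || echo "chain verifies   : NO"
    cert_covers_host "$CERT" "$HOST" && echo "covers $HOST : yes" || echo "covers $HOST : NO"
}
report
```

Run it as is to see the constructed material pass every check; for a real deployment set CERT, KEY and CHAIN to the paths named in the VirtualHost and HOST to its ServerName, and a "NO" on any line points at the file Apache is loading, which is where a 525 from the proxy has to be chased down.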