What is the name of the domain?
thiswebsiteorg
What is the error number?
What is the error message?
Error 525 SSL handshake failed
I’m trying to host my own website on my home server, using aaPanel with Nginx. I have a Cloudflare domain pointing to my public IP, and ports 80 and 443 are open. I’ve checked my firewall and ISP. I’ve generated an origin certificate in Cloudflare, which I’ve successfully uploaded to my Nginx configuration. Cloudflare is set to Full (Strict) mode; however, when I force HTTPS, I always get a 525 error.
This is my nginx config:
server
{
    listen 80;
    listen 443 ssl http2;
    server_name this.website.org;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/this.website.org;

    #CERT-APPLY-CHECK--START
    # Configuration related to file verification for SSL certificate application - Do not delete
    include /www/server/panel/vhost/nginx/well-known/this.website.org.conf;
    #CERT-APPLY-CHECK--END

    #SSL-START SSL related configuration, do NOT delete or modify the next line of commented-out 404 rules
    #error_page 404/404.html;
    #HTTP_TO_HTTPS_START
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    #HTTP_TO_HTTPS_END
    ssl_certificate /www/server/panel/vhost/cert/this.website.org/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/this.website.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497 https://$host$request_uri;
    #SSL-END

    #ERROR-PAGE-START Error page configuration, allowed to be commented, deleted or modified
    error_page 404 /404.html;
    error_page 502 /502.html;
    #ERROR-PAGE-END

    #PHP-INFO-START PHP reference configuration, allowed to be commented, deleted or modified
    include enable-php-83.conf;
    #PHP-INFO-END

    #REWRITE-START URL rewrite rule reference, any modification will invalidate the rewrite rules set by the panel
    include /www/server/panel/vhost/rewrite/this.website.org.conf;
    #REWRITE-END

    # Forbidden files or directories
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.env|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }

    # Directory verification related settings for one-click application for SSL certificate
    location ~ \.well-known{
        allow all;
    }

    # Prohibit putting sensitive files in certificate verification directory
    if ( $uri ~ "^/\.well-known/.*\.(php|jsp|py|js|css|lua|ts|go|zip|tar\.gz|rar|7z|sql|bak)$" ) {
        return 403;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
        error_log /dev/null;
        access_log /dev/null;
    }

    location ~ .*\.(js|css)?$
    {
        expires 12h;
        error_log /dev/null;
        access_log /dev/null;
    }

    access_log /www/wwwlogs/this.website.org.log;
    error_log /www/wwwlogs/this.website.org.error.log;
}
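A 525 means Cloudflare's edge could not complete the TLS handshake with the origin, so the quickest way to narrow it down is to reproduce that handshake from the origin side with SNI set to the hostname, as the edge does. The probe below is an added example, not code from this thread; it assumes you have the Cloudflare Origin CA root PEM on disk (Origin CA certificates chain only to that root, so the system trust store will always reject them) and that you pass the server's own IP so the Cloudflare proxy is bypassed. The function names are mine.

```python
"""Reproduce the edge-to-origin TLS handshake that a Cloudflare 525 reports as failed.
Added example, not from the thread. CAFILE is the Cloudflare Origin CA root PEM (Origin CA
certs chain only to it, never to the system store); ORIGIN_IP bypasses the Cloudflare proxy."""
import json
import socket
import ssl
import sys

def san_matches(pattern: str, host: str) -> bool:
    """Match a DNS name or a wildcard; '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    parts = host.split(".", 1)
    return len(parts) == 2 and bool(parts[0]) and parts[1] == pattern[2:]

def cert_covers_host(cert: dict, host: str) -> bool:
    """cert has the shape SSLSocket.getpeercert() returns; SAN wins over CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # CN is only consulted when the cert carries no SAN at all
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(san_matches(n, host) for n in names)

def probe_origin(host: str, origin_ip: str, cafile: str, port: int = 443) -> dict:
    """Handshake with SNI=host (as the edge does) and report what the origin offers."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = False  # name check is done by hand so the two failures are told apart
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # Cloudflare never offers older versions
    result = {"host": host, "ok": False}
    try:
        with socket.create_connection((origin_ip, port), timeout=5.0) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
                result.update(protocol=tls.version(), cipher=tls.cipher()[0],
                              issuer=issuer.get("commonName"), covers_host=cert_covers_host(cert, host))
                result["ok"] = result["covers_host"]  # chain verified AND name matches
    except ssl.SSLCertVerificationError as e:
        result["error"] = f"chain does not verify against {cafile}: {e.verify_message}"
    except ssl.SSLError as e:
        result["error"] = f"handshake failed (protocol or cipher mismatch?): {e}"
    except OSError as e:
        result["error"] = f"TCP connect to {origin_ip}:{port} failed: {e}"
    return result

if __name__ == "__main__":  # usage: python3 probe.py this.website.org 127.0.0.1 /etc/ssl/certs/origin_ca_rsa_root.pem
    print(json.dumps(probe_origin(*sys.argv[1:4]), indent=2))
```

If the chain verifies but covers_host is false, the Origin certificate was issued for the wrong names; if the chain itself fails, the wrong certificate or key file is loaded by nginx.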
Did you add the root Cloudflare Origin CA Cert (ECC or RSA .pem) to your /etc/ssl/ and restart Nginx?
Which version are you running?
Actually, with the generated Cloudflare Origin CA certificate you don’t have to combine the root and the generated one to get a “bundle” - no need for fullchain (the generated one is essentially self-signed).
> Which version are you running?

I’m using Nginx 1.24.

> Did you add the root Cloudflare Origin CA Cert (ECC or RSA .pem) to your /etc/ssl/ and restart Nginx?

Now I did: ssl_trusted_certificate /etc/ssl/certs/origin_ca_rsa_root.pem; but the problem remains.
Actually, no need for this line in the config / vhost file for your domain.
I am sorry to hear this.
Let’s break down the steps to troubleshoot, to help you fix this one (this worked for me):

1. Save the root Cloudflare Origin CA certificate to /etc/ssl/certs as cloudflare_origin_ca_root.cer.
2. Save the generated Origin certificate as mydomain.com.crt, and save the private key as mydomain.com.key.
3. Put them under the www-data user for your website (e.g. /var/www/public_html/mydomain.com/ssl/), or, via some kind of cPanel or ISPConfig or aaPanel, paste the “certificate” field into the “certificate” (no bundle) and the “key” field into the “key”.
4. Make sure Minimum TLS is set to 1.3 at Cloudflare (otherwise the config example below would fail).
5. The mydomain.vhost file should be like:

server {
    listen *:80;
    listen [::]:80;
    listen *:443 ssl;
    listen [::]:443 ssl;
    http2 on;

    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_prefer_server_ciphers off;
    ssl_certificate /var/www/mydomain.com/web/ssl/mydomain.com.crt;
    ssl_certificate_key /var/www/mydomain.com/web/ssl/mydomain.com.key;

    server_name mydomain.com www.mydomain.com;
    root /var/www/mydomain.com/web/;
    disable_symlinks if_not_owner from=$document_root;

    # --> change here if you're doing HTTP->HTTPS on the origin host and non-www to www
    if ($scheme != "https") {
        rewrite ^ https://$http_host$request_uri? permanent;
    }
    if ($http_host = "mydomain.com") {
        rewrite ^ $scheme://www.mydomain.com$request_uri? permanent;
    }

    index index.html index.htm index.php index.cgi index.pl index.xhtml;

    error_page 400 /error/400.html;
    error_page 401 /error/401.html;
    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    error_page 405 /error/405.html;
    error_page 500 /error/500.html;
    error_page 502 /error/502.html;
    error_page 503 /error/503.html;

    location ~ \.php$ {
        try_files /1e9a686ef8578fe764d2d51ec3497b01.htm @php;
    }

    location @php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/lib/phpX.Y-fpm/webXYZ.sock;  # --> change here if using php-fpm
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 300;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 300;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 4k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }

    location / {
        index index.php index.html;
        try_files $uri $uri/ /index.php?$args;
        fastcgi_read_timeout 300;
    }

    # ...
}
nginx.conf file:

# CloudFlare
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
# real_ip_header X-Forwarded-For;