Error 525 When SSL Set To FULL

I have 6 domains on CloudFlare and I just noticed that two of them are set to SSL/TLS > OVERVIEW > FLEXIBLE and not FULL.

When I change them they return:

Error 525 Ray ID: 56336f114e8671e3 • 2020-02-11 04:03:35 UTC

SSL handshake failed

You

Browser

Working

Chicago

Cloudflare

Working

www.commodore.ca

Host

Error

All of my other sites (www.ElectricCadi.com, www.MyCeliacWorld.com and others) are fine with FULL. All are the same WordPress build and none have their own cert (which I thought was a requirement for FULL, but apparently it not).

I read a few other posts on the subject but did not find an answer beyond, this is a problem with your host which does not help me very much :slight_smile:

Thoughts?

Just the one: All websites should have TLS/SSL enabled at the origin for secure communication. The 525 indicates that this is not the case. Some hosts have some sort of certificate on the server, but a generic one that doesn’t match your domain. Plain “Full” will accept this, but Strict will not.

If you set that hostname to :grey: and wait 5 minutes for DNS to propagate, you can experiment with SSL on the host.

Thanks for the response SDayman;

I have DNS set to PROXIED now but FULL is not functioning as described.

Can you confirm that to get FULL to work the host server MUST have a cert?

Thanks

1 Like

With Full, you need a certificate on the origin but we don’t validate it, a self-signed cert generated from the cloudflare dash and uploaded to your site it fine. Details on all modes here, https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options. I did a quick check of the 3 sites mentioned in this thread and all load with https, if you’re not seeing that, perhaps try from a different browser, an incognito window, a mobile device, or clear cache and try again.

1 Like

Thanks cloonan.

I am seeing HTTPS and happy SSL on all sites. My issue is that sites like www.URTech.ca and www.ElectricCadi.com are functional with FULL but two other sites www.PartisanIssues.com and www.Commodore.ca will only function with FLEXIBLE.

This is clearly not a crisis but if could get all my sites to the same level, I would be happier.

This is NOT a big deal but I hate mysteries. Often they are hiding something more serious.

If you have any ideas, let me know otherwise I will just wrap this one up.

Thanks.

I’ll take a look at the cert on the one set to flexible, guessing it’s somehow different than the others.

1 Like

Hi @calgarytech, the two that are having issues with Full, and a third site also set to flexible all share the same IP, the sites set to Full also all share a (different) IP.

I’m guessing it’s TLS that is causing the issue with the three that are set to Flexible. On one of those three, can you set TLS 1.3 to off?

Great work @cloonan . It would appear that I transposed two numbers in the IP of www.Commodore.ca and www.PartisanIssues.com . I have no idea how the sites are working because they are all hosted by GoDaddy on the IP that www.URTech.ca is on, but I will correct this and see what happens.

1 Like

So far so good. THANKS for that great catch.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.