Answer these questions to help the Community help you with Security questions.
What is the domain name?
kitsuna.net
Have you searched for an answer?
yes
Describe the issue you are having:
Cloudflare, even in Full (non-strict) mode, is telling me that my SSL is invalid. After testing the SSL certificate on a non-proxied subdomain, all tests passed and there is nothing wrong with the certificate.
What error message or number are you receiving?
526
What steps have you taken to resolve the issue?
restart origin nginx
change from full strict to just full
verify ssl cert is valid
Was the site working with SSL prior to adding it to Cloudflare?
it was working on Cloudflare just yesterday
What are the steps to reproduce the error:
load https://proxitox.kitsuna.net
get error
load https://kitsuna.net (non-proxied), see no error
Have you tried from another browser and/or incognito mode?
yes
You have an issue with the SSL certificate on your origin/the origin config. You can unproxy the record to confirm.
curl -Ikv https://proxitox.kitsuna.net --resolve proxitox.kitsuna.net:443:104.218.233.4
* Added proxitox.kitsuna.net:443:104.218.233.4 to DNS cache
* Hostname proxitox.kitsuna.net was found in DNS cache
* Trying 104.218.233.4:443...
* Connected to proxitox.kitsuna.net (104.218.233.4) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (OUT), TLS handshake, Client hello (1):
* error:1404B417:SSL routines:ST_CONNECT:sslv3 alert illegal parameter
* Closing connection 0
curl -Ikv https://kitsuna.net --resolve kitsuna.net:443:104.218.233.4
* Added kitsuna.net:443:104.218.233.4 to DNS cache
* Hostname kitsuna.net was found in DNS cache
* Trying 104.218.233.4:443...
* Connected to kitsuna.net (104.218.233.4) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.kitsuna.net
* start date: Feb 6 03:04:29 2023 GMT
* expire date: May 7 03:04:28 2023 GMT
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: HEAD]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: kitsuna.net]
* h2h3 [user-agent: curl/7.86.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x13580da00)
> HEAD / HTTP/2
> Host: kitsuna.net
> user-agent: curl/7.86.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
< server: nginx/1.22.1
server: nginx/1.22.1
< date: Fri, 24 Feb 2023 02:25:17 GMT
date: Fri, 24 Feb 2023 02:25:17 GMT
< content-type: text/html
content-type: text/html
< content-length: 752
content-length: 752
< last-modified: Mon, 27 Jan 2020 18:40:10 GMT
last-modified: Mon, 27 Jan 2020 18:40:10 GMT
< vary: Accept-Encoding
vary: Accept-Encoding
< etag: "5e2f2e8a-2f0"
etag: "5e2f2e8a-2f0"
< accept-ranges: bytes
accept-ranges: bytes
Forgive me if I’m being a little ignorant here but where is it that you see the issue? As far as I can see from your curl output of my domain directly on the non-proxied URL it says the certificate is just fine and it connects without issue.
Which is exactly the issue I’m having: if the domain is not proxied it works just fine and the certificate comes back as valid from multiple SSL testing locations, but when proxied Cloudflare claims that it is invalid. The exact same certificate is used on proxitox.kitsuna.net as on kitsuna.net, as well as the same nginx and config other than the full domain name of course, and it’s a wildcard certificate for the domain. It was also working fine yesterday; it just suddenly broke with no changes on my side.
There are 2 curl commands direct to your origin. The first, for the hostname returning a 526 error, fails with an SSL issue.
If anyone else has this same issue, I found the solution. I removed my server’s preferences for SSL ciphers. In my nginx config I had:
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
I used this config for years without issues. For whatever reason this is now broken. Removing the cipher preferences restores service.
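Added example, not from the thread: a small Python linter that walks an nginx config and reports, per server_name, the three directives the poster removed (a single pinned ssl_ecdh_curve, a hard-coded ssl_ciphers list, and ssl_prefer_server_ciphers on top of it). Since the same origin IP served one SNI name fine and failed the other, seeing which server block carries the restrictive settings is the first thing to check; the config below and its certificate path are constructed.

```python
"""Flag nginx TLS settings that can break the Cloudflare-to-origin handshake (526)."""
import re

# Constructed sample: the thread's three directives applied to one server block only.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl;
        server_name kitsuna.net;
        ssl_certificate /etc/letsencrypt/live/example/fullchain.pem;   # placeholder path
    }
    server {
        listen 443 ssl;
        server_name proxitox.kitsuna.net;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1;
    }
}
"""

def server_blocks(conf: str):
    """Yield (server_name, {directive: value}) for each flat server { ... } block."""
    for m in re.finditer(r"server\s*\{(.*?)\n\s*\}", conf, re.S):
        directives = {}
        for line in m.group(1).splitlines():
            line = line.split("#", 1)[0].strip().rstrip(";")  # drop comments and ';'
            if line:
                key, _, value = line.partition(" ")
                directives[key] = value.strip()
        yield directives.get("server_name", "(default)"), directives

def audit(conf: str) -> dict:
    """Return {server_name: [finding, ...]} for blocks that restrict the TLS handshake."""
    findings = {}
    for name, d in server_blocks(conf):
        notes = []
        curve = d.get("ssl_ecdh_curve")
        if curve and curve != "auto" and ":" not in curve:
            # A single named curve rejects any client that cannot offer exactly it.
            notes.append(f"single curve pinned ({curve}); use the default 'auto' list")
        if "ssl_ciphers" in d:
            notes.append("hard-coded ssl_ciphers; remove to use the nginx/OpenSSL default")
        if d.get("ssl_prefer_server_ciphers") == "on" and "ssl_ciphers" in d:
            notes.append("server cipher preference enforced on a custom list")
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    for host, notes in audit(SAMPLE_CONF).items():
        print(host, *notes, sep="\n  - ")
```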
system (Closed, February 27, 2023, 8:41am)
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.