Error SSL handshake failed 525

My website has been getting a 525 SSL error. I have seen Community Tip - Fixing Error 525: SSL handshake failed. I think my server is all right, so I don't know how to solve it.

Can anyone help me? I can provide the information needed.

When you pause Cloudflare, is your site working over HTTPS?

Yes, but the browser warns me that it is an untrusted SSL certificate.

Unless you are using a Cloudflare Origin CA certificate, I would not call that working.

Can you fix that and see if it resolves your 525 error?


Yeah, I use Cloudflare Origin Certificates.

If I use DNS only mode and change to my own SSL certificate, the website is accessible normally.

What do I need to do next?

Have you verified ideas 5, 7 and 9 in the Fixing Error 525 Community Tip in the #tutorial section?

Idea 5: I don't know how to review the cipher suites.

Idea 7: I use nginx; my log level is warn, and I can't find any error about SSL in the error_log file.

Idea 9: I got this; I think it looks normal:

* Connecting to hostname: 150.1xx.1xx.31
*   Trying 150.1xx.1xx.31:443...
* Connected to 150.1xx.1xx.31 (150.1xx.1xx.31) port 443 (#0)
* ALPN: offers h2
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
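Where the two things asked about above live in an nginx origin config, as an added example (not a config posted in this thread). The hostname, certificate paths and upstream address are placeholders; the cipher list is an assumed modern AEAD set, not one the thread prescribes. Idea 5 (cipher suites) is the ssl_protocols and ssl_ciphers pair; idea 7 (nothing in error_log at warn) is the per-server error_log line at debug level.

```nginx
# Added example: nginx server block for an origin behind Cloudflare that serves
# a Cloudflare Origin CA certificate. Paths, hostname and upstream are placeholders.
server {
    listen 443 ssl;

    # Must match the SNI that Cloudflare sends. A hostname with no matching
    # server_name falls through to the default server, usually with the wrong
    # certificate, and Cloudflare then reports a 525.
    server_name example.com www.example.com;

    # Cloudflare Origin CA certificate and private key (placeholder paths).
    ssl_certificate     /etc/ssl/cloudflare/example.com.pem;
    ssl_certificate_key /etc/ssl/cloudflare/example.com.key;

    # Idea 5: this is the cipher-suite review. Cloudflare connects with TLS 1.2
    # or 1.3 and modern suites; a legacy-only list here leaves nothing in
    # common and the handshake fails. (TLS 1.3 suites are not controlled by
    # ssl_ciphers; this list covers TLS 1.2.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Idea 7: at "warn" a failed handshake leaves nothing in the log. Log this
    # virtual host at debug while testing (requires nginx built --with-debug),
    # then put it back afterwards; debug logs are large and leak request detail.
    error_log /var/log/nginx/example.com.error.log debug;

    location / {
        proxy_pass http://127.0.0.1:8080;  # placeholder upstream
    }
}
```

After reloading, a probe from outside with SNI set to the hostname should show the handshake reaching the Certificate message and completing; if it still aborts, the debug log now records which step (protocol, cipher or SNI lookup) nginx refused.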

Are you here?

Try the following cURL direct to your origin:

curl https://example.com --connect-to ::123.123.123.123 -svo /dev/null --compressed

Replace example.com with your website and 123.123.123.123 with your origin IP address. It may be that your cURL command is not sending the correct Host header and/or SNI as Cloudflare does, hiding the problem at your origin from you.

I got this; what is wrong with it?

* Connecting to hostname: 150.1xx.1xx.31
*   Trying 150.1xx.1xx.31:443...
* Connected to 150.1xx.1xx.31 (150.1xx.1xx.31) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [811 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

I suspect your server is not responding correctly to SNI (Server Name Indication). I’m not sure what cURL command you are running because you haven’t shared it, but not all builds of cURL will send SNI depending on the underlying TLS stack it was built with, I believe.

Another way of testing is to use openssl directly.

With SNI:

Replace 123.123.123.123 with your origin IP and example.com with your hostname

openssl s_client -connect 123.123.123.123:443 -servername example.com

Without SNI:

openssl s_client -connect 123.123.123.123:443

Cloudflare will always send an SNI matching your hostname, so if your origin doesn’t complete the handshake you will get an Error 525.
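The two openssl checks above, scripted, as an added example that is not part of the thread: one TLS handshake to the origin IP with SNI set to the site hostname and certificate verification on (what Cloudflare does), a second with no SNI and verification off so the default virtual host's certificate is still visible, and a lookup that turns the OpenSSL error text into what it usually means at the origin. ORIGIN_IP, HOSTNAME and CAFILE are placeholders; the Cloudflare Origin CA root PEM is a file you download from Cloudflare, not something embedded here. One caveat the thread's curl output illustrates: "unable to get local issuer certificate" is the expected result when the origin serves a Cloudflare Origin CA certificate and the client verifies against the system bundle, because only Cloudflare trusts that CA; pass the Origin CA root as the bundle to check the chain the way Cloudflare sees it.

```python
"""Probe an origin the way Cloudflare does: TLS to the origin IP with SNI set
to the site hostname, then the same without SNI, and translate the OpenSSL
error text into what it usually means at the origin."""
import hashlib
import socket
import ssl

# Placeholders (constructed): replace with your origin IP and site hostname.
ORIGIN_IP = "123.123.123.123"
HOSTNAME = "example.com"
# PEM bundle to verify against. For an origin serving a Cloudflare Origin CA
# certificate this must be the Origin CA root PEM (downloaded from Cloudflare,
# not embedded here): no public bundle contains that CA.
CAFILE = None

# Substrings of OpenSSL/socket error text -> what they usually mean at the origin.
DIAGNOSES = [
    ("unable to get local issuer certificate",
     "Chain verifies against nothing in the CA bundle. Expected for a Cloudflare "
     "Origin CA cert unless you pass the Origin CA root as cafile; only Cloudflare "
     "trusts that CA, browsers and plain curl never will."),
    ("hostname mismatch",
     "Certificate does not cover the SNI hostname; check its SAN list."),
    ("unrecognized name",
     "Origin refused the SNI name: no virtual host is configured for it."),
    ("handshake failure",
     "Origin aborted the handshake: protocol/cipher mismatch (review ssl_protocols "
     "and ssl_ciphers) or it rejects this SNI name."),
    ("wrong version number",
     "Port 443 answered with something that is not TLS, probably plain HTTP."),
    ("connection refused", "Nothing is listening on that port at the origin IP."),
    ("timed out", "No answer at all: firewall or routing problem before TLS starts."),
]


def diagnose(error_text):
    """Map an ssl/socket error message to a one-line diagnosis."""
    text = error_text.lower()
    for needle, meaning in DIAGNOSES:
        if needle in text:
            return meaning
    return "Unrecognised failure; raise the origin's error log to debug and retry."


def san_names(cert):
    """DNS names from the subjectAltName of a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def probe(ip, hostname, port=443, cafile=None, send_sni=True, timeout=5.0):
    """One TLS handshake to ip:port.
    send_sni=True: the ClientHello carries hostname as SNI and the certificate
    is verified for that name, which is what Cloudflare does.
    send_sni=False: no SNI and no verification, so we can still see which
    certificate the origin's default virtual host hands out."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not send_sni:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname if send_sni else None) as tls:
                der = tls.getpeercert(binary_form=True)
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "san": san_names(tls.getpeercert()),  # empty when not verified
                    "sha256": hashlib.sha256(der).hexdigest(),
                }
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc), "diagnosis": diagnose(str(exc))}


def compare(ip, hostname, cafile=None):
    """Run both probes. Different fingerprints mean the origin picks its
    certificate by SNI, which is exactly what Cloudflare's handshake exercises."""
    with_sni = probe(ip, hostname, cafile=cafile, send_sni=True)
    without = probe(ip, hostname, cafile=cafile, send_sni=False)
    fp = with_sni.get("sha256")
    same = fp is not None and fp == without.get("sha256")
    return {"with_sni": with_sni, "without_sni": without, "same_certificate": same}


if __name__ == "__main__":
    import json
    print(json.dumps(compare(ORIGIN_IP, HOSTNAME, CAFILE), indent=2))
```

Run it with the origin IP and hostname filled in; the with_sni result is the one that has to succeed for Cloudflare to stop returning 525. If it fails and the without_sni fingerprint differs, the origin is serving a different (usually default) certificate for the name Cloudflare asks for.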

With SNI:

fars.ee/toVb

Without SNI:

fars.ee/qfa5

Without knowing exactly what hostname & IP you are testing it’s tricky to debug - can you DM me the details please?
