Https not working Error 525

My site is malfunctioning and not working yet
I see an error 525
www.live-yalla-shoot.com

Yes it was working
I wanted to make a site transfer on a subdomain
Since this time it is not working

It sounds like something in this process changed your server’s SSL configuration.

A 525 error is typically caused by a configuration issue in the origin web server when its SSL certificate is not properly set up. Review the suggestions in this Community Tip for advice & insight.

1 Like

I tried a lot but it didn’t work
Note that I am linked to a blogger and not a host

As mentioned, a 525 is an SSL/TLS problem at the server. I suggest you use the “Pause Cloudflare on Site” option from the Overview page, lower right corner, then wait five minutes for it to take effect.

After it’s Paused, get your site back up and running with HTTPS and you should be all set to Un-Pause Cloudflare.

1 Like

The service has already been discontinued from here
Turn off Cloudflare on site

I waited for ten minutes and the site was back up and running

But after activating it again, same problem appears

With HTTPS?

1 Like

Yes it already works with https

But now it no longer works after activating again

I am reviewing this for you.

1 Like

The reason for the 525 is because we are expecting a trusted certificate on the origin. You may want to adjust your settings to Full SSL if you have a certificate on your origin. Otherwise, ensure that you have the origin certificate generated on Cloudflare uploaded to your origin. Reference Full Strict SSL

That’s interesting. The OP said it was working with HTTPS with Cloudflare paused. That shouldn’t work if it’s not a trusted certificate on the origin.

1 Like

That would still leave the site insecure. In that case it would be wiser to fix the certificate, but there should not be a certificate issue in the first place for the reasons mentioned by @sdayman.

You can have a certificate on your origin but if you are using SSL strict, you will need to ensure that the certificate is signed by a known CA. If you run the following command:

$ openssl s_client -connect <serverIP>:443 -servername www.live-yalla-shoot.com | openssl x509 -noout -text

Response received: …Expecting: TRUSTED CERTIFICATE
As per,

That would still leave the site insecure.

No, that just means we will check for certificate validity and not signed CA. Reference: Full SSL Option

Well, an unverified certificate is insecure, which brings us back to an insecure site :wink:

Apologies for not clarifying what I am referring to here. When using Cloudflare with a full (strict) SSL:

Eyeball -> HTTPS (Universal Certificate at the edge) -> Cloudflare edge -> HTTPS (signed certificate by CA | Cloudflare origin certificate) -> Origin

The 525 is caused by Cloudflare being unable to verify the certificate on the origin according to the above scheme. However, if this is set to Full SSL mode - if a valid certificate exists on the origin but is not signed by a known CA (purchased) then it will work. It does not have anything to do with the client and Cloudflare; that certificate exists. The issue is between Cloudflare and the origin.

No worries, but the issue is a certificate not recognised by Cloudflare is not a valid certificate in the first place.

As @sdayman already mentioned, the OP claims to have a valid certificate, so there should not be a 525 or 526 but things should load. Considering they do not, there’s either an issue with Cloudflare or - more likely - we did not get the full story here :wink:

Bottom line as always :slight_smile: fix your certificate and set it to Full Strict and you’ll have a properly secured site :slight_smile:

2 Likes

Hello
I did not use an external certificate from the cloudflare

I am using the certificate that came with it

True. Plus a certificate can be valid (expiry date) but not signed by a known CA. This will also constitute an issue. If the site is reachable via HTTPS without Cloudflare in the mix, then setting the SSL mode to Full will resolve the issue. As specified in our support docs:

Configure your origin web server to allow HTTPS connections on port 443 and present either a Cloudflare Origin CA certificate or a valid certificate purchased from a Certificate Authority. This certificate must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).

The issue is tied to the last sentence in the above quote.

Valid is not only the validity date though, but also whether it is recognised by the configured trust store, which in Cloudflare’s case is publicly recognised CAs and their own Origin CA. If it’s not part of that it’s not valid.

It will “resolve” the issue but it will be just as “secure” as clicking continue upon getting a self-signed certificate instead of the actual one when logging into your online banking account :wink:

So yeah, if you are not on Full Strict you don’t have a secure setup and it’s really not hard to do that.

I assume we haven’t got the whole story here and the questions @sdayman asked three hours ago were not accurately answered.

Plus whether the hostnames match of course.

valid = (CA + date + CN/SAN)
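As an added example (not code from the thread or from Cloudflare), the following Python check applies that valid = (CA + date + CN/SAN) rule to the output of the openssl probe quoted above; the `-verify_hostname` flag, the helper names and the sample certificate text are my assumptions, constructed so the check runs offline.

```python
import re
from datetime import datetime, timezone

# Inputs are the thread's probe run twice against the origin IP:
#   openssl s_client -connect <serverIP>:443 -servername <host> -verify_hostname <host>
# once as-is (for the "Verify return code" line) and once piped into
# "openssl x509 -noout -text" (for the validity dates and CN/SAN names).

# OpenSSL X509_V_ERR codes meaning "chain does not end at a trusted CA"
UNTRUSTED_CA_CODES = {18, 19, 20, 21}

# Constructed sample: a self-signed origin certificate, in date, with matching names
SAMPLE_S_CLIENT = "Verify return code: 18 (self-signed certificate)\n"
SAMPLE_X509 = """\
        Issuer: CN = www.example.com
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2026 GMT
        Subject: CN = www.example.com
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com
"""

def names_in_cert(x509_text):
    """CN plus every DNS SAN entry from `openssl x509 -noout -text` output."""
    names = re.findall(r"DNS:([^,\s]+)", x509_text)
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,\n]+)", x509_text)
    return names + ([cn.group(1).strip()] if cn else [])

def name_matches(hostname, pattern):
    """Exact match, or a single-label wildcard such as *.example.com."""
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname

def check_origin_cert(s_client_out, x509_text, hostname, now=None):
    """Evaluate valid = (CA + date + CN/SAN) for the certificate the origin presents."""
    now = now or datetime.now(timezone.utc)
    m = re.search(r"Verify return code: (\d+)", s_client_out)
    code = int(m.group(1)) if m else None
    m = re.search(r"Not After\s*:\s*(.+)", x509_text)
    expiry = (datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y GMT")
              .replace(tzinfo=timezone.utc) if m else None)
    result = {
        "ca": code is not None and code not in UNTRUSTED_CA_CODES,
        "date": expiry is not None and expiry > now,
        "hostname": any(name_matches(hostname, n) for n in names_in_cert(x509_text)),
    }
    result["valid"] = all(result.values())  # Full (strict) needs all three to hold
    return result
```

Run against the sample, the report shows `ca` as the single failing condition, which is the situation the thread describes: the origin answers HTTPS and the name and dates are fine, but the certificate is not from a CA in Cloudflare's trust store.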