My site is malfunctioning, not working yet
I see an error 525
My site is malfunctioning, not working yet
Yes it was working
I wanted to make a site transfer on a subdomain
Since this time it is not working
It sounds like something in this process changed your server’s SSL configuration.
A 525 error is typically caused by a configuration issue in the origin web server when its SSL certificate is not properly set up. Review the suggestions in this Community Tip for advice & insight.
I tried a lot but it didn’t work
Note that I am linked to a blogger and not a host
As mentioned, a 525 is an SSL/TLS problem at the server. I suggest you use the “Pause Cloudflare on Site” option from the Overview page, lower right corner, then wait five minutes for it to take effect.
After it’s Paused, get your site back up and running with HTTPS and you should be all set to Un-Pause Cloudflare.
The service has already been discontinued from here
Turn off Cloudflare on site
I waited for ten minutes and the site was back up and running
But after activating it again, same problem appears
Yes it already works with https
But now it no longer works after activating again
I am reviewing this for you.
The reason for the 525 is because we are expecting a trusted certificate on the origin. You may want to adjust your settings to Full SSL if you have a certificate on your origin. Otherwise, ensure that you have the origin certificate generated on Cloudflare uploaded to your origin. Reference Full Strict SSL
That’s interesting. The OP said it was working with HTTPS with Cloudflare paused. That shouldn’t work if it’s not a trusted certificate on the origin.
That would still leave the site insecure. In that case it would be wiser to fix the certificate, but there should not be a certificate issue in the first place for the reasons mentioned by @sdayman.
You can have a certificate on your origin but if you are using SSL strict, you will need to ensure that the certificate is signed by a known CA. If you run the following command:
$ openssl s_client -connect <serverIP>:443 -servername www.live-yalla-shoot.com | openssl x509 -noout -text
Response received: …Expecting: TRUSTED CERTIFICATE
That would still leave the site insecure.
No, that just means we will check for certificate validity and not signed CA. Reference: Full SSL Option
Well, an unverified certificate is insecure, which brings us back to an insecure site
Apologies for not clarifying what I am referring to here. When using Cloudflare with a full (strict) SSL:
Eyeball -> HTTPS (Universal Certificate at the edge) -> Cloudflare edge -> HTTPS (signed certificate by CA | Cloudflare origin certificate) -> Origin
The 525 is caused by Cloudflare being unable to verify the certificate on the origin according to the above scheme. However, if this is set to full SSL mode - if a valid certificate exists on the origin but is not signed by a known CA (purchased) then it will work. It does not have anything to do with the Client and Cloudflare, that certificate exists. The issue is between Cloudflare and the Origin.
No worries, but the issue is a certificate not recognised by Cloudflare is not a valid certificate in the first place.
As @sdayman already mentioned, the OP claims to have a valid certificate, so there should not be a 525 or 526 but things should load. Considering they do not, there’s either an issue with Cloudflare or - more likely - we did not get the full story here.
Bottom line, as always: fix your certificate and set it to Full Strict and you’ll have a properly secured site.
I did not use an external certificate from Cloudflare
I am using the certificate that came with it
True. Plus a certificate can be valid (expiry date) but not signed by a known CA. This will also constitute an issue. If the site is reachable via HTTPS without Cloudflare in the mix, then setting the SSL mode to full will resolve the issue. As specified in our support docs:
Configure your origin web server to allow HTTPS connections on port 443 and present either a Cloudflare Origin CA certificate or a valid certificate purchased from a Certificate Authority. This certificate must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).
The issue is tied to the last sentence in the above quote.
Valid is not only the validity date though, but also whether it is recognised by the configured trust store, which in Cloudflare’s case is publicly recognised CAs and their own Origin CA. If it’s not part of that it’s not valid.
It will “resolve” the issue but it will be just as “secure” as clicking continue upon getting a self-signed certificate instead of the actual one when logging into your online banking account
So yeah, if you are not on Full Strict you don’t have a secure setup and it’s really not hard to do that.
I assume we haven’t got the whole story here and the questions @sdayman asked three hours ago were not accurately answered.
Plus whether the hostnames match of course.
valid = (CA + date + CN/SAN)
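
The three criteria discussed in this thread (CA + date + CN/SAN) can be checked separately with openssl, which shows which one an origin certificate fails. This is an added example, not part of the original thread; the function names, the hostnames under `example.test` and the generated self-signed certificate are constructed for illustration, and the optional third argument stands in for a trust store that contains the certificate's issuer.

```shell
#!/bin/sh
# Added example: score a certificate file against valid = CA + date + CN/SAN.

# check_cert CERT_FILE HOSTNAME [TRUST_ANCHOR_FILE]
# Echoes "chain=.. date=.. host=.." and returns 0 only if all three pass.
check_cert() {
  cc_cert=$1; cc_host=$2; cc_anchor=${3:-}
  cc_chain=FAIL; cc_fresh=FAIL; cc_name=FAIL
  # CA: the chain must end in a trusted anchor (system store unless one is given).
  if openssl verify ${cc_anchor:+-CAfile "$cc_anchor"} "$cc_cert" 2>/dev/null \
      | grep -q ': OK$'; then
    cc_chain=OK
  fi
  # Date: the expiration date (notAfter) must still be in the future.
  if openssl x509 -in "$cc_cert" -noout -checkend 0 >/dev/null 2>&1; then
    cc_fresh=OK
  fi
  # CN/SAN: the certificate must cover the requested hostname.
  if openssl x509 -in "$cc_cert" -noout -checkhost "$cc_host" 2>/dev/null \
      | grep -q 'does match'; then
    cc_name=OK
  fi
  echo "chain=$cc_chain date=$cc_fresh host=$cc_name"
  [ "$cc_chain$cc_fresh$cc_name" = OKOKOK ]
}

# make_self_signed PATH_PREFIX HOSTNAME
# Constructed sample input: a 30-day self-signed certificate for HOSTNAME.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_self_signed "$demo_dir/origin" origin.example.test
# Self-signed, judged against the system trust store: date and name pass, CA fails.
echo "public CAs only: $(check_cert "$demo_dir/origin.pem" origin.example.test)"
# Same certificate once its issuer is in the trust store: all three pass.
echo "issuer trusted:  $(check_cert "$demo_dir/origin.pem" origin.example.test "$demo_dir/origin.pem")"
# Trusted and unexpired, but requested under a name it does not cover.
echo "wrong hostname:  $(check_cert "$demo_dir/origin.pem" www.example.test "$demo_dir/origin.pem")"
rm -rf "$demo_dir"
```

To check a live origin, save the certificate it presents (for example from the `openssl s_client` command quoted earlier in the thread) to a file and pass that file as the first argument.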