I am trying to open mail.empyreanms.com but it gives me Error

Hello,

I am trying to open mail(dot)empyreanms(dot)com but it gives me Error: Error 525

Ray ID: 71c61ea66e3f549d • 2022-06-16 19:58:21 UTC

SSL handshake failed

That is supposed to go to Gmail.

Can you please advise how I can fix that?
Thank you.

In that case simply unproxy the mail record by setting it to :grey:.

However, you should double check the IP address as well, as a Google address should not give you an SSL error.

If I understand it correctly you’re not actually using the subdomain for SMTP, you’re just wanting to do an HTTP redirect to Gmail, is that correct? Or do you intend to use that domain name for non-HTTP traffic as well?

By what mechanism are you attempting to do the HTTP redirect to gmail? Are you hitting your own server and doing the redirect there? Or are you attempting to redirect via Page Rule or Bulk Redirect? If you’re doing the redirect on your own server, it will need a valid SSL certificate which it seems like you don’t currently have.

Basically it’s unclear exactly what you’re trying to accomplish and what “go to gmail” means. Just HTTP requests get forwarded to Gmail? Or are you trying to do mail routing as well?

You’re spot on.

Seeing as that domain uses GMail’s MX the best, and easiest, thing to do is define a page rule to 301 redirect mail.empyreanms.com to https://mail.google.com/a/empyreanms.com and set any old IP address (preferably one you own though) on the mail.empyreanms.com record. As long as it has an orange cloud the origin should never be hit.

1 Like
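To make the proposal in the reply above concrete, here is an added example (written for this thread, not Cloudflare's code or anything from the original posts) that emulates a Cloudflare Page Rule of type "Forwarding URL (301)" with the pattern `mail.empyreanms.com/*` and the destination `https://mail.google.com/a/empyreanms.com`. It also models the orange/grey cloud point: a DNS-only record never reaches the edge, so no rule fires and the browser talks straight to whatever IP the record holds, whereas a proxied record gets the redirect before any connection to the origin is attempted. The wildcard handling goes a little beyond the thread's rule by supporting `$1`-style substitution of the captured path, which Cloudflare Forwarding URL rules also allow; `ForwardingRule`, `handle_request` and the sample hosts are names and inputs constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


def normalize(url: str) -> str:
    """Reduce a request URL to the host/path[?query] form that Page Rule
    patterns are matched against (scheme dropped, host lower-cased,
    empty path treated as '/')."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    path = parts.path or "/"
    query = ("?" + parts.query) if parts.query else ""
    return parts.netloc.lower() + path + query


@dataclass(frozen=True)
class ForwardingRule:
    """One 'Forwarding URL' Page Rule (constructed model, not Cloudflare's API)."""
    pattern: str        # e.g. "mail.empyreanms.com/*"; '*' matches any run of characters
    destination: str    # may contain $1, $2, ... referring to the wildcard captures
    status: int = 301

    def _regex(self) -> "re.Pattern[str]":
        # Escape everything except the wildcards, each of which becomes a capture group.
        pieces = [re.escape(p) for p in self.pattern.split("*")]
        return re.compile("^" + "(.*)".join(pieces) + "$")

    def redirect(self, url: str) -> Optional[str]:
        """Location header for a matching request, or None if the rule does not apply."""
        match = self._regex().match(normalize(url))
        if match is None:
            return None
        location = self.destination
        for i, capture in enumerate(match.groups(), start=1):
            location = location.replace(f"${i}", capture)
        return location


# The rule suggested in the thread: every URL under mail.empyreanms.com goes to
# the Workspace Gmail login for the domain, whatever the path was.
RULES = (
    ForwardingRule("mail.empyreanms.com/*", "https://mail.google.com/a/empyreanms.com"),
)


def handle_request(url: str, proxied_hosts: set,
                   rules=RULES) -> Tuple[bool, Optional[int], Optional[str]]:
    """What the Cloudflare edge would answer for one request.

    Returns (handled_at_edge, status, location):
      * grey cloud (host not in proxied_hosts): the edge is never involved, the
        browser connects to the record's IP directly and no Page Rule can run;
      * orange cloud with a matching rule: the redirect is served by the edge
        before any origin connection, so the origin IP and its certificate do
        not matter for this hostname;
      * orange cloud with no matching rule: the edge would proxy to the origin,
        and that is where an origin TLS failure such as a 525 would surface.
    """
    host = urlsplit(url if "://" in url else "https://" + url).hostname
    if host not in proxied_hosts:
        return (False, None, None)
    for rule in rules:
        location = rule.redirect(url)
        if location is not None:
            return (True, rule.status, location)
    return (True, None, None)


if __name__ == "__main__":
    proxied = {"mail.empyreanms.com"}
    for request in ("https://mail.empyreanms.com/", "http://mail.empyreanms.com/inbox?x=1"):
        print(request, "->", handle_request(request, proxied))
    print("grey cloud:", handle_request("https://mail.empyreanms.com/", set()))
```

Run as a script it prints a 301 to the Gmail URL for both proxied requests and `(False, None, None)` for the DNS-only case, which is the situation the original poster is in: with the record unproxied (or proxied to an origin that cannot complete a TLS handshake), no redirect rule can help until the record itself is fixed.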

A redirect should not even be necessary here.

It will be most likely an incorrectly set up mail record.

DNS basics - Google Workspace Admin Help has examples for the records and, as mentioned, they don’t even need to be proxied, though that should work too, once it points to the right address.

None of the info in that link pertains to setting up the redirects needed for web access as per OP. For that you need to reference:

However Google doesn’t support redirects of connections made over https and that’s the way browsers are tending to roll these days. You actually can get https://mail.example.com working if you want to mess around uploading your own certs and setting up things in GCP but it’s 1 bazillion times easier to use a Page Rule and let Cloudflare redirect. Another option is to set SSL to Flexible for this access, so Cloudflare will hit Google on http (not https) and then their redirect is hit and works just fine.

But yeah, if http access alone is good enough, you can do it at Google and skip Cloudflare (boo).

The information on that page refers to the DNS records one needs if they want to access Google’s services via their own domain. There’s no redirect necessary in the first place, respectively Google will eventually redirect to their own domain anyhow.

Hence also why I mentioned it is not necessary to proxy the record; the whole issue here will be an incorrect DNS record, which is why the SSL connection does not work.

Yeah man and that’s exactly what he wants given that empyreanms.com is configured up to use Google Workspace for email and he’s trying to browse to ‘Gmail’ on his mail.empyreanms.com address like most users of that service do.

I’ll leave you to it. Your solution will work with http only connections just fine if that’s OK with OP and he follows the instructions for the creation of the mail subdomain in the link I provided him.

Sure, in that case he should simply fix the DNS record, he can most likely even leave it proxied, but of course in the context of Google that’s not really necessary unless you want to apply e.g. Access on top of Google’s authentication.

he can most likely even leave it proxied, but of course in the context of Google that’s not really necessary unless you want to apply e.g. Access on top of Google’s authentication.

Google won’t serve the redirect out on https. They don’t have a cert for your domain without an amount of pain. It’s in the Troubleshooting section of the guide I linked.

You were initially correct right at the top - turn off proxying and this will work (http only). If you want https access to the url then the easiest thing is to forego Google forwarding and use a Cloudflare Page Rule to redirect instead. The alternative is to keep the Google redirect in play, but to do so you’d need a Cloudflare Page Rule to demote the SSL level to something other than Strict etc. so Cloudflare proxies the connection to Google’s redirect on http. If you’re going to do that, you might as well just use a Cloudflare Page Rule to do the redirect itself instead and get there a ms quicker and save the world some CPU cycles.

It’s not a certificate issue at this point, plus they don’t need a certificate as it is a CNAME record. Assuming it is proxied. If it is not proxied it’s not relevant in the Cloudflare context anyhow.

Bottom line, the OP needs to fix his DNS record.

“SSL handshake failed” error message posted but this isn’t a certificate issue?

They don’t need a certificate because it’s a CNAME?

“If it is not proxied it’s not relevant” when OP has posted a screenshot of the Cloudflare 522 page?

Not sure we’re even looking at the same issue any more, lol.

It’s a general SSL issue, not related to the certificate. Maybe there is no certificate. Impossible to tell without knowing the Origin, hence the suggestion to unproxy and fix the record.

hence the suggestion to unproxy and fix the record.

Once he fixes that record by pointing it to ghs.googlehosted.com as per the guide you linked (TBH I missed it in the guide you linked as I always provide clients the one I posted) he’ll get cert mismatch errors (unless Google have started generating custom certs for your domain) just like the OP shows. To get around that he’ll need to turn off proxying and use http only, or if he wants proxying / https he’ll need to demote the SSL level or do the redirect at Cloudflare instead of Google (as they don’t support https redirects on a CNAME to ghs.googlehosted.com).

We’re in furious agreement. I’m just cutting out the extraneous steps because I know a Page Rule redirect of mail.empyreanms.com to https://mail.google.com/a/empyreanms.com is the optimum outcome and will work (best).

Yes, there’ll be obviously a certificate error if there is no certificate issued. But that’s not the main issue here.

The OP simply has an incorrect DNS setup and needs to fix that as mentioned 12 hours ago already. He can additionally unproxy. But I am afraid at this point we are really only going in circles and it’s quite clear what the OP needs to do.
