Impossible to migrate Flexible SSL to Full (Strict): Error 525

ssl

#1

I am using Cloudflare with Flexible SSL mode, and I want to switch to Full mode.
When I try to do it, I get an Error 525 on my whole domain.

This is my nginx configuration:

server {

   listen  80;
   listen  443;
   server_name exemple.com;

   if ($http_x_forwarded_proto = "http") {
      return 301 https://$server_name$request_uri;
   }

   ssl  on;
   ssl_certificate /etc/nginx/cloudflare_cert/fullchain.pem;
   ssl_certificate_key /etc/nginx/cloudflare_cert/privkey.pem;

   include /etc/nginx/conf.d/cloudflare;

   root   /var/www/mywebsite;
   index  index.php;

   location / {
      # main codeigniter rewrite rule
      try_files $uri $uri/ /index.php?/$request_uri;

      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      # standard header names are X-Forwarded-For / X-Forwarded-Proto;
      # note these proxy_set_header lines only take effect for requests handled by proxy_pass
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto http;
      proxy_set_header X-Nginx-Proxy true;

   }

   # php parsing
   location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   }

   error_log  /var/log/nginx/exemple_error.log;
   access_log  /var/log/nginx/exemple_access.log;

}

server {
   listen  80;
   listen  443;
   server_name www.exemple.com;
   return 301 https://exemple.com$request_uri;
}

The cloudflare include contains the "set_real_ip_from 103.21.244.0/22;" lines for all Cloudflare IP ranges, updated every week.
I'm using the certificate generated by Cloudflare as explained here.

I tried with Full mode and Full (Strict), but it is always the same problem. There is no problem in Flexible mode.
Each time I change the SSL mode, I wait about 15 min to be sure the change is correctly applied in DNS. Should I wait longer? On the Crypto page, Cloudflare displays: "Status Active Certificate".
Did I miss something?


#2

I’m not an NGINX conf expert, but my listen 443 directive looks like:
listen 443 ssl http2;

Maybe the “ssl on;” line you have does the same thing.

Otherwise…did you restart NGINX?


#3

Yes, it's the same thing...
In fact, to be sure I use the right syntax for Cloudflare, I followed this simple tutorial: https://support.cloudflare.com/hc/en-us/articles/217471977-How-to-install-an-Origin-CA-certificate-in-NGINX

Of course I restarted nginx ^^


#4

Since nobody is jumping in (yet), I’ll take a few more shots. No, you shouldn’t have to wait any time at all when switching SSL modes.

If you grey-cloud (DNS only) the site and visit it via HTTPS, is there any indication there's a certificate? Like a self-signed warning?

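Post #1 and post #4 both come down to one check: does the origin complete a TLS handshake on port 443, with SNI set to the site name, the way Cloudflare's edge does in Full and Full (Strict) mode? A 525 is exactly that handshake failing, so the first thing to do is reproduce it from a shell, straight against the origin IP and bypassing Cloudflare. The script below is an added example, not code from the thread or from Cloudflare; the IP address and hostname in it are placeholders.

```shell
#!/bin/sh
# Added diagnostic: reproduce the handshake Cloudflare's edge makes to the
# origin in Full / Full (Strict) mode, bypassing the proxy, and turn the
# openssl s_client output into a short verdict.
#
# Assumptions (hypothetical values, replace with your own):
#   origin IP  - the server's real address (what the grey-cloud A record points at)
#   hostname   - the site name sent as SNI and Host header, e.g. exemple.com

# Connect directly to the origin with SNI, send one request, capture everything
# s_client prints (handshake errors go to stderr, hence 2>&1).
probe_origin_tls() {
  ip=$1
  host=$2
  printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
    | openssl s_client -connect "$ip:443" -servername "$host" 2>&1
}

# Map s_client output to a verdict. Order matters: a verified handshake is
# checked before the generic "Verify return code" match.
classify_s_client() {
  case "$1" in
    *"wrong version number"*|*"unknown protocol"*|*"http request"*)
      # port 443 answered in plain HTTP: nginx has no TLS listener there
      echo "plaintext-on-443" ;;
    *"Connection refused"*|*"connect:errno"*|*"Connection timed out"*)
      # nothing listening, or a firewall is dropping the connection
      echo "unreachable" ;;
    *"Verify return code: 0 (ok)"*)
      # handshake done and the chain verifies against the local CA store
      echo "tls-ok-verified" ;;
    *"Verify return code:"*)
      # handshake done, but the chain is not trusted by the local CA store
      echo "tls-ok-unverified" ;;
    *)
      echo "unknown" ;;
  esac
}

check_origin_tls() {
  out=$(probe_origin_tls "$1" "$2")
  classify_s_client "$out"
}

# Example invocation (hypothetical address):
# check_origin_tls 203.0.113.10 exemple.com
```

Reading the verdict: "plaintext-on-443" means nginx is not actually terminating TLS on 443 for that server name, which is the classic cause of a 525; "unreachable" points at a firewall or a listener that is not there at all; "tls-ok-unverified" is the expected result for a Cloudflare Origin CA certificate, because that CA is trusted by Cloudflare's edge but not by your local OpenSSL or a browser (this is also why the grey-cloud test in post #4 would show a certificate warning rather than a clean page). Only "tls-ok-verified" or "tls-ok-unverified" rule the origin out as the source of the 525. To confirm what nginx really loaded, "nginx -T" prints the effective configuration, including every listen directive and certificate path.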

#5

Yes, I guess, but I can't check now; I have to do it early in the morning because my website is in production.