Intermittent 525 Errors with cloudflare-nginx displayed

Starting around 7:12 UTC this morning, we started seeing intermittent 525 errors. They look like this:

525 Origin SSL Handshake Error

525 Origin SSL Handshake Error


cloudflare-nginx

I’ve read the general 525 troubleshooting but nothing seems to apply as I can’t see these requests actually make it to our webserver (we’re hosted in Azure as a WebApp).

Any other tips for things to try? Is anyone else experiencing this?

Can you post a screenshot of that?

A 525 should typically come with Cloudflare styling; plain text is usually just for actual issues on Cloudflare’s side.

You said you can’t find any requests on your server. Where did you check? A 525 hints at Cloudflare not being able to even establish the SSL connection, so you wouldn’t have anything in your access log, and it depends on how your error log is configured whether SSL errors show up there.

The easiest way would be to disable proxying for the time being and check if you can connect to your origin via HTTPS.

Unfortunately, we don’t have a screenshot. That is coming from our client telemetry which is reporting the error that it receives. That appears to be the full payload though so I’d be surprised if there was more information in a screenshot.

We’ve disabled the proxy and all appears to be working again. Is there any way to test that things are going to work other than just reenabling and hoping?

So right now it does load on HTTPS?

Also, could you actually reproduce the issue before or was this just information you got via that channel?

Yep, everything is working great over https since disabling Cloudflare.

We were able to reproduce the bug via our phone app and website when we had the proxy turned on (even though it was intermittent). Once we’ve disabled the proxy, all is operational again.

You’d need the connection ID, then you could forward this to Cloudflare and they could have a look.

You probably rate limit Cloudflare in some way or have other restrictions in place.

Is there any way we can view the rate limits on our account? Is there any reason why a rate limit would be intermittent?

That is a limit on your server, not a Cloudflare limit.

Nope, that’s not the case. All traffic to our server is operating well. We opened an Azure support case to confirm which they were able to. Our server isn’t throwing any errors. This is backed up by the fact that since disabling Cloudflare, things are operating back to normal and our servers remain healthy (even as load increases as the day starts here in the US).

Hence why I referred to you blocking/limiting Cloudflare.

If you absolutely rule that out you can only go via support I am afraid.

Just heard back from support, their response was this:

I’ve looked into our logs and found there was an issue upstream from Cloudflare datacenters. It is likely that some paths at that time were having issues impeding Cloudflare from establishing an SSL connection.

In our logs we see - peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream

In short, aside from the certificate not being valid or not present at the origin, the other cause for a 525 is if the SSL handshake is interrupted.

This is where I wish Cloudflare would give us more information about errors they detect.

That is what I earlier meant by

Hi there

We got the same on our website today, intermittent 525 errors, please find a screenshot below.

Once we’ve disabled the proxy, all is operational again.

Could you tell me what was wrong? Was this Cloudflare side?

Thanks
Mathieu

I’d suggest providing Support with packet capture information from the server side to see how the handshake connection is being established and why it failed. You can use Wireshark to do it.
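
One way to approach the earlier question about testing before re-enabling the proxy, as an added example (not code from any poster or from Cloudflare): a Python probe that repeats TLS handshakes against the origin and tallies the outcomes, so an intermittent reset like the one in the support log shows up as a rate. The hostnames are placeholders and the category names are this example's own.

```python
import socket
import ssl
import time
from collections import Counter

def classify(exc):
    """Map one handshake result (None or an exception) to a coarse category."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_invalid"           # certificate not valid for the name
    if isinstance(exc, (ConnectionResetError, ssl.SSLEOFError, ssl.SSLZeroReturnError)):
        return "handshake_interrupted"  # reset or EOF before the handshake finished
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ssl.SSLError):
        return "tls_error"              # protocol or cipher mismatch and similar
    return "connect_error"              # DNS failure, refused, unreachable

def handshake_once(host, port=443, sni=None, timeout=5.0):
    """Attempt one full TLS handshake; return None on success or the exception."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host):
                return None
    except OSError as exc:              # ssl.SSLError is a subclass of OSError
        return exc

def probe(host, attempts=50, delay=0.2, handshake=handshake_once, **kw):
    """Repeat the handshake and count outcomes; intermittent faults need many tries."""
    tally = Counter()
    for _ in range(attempts):
        tally[classify(handshake(host, **kw))] += 1
        time.sleep(delay)
    return tally

if __name__ == "__main__":
    # Placeholders: host is the origin address, sni is the public hostname.
    print(dict(probe("origin.example.net", sni="www.example.com")))
```

The probe only exercises the path from wherever it runs, so a clean tally does not rule out a fault on the route between Cloudflare's datacenters and the origin.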