Intermittent SSL Handshake Failed 525 Error

Description

Currently, I have a domain api.akkadu.com being proxied by Cloudflare to an AWS elastic load balancer. Sometimes it resolves the domain, but the assets return a 525:

Other times, the domain returns a 525 and a “Failed SSL Handshake” error message.

The issue sounds like it has something to do with my origin certificate, but it’s a relatively new issue since the domain was resolving fine before, though I can’t be sure what’s changed since then.

The application behind the domain is healthy and is able to serve https requests from our Aliyun (China) domain at api.akkadu.cn. That uses an origin certificate issued from Aliyun and installed on our load balancer.

What I’ve tried

  1. Full (Strict) mode: I’ve generated a new certificate from cloudflare and installed it on my application load balancer, purged the cache, waited, etc.
  2. Full mode: I’ve removed the certificate from my load balancer and tried to see if Cloudflare could install a self-signed cert onto it (why would this fail?), same error.
  3. Flexible: I’ve tried seeing if just having an edge certificate would work, but I get a strange error which I think comes from my load balancer rendering the message Dev: *.*.8.154 Rule(6): *.akkadu.com, 0 on the page with an error status of 403.

Any suggestions would be much appreciated, and I’d be happy to provide more information on the problem.

It is not a resolution issue, nor one of the certificate.

Your server doesn't let Cloudflare establish an SSL connection. You should check your server logs for any such errors, and if you have any rate limiting in place on your server you should check that too, as this behaviour usually hints at rate limiting on the server.

As for the encryption mode, keep it on “Full strict”.


My server logs don’t show any error messages in the output, only the 200s being sent from successful responses (probably from the api.akkadu.cn domain).

I haven’t configured any rate limiting on our load balancer (I don’t know if Cloudflare might have some rate limiting, but wouldn’t the error be different?), and our security ingress groups allow for connections on port 80 and 443, with outgoing set to allow all ports and ips.

One thing I haven’t considered is that our server exists in mainland China, so I’m worried the GFW might interfere with SSL handshakes from Cloudflare - is that possible?

What the Chinese infrastructure does is not all that well known, so that certainly is a possibility. But it might also be the load balancer.

Basically, something prevents Cloudflare from establishing an SSL connection. That could be the servers, the load balancer, the Chinese firewall, etc. You will probably need to debug this by trial and error.


Thanks for giving me a direction to look in.

I’ll look into our load balancer configurations more deeply and in the meantime open a support ticket with AWS as well. Hopefully I’ll have more useful information to follow up with soon, especially considering the scarcity of information around developing for the web in China.

For starters you could try and take the load balancer out of the equation, to check if that makes a difference.

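A direct origin probe that takes Cloudflare out of the picture (and, when pointed at an instance IP instead of the load balancer, the load balancer too), added here as an example and not code from the thread. The origin IP is a constructed placeholder and the outcome labels are assumptions of mine; the point is to repeat the handshake so an intermittent 525 shows up as a mix of outcomes rather than a single pass/fail.

```python
import socket
import ssl
from collections import Counter

# Constructed placeholders: replace with your own origin IP and hostname.
ORIGIN_IP = "203.0.113.10"   # documentation range, not a real origin
SNI_HOST = "api.akkadu.com"


def classify(exc):
    """Map an exception raised during connect/handshake to a coarse label."""
    if exc is None:
        return "ok"
    # SSLCertVerificationError subclasses SSLError, so test it first.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_verify_failed"   # Full (strict) would reject this origin
    if isinstance(exc, ssl.SSLError):
        return "handshake_failed"     # the class of failure behind a 525
    if isinstance(exc, socket.timeout):
        return "timeout"              # dropped packets: filtering / rate limits
    if isinstance(exc, OSError):
        return "tcp_error"            # refused, reset, unreachable
    return "other"


def handshake_once(ip, port, sni, verify=True, timeout=5.0):
    """One TCP connect plus TLS handshake; returns (exception_or_None, tls_version)."""
    ctx = ssl.create_default_context()
    if not verify:                    # mimic "Full" (non-strict) mode
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return None, tls.version()
    except Exception as exc:          # classify everything, fail nothing
        return exc, None


def probe(ip, port, sni, attempts=20, verify=True):
    """Repeat the handshake and count outcomes; intermittent faults show as a mix."""
    counts = Counter()
    for _ in range(attempts):
        exc, _version = handshake_once(ip, port, sni, verify)
        counts[classify(exc)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(probe(ORIGIN_IP, 443, SNI_HOST))
```

Run it once with `verify=True` and once with `verify=False`: a handshake that only succeeds without verification points at the origin certificate, while timeouts and resets mixed with successes point at something in front of the application.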