Invalid SSL certificate error

I have an application (TIBCO Spotfire,which is using Tomcat as server) running on an AWS Windows Instance (Windows Server 2012 R2). I have pointed my application URL to one of my domain hosted on Cloudflare. Now, I’m trying to achieve SSL connection in Full Strict mode.

I have installed origin ca certificate in Tomcat, but while visiting the URL for my application, I’m getting an error message saying Error - 521. Web server down. I have whitelisted the Cloudflare’s IP and I can access this URL,if I enabled self signed certificate and change SSL mode to Full instead of Full Strict.

Please help.

That would rather suggest a network issue.

Whats the domain and do you have any firewall rules in place on your server?

I’m able to reach the server if SSL is in Full mode instead of Full Strict. SO, I hope, the firewall rules should not be preventing.

If Full works but Full strict doesnt you shouldnt get a 521 but a 526.

Again, whats the domain?

When did you create the origin certificate?

Yesterday the root certificate expired and you might need to update that → CloudFlare Origin SSL Certificate Authority Expired Today

Today, I tested this on one of my test domains and getting 521 error, even on SSL Full mode with origin CA certificate. But this is working well,if I’m using self-signed certificate. So, I think, the issue could be something with certificate installation. My domain is

Basically, I have generated two files as part of origin ca certificates- .p7b and .key.

I went through the installation steps provided but no where, it is mentioning about making use of .key file. The steps I followed during certificate installation is as below:

  1. Created keystore as follows:
    C:\tibco\tss\10.4.0\jdk\bin\keytool -genkey -alias -keyalg RSA -keysize 2048 -keystore

  2. Tried to import certificate as below, but returned an error:

C:\tibco\tss\10.4.0\jdk\bin\keytool -import -alias -file C:\SSL\ -keystore

Error returned here: Input not an X.509 certficate

  1. Converted .p7b into appropriate format, which is a .cer file and replaced new file in the previous command

Please let me know, if anything I missed.

Well, the issue appears to be that you cant get the certificate imported in the first place, which then obviously wont configure the certificate properly.

You seem to have some format error. Either export the origin certificate in a different format or convert it manually on the command line to which format your tool requires.

But yes, you do get a 521, which indicates that your server simply is not reachable, thats not so much an SSL error however.

Could you please let me know the detailed steps? The documentation provided my Cloudflare is not much helpful here. Please let me know how to import or resolve any format errors,in a step by step manner? Do we need to make use of .key file or only .pem/.p7b file is enough?

Also, I’m not sure if server is actually not reachable, because if I’m using a self-signed certificate and SSL is in Full mode instead of Full Strict, I’m able to access the server.

As for the setup steps, it is best to contact the vendor of the software in question.

As for the server. A 521 does show that your server is not reachable. Would you feel comfortable sharing the server IP address here?

This is the IP address:

I have already contacted vendor, but they are asking me to contact Cloudflare, as this is Cloudflare certificate. May I know, how usually the certificates should be installed? Do we need to make use of .key file provided by Cloudflare while generating Origin CA certificate. Also, some documents mention about intermediate certificates? from where can I find that?

Well, there is nothing running on that address. Neither HTTP nor HTTPS.

That is rather irrelevant in this case I am afraid. A certificate is a certificate and your vendor should assist you in importing it. There are three different formats which Cloudflare offers, PEM, DER and PKCS7. If one of that is supported by our software you should choose that format. Otherwise you will have to convert it first.

Basically, my application is hosted on an AWS instance and the instance might not be running while you were trying. I just started the instance. Could you please try again?

Regarding the certificates, could you please provide me a basic understanding on how to install certificates. Do we always need to supply .key file for certificate installation or only .pem file is enough? Also, any intermediate certificates are required?

Now it is running, but only for HTTP. You dont have HTTPS configured.

Again, this depends on the software you are using and it is best to contact the vendor in question.

I checked the certificate provided by Cloudflare in the below tool and it is indicating that this requires some intermediate certificate. Please let me know where can I find this intermediate certificate and please share the steps for installing this.

Regarding your argument about not configured HTTPS, this is working well with HTTPS, if using a self-signed certificate and SSL mode as ‘FULL’ as I mentioned before.

This is hard to believe, considering nothing is running there at all →

Or are you saying it is running fine when you have your self-signed certificate, but currently not running at all because you dont have a valid certificate? That would be a completely different issue then and the 521 wouldnt be a surprise of course.

However the issue then is not to fix the 521, but to configure your server properly to accept the certificate. Which, again, brings us back to your vendor :slight_smile:

Could you try this url without https:

Currently, I have disabled self-signed certificates as I’m trying Cloudflare origin ca certificates. That’s why https is not working.

So, I think, the issue is with Cloudflare certificate. That’s what this link says:

Please let me know, if I have to install any additional certificates like intermediate certificate.

Also, you still haven’t answered my question abut .key file. Do I need to upload .key file somewhere on the server?

See my earlier posting.

Thats the private key and you will need it on your server.

Sorry, I’m comparatively new to this area. By private key, do you mean the .key file? If so, where should I place this?

I presume the .key file will be your private key. If it is, you will need to configure this on your server, so that it can properly access it. Again, this rather is a question for your software vendor.