New 525 Error

UPDATE: I have been on hold and talking to GoDaddy for the past 1.25 hours… You might have tried it after we worked on it.

I NOTE: GoDaddy Always says it is a CloudFlare issue. So realize that when I post what they said.

They said “The site’s IP Address is not propagating correctly on the Cloud Flare’s Server” and some issues were cache related.

I purged the CloudFlare cache on the CloudFlare page and changed the SSL/TLS encryption mode to Full (it was Full Strict). That is what they recommended.

After that the site started working.

Any idea if GoDaddy is correct? Any way to request CloudFlare to check if IP Address is not propagating correctly?

Another update… The site only works when Development Mode is on. Full (Strict) works when Development Mode is on.

Does anyone know what would make a site only work in Development Mode? It seems purging the cache also helped, by making the problem more consistent.

Again, thanks everyone for your help

I just shut off Development Mode… in case it needs to be off for you to test.

Update… Troubleshooting

I do not know if any of these steps will help identify the source of the issue.

  1. The site will load when Development Mode is ON

  2. The site will work with Development Mode OFF if CloudFlare is paused. As expected, the site goes back to HTTP and Chrome makes it very hard to access.

Can you tell if this is on the GoDaddy side or the CloudFlare side?

Is there any chance that restoring the website from a July 2021 save would fix it? I do not think so, but figured I’d ask.

Thanks for the continued help…


Kindly, thank you for providing us with feedback information regarding your issue.

I see you are now using a CloudFlare Origin CA certificate, which, as expected, shows as “not trusted” in a web browser when the hostname is unproxied :grey: (DNS-only), as follows:

Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.

From now on, while using a Cloudflare Origin CA certificate, you should set your DNS records (for www and the domain name) to proxied :orange:.
Then, under the SSL/TLS tab, choose the Full (Strict) SSL option.
Turn off Development Mode / un-pause the “Pause Cloudflare for this site” option.
After that, wait a few minutes and we can re-check whether your website is loading fine over HTTPS.


I understood why I was getting the unsecured warning… I was not using CloudFlare. I was just trying to troubleshoot and found that the site could load with it off.

I restored the setting you mentioned.

As a time reference—It is 3:45pm EST.

Development Mode is Off
Cloudflare on Site is enabled
SSL/TLS is Full (strict)

I believe I have all the proxy settings correct; I did not change them.

Thanks for helping.

Kindly, may I ask you to consider masking/hiding the origin IP address in your screenshot when sharing publicly, for future cases. You can edit your answer and replace the original image. Please do so.

Furthermore, thank you for the feedback.

Now that’s interesting. The moment you switched them to be correctly configured, I did see a 525 error for a moment :thinking:
Nevertheless, after hitting the refresh button, the website loads okay without it.
In another web browser, the same behaviour, and I see the upper banner saying:

This website www.dellazanna.com/ is currently offline. Cloudflare’s Always Online™ shows a snapshot of this web page from the Internet Archive’s Wayback Machine. To check for the live version, click Refresh.

I am afraid it should be something with the origin host/server on GoDaddy.

Kindly, I would suggest you write a ticket to Cloudflare support due to your domain issue and share the ticket number here with us so we could escalate this issue:

  • Log in to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button. If you get an automatic reply, reply to it indicating you need more help and reference this topic
  • Or send an e-mail to support[at]cloudflare[dot]com from the e-mail address associated with your Cloudflare account

Thanks… I did not realize the IP address should be secured. I deleted it.

I tried to generate a ticket… I could not. I will submit a summary of the issue by e-mail.

I just sent the e-mail with a summary of the issue.

CloudFlare Ticket

Your request (#2359318)

Thank you, I’ve escalated it to Cloudflare team.

Kindly and patiently wait for a reply and continue to provide helpful feedback to successfully resolve the issue.

Will do… Thanks!

I have replied on the ticket; looks like SSL_ERROR_SYSCALL from curl.

1 Like

Update… I want to let you know that I will not post anything here for about 72 hours. It’s not resolved; GoDaddy is “working on it”.

After nearly 2 hours on the phone with GoDaddy and forwarding the information cf-jochen sent me to give them — they only said they “see traffic” and will work on it. Would not give me any details. They said I should get an e-mail back from them in <72 hours.

Thanks for your help… without the information you sent, which makes no sense to me, I would be forced to accept GoDaddy’s answer that it’s not on the server.

I will leave all the Normal Cloudflare settings in place and let you know how it goes in a few days.

Development Mode is Off
Cloudflare on Site is enabled
SSL/TLS is Full (strict)

2 Likes

I do not know if they did anything to the server… I heard back from GoDaddy (I hope they are not passing the buck). They said:

"Please ask your SSL provider to point the domain to the correct hosting IP 107.180.41.246. Once it is done then the site will again link to the cPanel."

I do not know if this is something I can change on the Cloudflare page; I could not find a reference to it.

If this is not the solution, is there any information I can give GoDaddy to explain why they are not correct?

Thanks

I will translate this for you:

They say you should log in to the Cloudflare Dashboard, then go to the DNS section and point your DNS entries to the IP 107.180.41.246 (if not already). They claim this will resolve the problem.

But that is not true, since running this curl command gives:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:107.180.41.246'
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I previously also had this error:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:107.180.41.246'
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection

and also:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:107.180.41.246'
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to www.dellazanna.com:443

which led me to think they:

  • don’t have an SSL cert for your domain
  • have a self-signed one

After running:

$ openssl s_client -servername dellazanna.com -verify_hostname www.dellazanna.com  -connect 107.180.41.246:443
CONNECTED(00000003)
depth=1 C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify return:1
---
Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
 1 s:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate

issuer=C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2904 bytes and written 399 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3296FB05911A1D6FD94944869B80BC5EC1D448552CBFD60649FCD0DF937C6164
    Session-ID-ctx:
    Master-Key: 8B2B7D0A9B508BB349F2C2952A2E281A23A2CA72671CD3202C229385F12A5640556149EE6971CEBE0037366BE07D0788
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e5 00 36 e7 85 10 4f 0f-65 d0 84 b9 e6 f2 e2 8c   ..6...O.e.......
    0010 - d5 af 6e 27 ca 9d 0e 2a-00 4e 57 b6 4a 4c 36 80   ..n'...*.NW.JL6.
    0020 - 3b 72 26 89 f9 37 88 62-4e 19 55 78 01 8d 95 56   ;r&..7.bN.Ux...V
    0030 - dc 71 f2 1c 34 5f 31 cc-00 82 2f a6 e0 9f ed 66   .q..4_1.../....f
    0040 - 54 9a 88 0a 9d 04 bc ca-80 11 9f a4 e3 a3 92 15   T...............
    0050 - 1d d5 d1 1a 2d d4 81 dd-1d d4 c7 14 79 a1 aa 3a   ....-.......y..:
    0060 - b2 91 cf 3e 4f 31 50 f9-f3 31 1e 84 00 50 10 4a   ...>O1P..1...P.J
    0070 - 96 24 d2 ee 0d 55 23 54-c3 3f f3 e5 6c 9f 23 04   .$...U#T.?..l.#.
    0080 - 4b 5f f1 79 01 a7 0d c4-e8 0c 8e 2b 74 a9 e5 3d   K_.y.......+t..=
    0090 - 7b 86 c2 ec 35 22 59 a7-0d ff 7b e6 e5 f8 cd b4   {...5"Y...{.....
    00a0 - 39 78 b6 e1 12 6d 69 07-40 ea d9 bb 60 c3 b2 7b   [email protected]`..{
    00b0 - ae 37 9a e7 8a b8 68 75-7c 88 c6 20 d8 b2 81 44   .7....hu|.. ...D
    00c0 - 9d a2 dc d0 74 48 d5 5c-3e 34 41 37 0e 30 a5 45   ....tH.\>4A7.0.E

    Start Time: 1643318942
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
---
closed
Verify return code: 19 (self signed certificate in certificate chain)

So your server indeed offers a Cloudflare Origin SSL cert. Normally this should work.

1 Like
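The reply above (about Origin CA certificates only being trusted by Cloudflare) and the curl/openssl probes in this post make the same point from two sides, and it is easy to misread the probe output. As an added example (not code from the thread or from Cloudflare), the script below parses the kind of `openssl s_client` transcript posted above and classifies it together with curl's exit status: exit 35 means the origin never completed the handshake (the condition that makes Cloudflare's edge answer 525), while exit 60 with an Origin CA issuer and OpenSSL verify code 19 means the handshake completed and the origin is serving an Origin CA certificate, which a local client is expected not to trust. The transcript embedded in the script is a constructed, abbreviated copy of the one above; the function and constant names are this example's own.

```python
"""Interpret TLS probe results from an origin server behind Cloudflare.

Added example: parses curl exit codes and an `openssl s_client` transcript
to separate "origin did not complete the TLS handshake" (what produces a
Cloudflare 525) from "origin serves a Cloudflare Origin CA certificate that
only Cloudflare's edge trusts" (expected verify failure on a local client).
"""
import re
from dataclasses import dataclass
from typing import Optional

# curl exit codes used in the diagnosis (documented in the curl man page)
CURL_SSL_CONNECT_ERROR = 35    # TLS handshake did not complete
CURL_PEER_CERT_UNTRUSTED = 60  # handshake completed, chain not trusted locally

# OpenSSL X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
OPENSSL_SELF_SIGNED_IN_CHAIN = 19

# Issuer OU that Cloudflare's Origin CA puts on origin certificates
ORIGIN_CA_OU = "CloudFlare Origin SSL Certificate Authority"


@dataclass
class ChainSummary:
    leaf_subject: str
    leaf_issuer: str
    verify_code: int
    verify_text: str
    protocol: str
    cipher: str


def parse_s_client(output: str) -> ChainSummary:
    """Pull the leaf subject/issuer, verify result and negotiated protocol
    and cipher out of an `openssl s_client` transcript."""
    subj = re.search(r"^subject=(.*)$", output, re.M)
    iss = re.search(r"^issuer=(.*)$", output, re.M)
    verify = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not (subj and iss and verify):
        raise ValueError("incomplete s_client transcript")
    return ChainSummary(
        leaf_subject=subj.group(1).strip(),
        leaf_issuer=iss.group(1).strip(),
        verify_code=int(verify.group(1)),
        verify_text=verify.group(2),
        protocol=proto.group(1) if proto else "unknown",
        cipher=cipher.group(1) if cipher else "unknown",
    )


def is_origin_ca_chain(summary: ChainSummary) -> bool:
    """True when the leaf certificate was issued by Cloudflare's Origin CA."""
    return ORIGIN_CA_OU in summary.leaf_issuer


def diagnose(curl_exit: int, summary: Optional[ChainSummary]) -> str:
    """Classify one probe: curl's exit status plus, when the handshake got far
    enough for openssl to print a chain, the parsed s_client summary."""
    if curl_exit == CURL_SSL_CONNECT_ERROR:
        # No certificate was presented: the origin dropped or reset the
        # handshake. Cloudflare's edge sees the same thing and answers 525.
        return "handshake-failed"
    if (curl_exit == CURL_PEER_CERT_UNTRUSTED and summary
            and is_origin_ca_chain(summary)
            and summary.verify_code == OPENSSL_SELF_SIGNED_IN_CHAIN):
        # Expected outside Cloudflare: the Origin CA root is not in public
        # trust stores. Verify properly by passing that root via -CAfile.
        return "origin-ca-expected-untrusted"
    if curl_exit == CURL_PEER_CERT_UNTRUSTED:
        return "untrusted-other-issuer"
    if curl_exit == 0:
        return "ok"
    return "other-curl-error"


# Constructed sample: an abbreviated s_client transcript in the same shape as
# the one posted in the thread (only the lines the parser needs are kept).
SAMPLE_S_CLIENT = """CONNECTED(00000003)
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify return:1
---
Server certificate
subject=O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate

issuer=C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)
"""

if __name__ == "__main__":
    chain = parse_s_client(SAMPLE_S_CLIENT)
    print(chain.protocol, chain.cipher, chain.verify_text)
    print("curl 60 + Origin CA chain ->", diagnose(60, chain))
    print("curl 35, no chain         ->", diagnose(35, None))
```

The practical takeaway is the order of checks: an intermittent exit 35 (reset or SSL_ERROR_SYSCALL) from `curl --resolve` against the origin IP is the symptom to chase with the host, because it reproduces the 525 independently of Cloudflare; exit 60 on its own is not a fault when the origin deliberately serves an Origin CA certificate, and goes away once the Origin CA root is supplied to openssl or curl as the trust anchor.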

My guess is it’s broken because their system won’t work if it doesn’t point to the IP address they’re expecting it to. That’s why I prefer Origin CA certificates from Cloudflare… if GoDaddy will allow you to upload one.

2 Likes

Since they referred to “cPanel”, you can of course use your own SSL cert if I am not mistaken, and it is also confirmed here: https://godaddy.com/help/3983
(if you are really using cPanel)

But then again, seems like he is already using a Cloudflare origin cert?


Ah … yes he does:

So it’s actually Cloudflare that cannot connect to its own origin cert.

After a hard reload it’s gone for me:

1 Like

So we’re back to a GoDaddy configuration. It’s as if they’re not honoring the SSL configuration because it doesn’t resolve to their own IP address. Weird. I’ve not heard that happen before. You’d think if they let you add a cert, then it should trigger a configuration change.

Support here should be able to trace that connection to see what’s happening when Cloudflare connects to the origin.

1 Like

Yep.

I experienced the same a few days ago with a customer’s domain while testing.

:+1:

I wonder, could it be that the customer created an RSA or ECC Origin certificate but then did not use the matching “.pem root cert” (RSA or ECC), and instead used the wrong (different) “.pem root certificate” when adding the Origin CA certificate together with the root into the GoDaddy cPanel?

  • but I tried to do this on one domain using cPanel hosting ~2 hours ago, and it showed me a warning, so even if the customer uses the wrong one, cPanel does not let us copy-paste a wrong “root .pem” into the “CABundle” field if it differs from the origin cert … we have to use the same type for the origin cert (“ECC”) and the root .pem (“ECC”), not mixed …
2 Likes

GoDaddy Update…

They finally got in touch with someone who sounded like he knew what he was doing on the server side and familiar with Cloudflare SSLs.

We were on the phone 2+ hours and he could not figure it out. I sent him the information above. He tried to troubleshoot it and said he has been doing this for 12 years and has never seen this happen before. The issue was intermittent while on the phone. Clear the cache on Cloudflare and the browser… get 525. Every once in a while, do a refresh and get to the page fine. Clicking on a link sometimes worked, other times gave 525, without him changing anything. He could not figure it out.

I ended up removing the site from Cloudflare and changing the DNS back to GoDaddy Default.

I will wait a couple of days and try to set up Cloudflare fresh.

Any advice/recommendations moving forward?

Thanks everyone for the help.

1 Like