New 525 Error

UPDATE: I have been on hold and talking to GoDaddy for the past 1.25 hours… You might have tried it after we worked on it.

NOTE: GoDaddy always says it is a CloudFlare issue. So realize that when I post what they said.

They said “The site’s IP Address is not propagating correctly on the Cloud Flare’s Server” and some issues were cache related.

I purged the CloudFlare Cache on the CloudFlare page and changed the SSL/TLS encryption mode to Full; it was Full Strict. That is what they recommended.

After that the site started working.

Any idea if GoDaddy is correct? Any way to request CloudFlare to check if IP Address is not propagating correctly?

Another Update… The site only works when in Develop Mode (on). Full Strict works if in Develop Mode (on).

Does anyone know what would make a site only work when in Develop Mode and it seems Purging the Cache also helped by making the problem more consistent?

Again, thanks everyone for your help

I just shut off Development Mode… in case it needs to be off for you to test.

Update… Troubleshooting

I do not know if any of these steps will help identify the source of the issue.

  1. The site will load when Development Mode is ON

  2. The site will work with Development Mode OFF, if CloudFlare is Paused. As expected, the site goes back to HTTP and Chrome makes it very hard to access.

Can you tell if this is on the GoDaddy side or the CloudFlare side?

Any potential that restoring the website from a July 2021 save would fix it? I do not think so, but figured I'd ask.

Thanks for the continued help…

Kindly, thank you for providing us with feedback information regarding your issue.

I see from now on you are using CloudFlare Origin CA Certificate - which throws as expected “not trusted” in a Web browser when hostname is unproxied :grey: (DNS-only) as follows:

Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.

From now on, while using Cloudflare Origin CA Certificate, you should set your DNS records (for www and domain name) to proxied and set to :orange:.
Therefore under the SSL/TLS tab choose Full (Strict) SSL option.
Turn off the Development mode / un-pause the “Pause Cloudflare for this site” option.
After that, wait for a few minutes and we can re-check again if your Website is loading fine over HTTPS.

Helpful source:

I understood why I was getting the unsecured warning… I was not using CloudFlare. I was just trying to troubleshoot and found that the site could load with it off.

I restored the setting you mentioned.

As a time reference—It is 3:45pm EST.

Development Mode is Off
Cloudflare on Site is enabled
SSL/TLS is Full (strict)

I believe I have all the Proxy settings correct, I did not change them.

Thanks for helping.

Kindly, may I ask you to consider masking/hiding the origin IP address from your screenshot while sharing to public for further cases. You can Edit your answer and replace the original image. Please, do so.

Furthermore, thank you for feedback.

Now that’s interesting. The moment when you switched them to be correctly configured, I did see a 525 error for a moment :thinking:
Nevertheless, after hitting the refresh button, website loads okay without it.
In another web browser, the same behaviour and I see the upper banner saying:

This website is currently offline. Cloudflare’s Always Online™ shows a snapshot of this web page from the Internet Archive’s Wayback Machine. To check for the live version, click Refresh .

I am afraid it should be something with the origin host/server on GoDaddy

Kindly, I would suggest you write a ticket to Cloudflare support due to your domain issue and share the ticket number here with us so we could escalate this issue:

  • Log in to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button. If you get an automatic reply, reply and indicate to it you need more help and reference this topic
  • Or send an e-mail to support[at]cloudflare[dot]com from your e-mail associated with your Cloudflare account

Thanks… I did not realize the IP address should be secured. I deleted it.

I tried to generate a ticket… I could not. I will submit a summary of the issue by e-mail.

I just sent the e-mail with a summary of the issue.

CloudFlare Ticket

Your request (#2359318)

Thank you, I’ve escalated it to Cloudflare team.

Kindly and patiently wait for a reply and continue to provide helpful feedback to successfully resolve the issue.

Will do… Thanks!

I have replied on the ticket, looks like SSL_ERROR_SYSCALL from the curl

1 Like

Update… I want to let you know; I will not post anything here for about 72-hours. It’s not resolved, GoDaddy is “working on it”

After nearly 2 hours on the phone with GoDaddy and forwarding the information cf-jochen sent me to give them — they only said they “see traffic” and will work on it. Would not give me any details. They said I should get an e-mail back from them in <72 hours.

Thanks for your help… without the information you sent, that makes no sense to me, I would be forced to accept GoDaddy’s answer that it’s not on the server.

I will leave all the Normal Cloudflare settings in place and let you know how it goes in a few days.

Development Mode is Off
Cloudflare on Site is enabled
SSL/TLS is Full (strict)


I do not know if they did anything to the server… I heard back from GoDaddy-- (I hope they are not passing the buck). They said:

"Please ask your SSL provider to point the domain to the correct hosting IP. Once it is done then the site will again link to the cPanel."

I do not know if this is something I can change on the Cloudflare page— I could not find a reference to it.

If this is not the solution— is there any information I can give GoDaddy to explain why they are not correct?


I will translate this for you:

They say you should log in to Cloudflare's Dashboard, then go to the DNS section and point your DNS entries to the IP (if not already). They claim this will resolve the problem.

But that is not true, since running this curl command:

$ curl --resolve ''
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here:

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I previously also had this error:

$ curl --resolve ''
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection

and also:

$ curl --resolve ''
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to

which led me to think they:

  • don’t have an SSL cert for your domain
  • have a self-signed one

After running:

$ openssl s_client -servername -verify_hostname  -connect
depth=1 C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify return:1
Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
 1 s:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
Server certificate
subject=O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate

issuer=C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 2904 bytes and written 399 bytes
Verification error: self signed certificate in certificate chain
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3296FB05911A1D6FD94944869B80BC5EC1D448552CBFD60649FCD0DF937C6164
    Master-Key: 8B2B7D0A9B508BB349F2C2952A2E281A23A2CA72671CD3202C229385F12A5640556149EE6971CEBE0037366BE07D0788
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1643318942
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
Verify return code: 19 (self signed certificate in certificate chain)

So your server indeed offers a Cloudflare Origin SSL cert. Normally this should work.

1 Like
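The reading of the `openssl s_client` output in the post above, as an added example that is not part of the original thread: a hypothetical `triage` helper that separates "origin presented a Cloudflare Origin CA chain, untrusted only by a public trust store" from "handshake never completed", the condition behind a 525. Both sample outputs are constructed, and the verdict names are assumptions of this example.

```python
import re

# Constructed samples in the shape of `openssl s_client` output (not captured data).
ORIGIN_CA_OUTPUT = """\
verify error:num=19:self signed certificate in certificate chain
Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority
 1 s:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority
    Protocol  : TLSv1.2
    Verify return code: 19 (self signed certificate in certificate chain)
"""
RESET_OUTPUT = """\
CONNECTED(00000003)
write:errno=104
no peer certificate available
"""

CHAIN_RE = re.compile(r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", re.MULTILINE)
CODE_RE = re.compile(r"Verify return code: (\d+)")


def triage(s_client_output):
    """Classify one s_client run against an origin (hypothetical helper)."""
    chain = [(s.strip(), i.strip()) for _, s, i in CHAIN_RE.findall(s_client_output)]
    code = CODE_RE.search(s_client_output)
    result = {"chain_len": len(chain), "verify_code": int(code.group(1)) if code else None}
    if not chain:
        # No certificate was presented: the TLS handshake itself failed (the 525 case).
        result["verdict"] = "handshake-failed"
        return result
    leaf_issuer = chain[0][1]
    top_subject, top_issuer = chain[-1]
    result["private_root"] = top_subject == top_issuer  # chain ends in a self-issued root
    result["origin_ca"] = "CloudFlare Origin SSL Certificate Authority" in leaf_issuer
    if result["verify_code"] == 0:
        result["verdict"] = "publicly-trusted"
    elif result["verify_code"] == 19 and result["origin_ca"]:
        # Expected with a public trust store; code 19 alone does not explain a 525.
        result["verdict"] = "origin-ca-expected-untrusted"
    else:
        result["verdict"] = "untrusted-chain"
    return result


if __name__ == "__main__":
    for name, text in (("origin-ca", ORIGIN_CA_OUTPUT), ("reset", RESET_OUTPUT)):
        print(name, triage(text))
```

The helper only reads the chain and verify code; hostname match and expiry of the Origin CA certificate still need to be checked separately before ruling the certificate out.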

My guess is it’s broken because their system won’t work if it doesn’t point to the IP address they’re expecting it to. That’s why I prefer Origin CA certs from Cloudflare…if GoDaddy will allow you to upload one.


Since they referred to “cPanel” you can ofc use your own SSL cert if I am not mistaken, but also confirmed here:
(if you are really using cPanel)

But then again, seems like he is already using a Cloudflare origin cert?

Ah … yes he does:

So it’s actually Cloudflare that cannot connect to its own origin cert.

After a hard reload it’s gone for me:

1 Like

So we’re back to a GoDaddy configuration. It’s as if they’re not honoring the SSL configuration because it doesn’t resolve to their own IP address. Weird. I’ve not heard that happen before. You’d think if they let you add a cert, then it should trigger a configuration change.

Support here should be able to trace that connection to see what’s happening when Cloudflare connects to the origin.

1 Like


I experienced the same a few days ago with a customer’s domain while testing.


I wonder, could it have something to do with whether the customer created an RSA or ECC Origin certificate and then did not use the matching “.pem root cert” (RSA or ECC), but used the wrong (different) “.pem root certificate” while adding the Origin CA Certificate with the “root” into the GoDaddy cPanel?

  • but I tried to do this on one domain using cPanel hosting ~2 hours ago, and it showed a warning to me, so even if the customer uses the wrong one, cPanel does not let us copy-paste the wrong “root .pem” into the “CABundle” field if it differs from the origin … we have to use the same origin “ECC” and root .pem “ECC” and not mixed …

GoDaddy Update…

They finally got in touch with someone who sounded like he knew what he was doing on the server side and familiar with Cloudflare SSLs.

We were on the phone 2+ hours and he could not figure it out. I sent him the information above. He tried to troubleshoot it and said he has been doing this for 12 years and has never seen this happen before. The issue was intermittent while on the phone. Clear the cache on Cloudflare and Browser… get 525. Every once in a while, do a refresh and get to the page fine. Click on a link, sometimes it worked, other times 525, without him changing anything. He could not figure it out.

I ended up removing the site from Cloudflare and changing the DNS back to GoDaddy Default.

I will wait a couple days and try to set up Cloudflare Fresh.

Any advice/recommendations moving forward?

Thanks everyone for the help.

1 Like