New 525 Error

I will translate this for you:

They say you should log in to Cloudflare's Dashboard, then go to the DNS section and point your DNS entries to the IP 107.180.41.246 (if not already). They claim this will resolve the problem.

But that is not true, since running this curl command gives:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:107.180.41.246'
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I previously also had this error:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:107.180.41.246'
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection

and also:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:107.180.41.246'
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to www.dellazanna.com:443

which led me to thinking they:

  • don’t have an SSL cert for your domain
  • have a self-signed one

After running:

$ openssl s_client -servername dellazanna.com -verify_hostname www.dellazanna.com  -connect 107.180.41.246:443
CONNECTED(00000003)
depth=1 C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify return:1
---
Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
 1 s:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate

issuer=C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2904 bytes and written 399 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3296FB05911A1D6FD94944869B80BC5EC1D448552CBFD60649FCD0DF937C6164
    Session-ID-ctx:
    Master-Key: 8B2B7D0A9B508BB349F2C2952A2E281A23A2CA72671CD3202C229385F12A5640556149EE6971CEBE0037366BE07D0788
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e5 00 36 e7 85 10 4f 0f-65 d0 84 b9 e6 f2 e2 8c   ..6...O.e.......
    0010 - d5 af 6e 27 ca 9d 0e 2a-00 4e 57 b6 4a 4c 36 80   ..n'...*.NW.JL6.
    0020 - 3b 72 26 89 f9 37 88 62-4e 19 55 78 01 8d 95 56   ;r&..7.bN.Ux...V
    0030 - dc 71 f2 1c 34 5f 31 cc-00 82 2f a6 e0 9f ed 66   .q..4_1.../....f
    0040 - 54 9a 88 0a 9d 04 bc ca-80 11 9f a4 e3 a3 92 15   T...............
    0050 - 1d d5 d1 1a 2d d4 81 dd-1d d4 c7 14 79 a1 aa 3a   ....-.......y..:
    0060 - b2 91 cf 3e 4f 31 50 f9-f3 31 1e 84 00 50 10 4a   ...>O1P..1...P.J
    0070 - 96 24 d2 ee 0d 55 23 54-c3 3f f3 e5 6c 9f 23 04   .$...U#T.?..l.#.
    0080 - 4b 5f f1 79 01 a7 0d c4-e8 0c 8e 2b 74 a9 e5 3d   K_.y.......+t..=
    0090 - 7b 86 c2 ec 35 22 59 a7-0d ff 7b e6 e5 f8 cd b4   {...5"Y...{.....
    00a0 - 39 78 b6 e1 12 6d 69 07-40 ea d9 bb 60 c3 b2 7b   9x...mi.@...`..{
    00b0 - ae 37 9a e7 8a b8 68 75-7c 88 c6 20 d8 b2 81 44   .7....hu|.. ...D
    00c0 - 9d a2 dc d0 74 48 d5 5c-3e 34 41 37 0e 30 a5 45   ....tH.\>4A7.0.E

    Start Time: 1643318942
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
---
closed
Verify return code: 19 (self signed certificate in certificate chain)

So your server indeed offers a Cloudflare Origin SSL cert. Normally this should work.

1 Like
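The manual check above (curl with --resolve, then openssl s_client against the origin IP with SNI set) is easy to script. The following is an added example, not code from the thread or from Cloudflare: it parses s_client output, pulls the certificate chain and the verify return code, and reports whether the origin is serving a Cloudflare Origin CA certificate (which only Cloudflare's edge trusts, so a direct curl is expected to fail with code 19) or something else. The sample output embedded below is taken from the thread's own s_client run; the "public cert" sample is constructed. The probe() helper shells out to the real openssl binary and needs network access; the parsing works offline.

```python
"""Diagnose what an origin presents on port 443 from `openssl s_client` output.
Added example for the thread above; not the forum's or Cloudflare's own code."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Issuer OU that Cloudflare uses for Origin CA certificates (seen in the thread's output).
CF_ORIGIN_CA_OU = "CloudFlare Origin SSL Certificate Authority"


@dataclass
class ChainDiagnosis:
    verify_code: Optional[int]   # OpenSSL X509 verify code: 0 ok, 19 self-signed in chain, 62 hostname mismatch
    verify_msg: str
    subjects: List[str]
    issuers: List[str]
    is_cloudflare_origin: bool   # chain anchored in Cloudflare's Origin CA
    advice: str


def parse_chain(output: str) -> Tuple[List[str], List[str]]:
    """Return (subjects, issuers) from the 'Certificate chain' block, in chain order."""
    subjects, issuers = [], []
    for m in re.finditer(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", output, re.M):
        subjects.append(m.group(1).strip())
        issuers.append(m.group(2).strip())
    return subjects, issuers


def diagnose(output: str) -> ChainDiagnosis:
    """Classify s_client output the way the thread does by hand."""
    subjects, issuers = parse_chain(output)
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    code = int(m.group(1)) if m else None
    msg = m.group(2) if m else "no verify result in output"
    is_cf = any(CF_ORIGIN_CA_OU in issuer for issuer in issuers)
    if not subjects:
        advice = "origin presented no certificate: nothing speaks TLS on that port, so 525 is expected"
    elif is_cf:
        advice = ("Cloudflare Origin CA certificate: trusted only by Cloudflare's edge, so curl and "
                  "browsers hitting the origin directly fail with code 19 by design. Keep the zone "
                  "proxied with SSL mode Full (strict); if you leave Cloudflare, install a publicly "
                  "trusted certificate instead")
    elif code == 62:
        advice = "certificate is valid but not for this hostname: fix the certificate's SAN list"
    elif code == 0:
        advice = "publicly trusted certificate matching the hostname: Full (strict) should work"
    else:
        advice = f"verification failed ({msg}): expect 525 under Full (strict); inspect the chain"
    return ChainDiagnosis(code, msg, subjects, issuers, is_cf, advice)


def probe(hostname: str, origin_ip: str, port: int = 443, timeout: int = 15) -> ChainDiagnosis:
    """Run the thread's openssl s_client command against the origin IP and diagnose the result."""
    cmd = ["openssl", "s_client", "-servername", hostname, "-verify_hostname", hostname,
           "-connect", f"{origin_ip}:{port}"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return diagnose(proc.stdout.decode(errors="replace"))


# Excerpt of the s_client output posted in the thread (Cloudflare Origin CA chain).
SAMPLE_ORIGIN_CA = """CONNECTED(00000003)
---
Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
 1 s:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---
Verification error: self signed certificate in certificate chain
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# Constructed sample of a publicly trusted chain (not from the thread).
SAMPLE_PUBLIC_OK = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.invalid
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ORIGIN_CA, SAMPLE_PUBLIC_OK):
        d = diagnose(sample)
        print(f"code={d.verify_code} origin_ca={d.is_cloudflare_origin}: {d.advice}")
```

The useful distinction for a 525 is between "origin has no usable certificate" and "origin has a Cloudflare Origin CA certificate that only looks broken from outside Cloudflare"; the first is a hosting problem, the second is normal and means the fault lies elsewhere (SSL mode, the host not honouring the uploaded cert, or the edge being unable to complete the handshake).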

My guess is it’s broken because their system won’t work if it doesn’t point to the IP address they’re expecting it to. That’s why I prefer Origin CA certs from Cloudflare…if GoDaddy will allow you to upload one.

2 Likes

Since they referred to “cPanel” you can ofc use your own SSL cert if I am not mistaken, but also confirmed here: https://godaddy.com/help/3983
(if you are really using cPanel)

But then again, seems like he is already using a Cloudflare origin cert?


Ah … yes he does:

So it’s actually Cloudflare that cannot connect to its own origin cert.

After a hard reload it’s gone for me:

1 Like

So we’re back to a GoDaddy configuration. It’s as if they’re not honoring the SSL configuration because it doesn’t resolve to their own IP address. Weird. I’ve not heard that happen before. You’d think if they let you add a cert, then it should trigger a configuration change.

Support here should be able to trace that connection to see what’s happening when Cloudflare connects to the origin.

1 Like

Yep.

I experienced the same few days ago with customer’s domain while testing.

:+1:

I wonder, would it have to be something if the customer created an RSA or ECC Origin certificate, therefore not using the same “.pem root cert” (RSA or ECC) and using the wrong “.pem root certificate” (different) while adding the Origin CA Certificate within the “root” into the GoDaddy cPanel?

  • but I tried to do this on one domain using cPanel hosting ~2 hours ago, and it showed a warning to me, so even if the customer uses the wrong one, cPanel does not let us copy-paste the wrong “root .pem” into the “CABundle” field if it differs from the origin … we have to use the same origin “ECC” and root .pem “ECC” and not mixed …
2 Likes

GoDaddy Update…

They finally got in touch with someone who sounded like he knew what he was doing on the server side and familiar with Cloudflare SSLs.

We were on the phone 2+ hours and he could not figure it out. I sent him the information above. He tried to troubleshoot it and said he has been doing this for 12 years and never seen this happen before. The issue was intermittent while on the phone. Clear the cache on Cloudflare and Browser… get 525. Every once in a while, do a refresh and get to the page fine. Click on a link, sometimes it worked, other times 525, without him changing anything. He could not figure it out.

I ended up removing the site from Cloudflare and changing the DNS back to GoDaddy Default.

I will wait a couple days and try to set up Cloudflare Fresh.

Any advice/recommendations moving forward?

Thanks everyone for the help.

1 Like

Somehow all these errors do have two things in common:

  • Cloudflare
  • cPanel

  1. Error 525 - need clarification
  2. https://forums.cpanel.net/threads/cpanel-ssl-cloudflare-525-ssl-handshake-failed.687289/
  3. Error 525 - SSL handshake failed (cloudflare) -> The certificate uploaded is NOT for the domain name fsocietyproject.ml (CloudFlare Origin Certificate was seen) - Hosting Support - InfinityFree Forum

Somehow strange. Maybe it’s a cPanel thing.

Two things to try:

  1. SSL Mode “Full” instead of “Full strict” since it does not validate the SSL Cert, but there must be one.
  2. Just a guess, but could you (once you use Cloudflare again) remove your origin cert from the dashboard, create a new one, and then add the new one and try again?
    Otherwise, just use “Let’s Encrypt” as SSL if the origin SSL cert does not work.

Also: please use a publicly valid SSL cert, if you remove Cloudflare, since otherwise your Cloudflare origin SSL cert is getting used, which is not valid publicly, but just behind Cloudflare while proxied.

I tried different SSL settings, including Flexible-- did not fix it.

I will remove the Origin Cert and create a new one when I set Cloudflare up again.

Need to find a current “Walk Through” for setting Cloudflare up again…

In terms of a GoDaddy and cPanel hosting, I was wondering if they offer free AutoSSL certificate.

Doing some research on their website as I haven’t used GoDaddy web hosting and any other service yet, I have found out they do not offer this so far and the user has to purchase one - ouch!

Nevertheless, from the hosting packages - there are only 2 who have it “included - Free SSL”:

The process for the SSL goes like (you do not have it, purchase it first):

And they are not so affordable (too much money for something which is nowadays free):

I am just disappointed by this so far :frowning_face: :disappointed_relieved:

1 Like

Yes… Go Daddy wants close to $94.99/yr in the US when you renew.

My 5-year contract with them ends in April… not sure how hard it is/would be to transfer 4 sites, one with a different domain, to another Hosting Provider.

Cloudflare has nothing between Free and $20/month. None of the sites are complicated or sell anything. I just do not know if Free would do everything I currently do… Word Press Site. I am willing to pay, just trying to do it as affordable and reliable as possible.

Also, I do not know how my e-mail would be affected or transferred. I use an e-mail service (Zoho) to manage (host?) my e-mail, using my domain name- [email protected]. Would I just need to add the MX record in the new Host or do I need to make changes at Zoho?

Before moving to Cloudflare I had an expired SSL Cert and it did not connect by HTTPS. That was a headache in itself. Even though I deleted the Cert, the file remained on the server and had to be manually removed by GoDaddy. That took a week to figure out.

I mentioned that to the GoDaddy support yesterday, he said he has seen that happen a few times. He checked and made sure all CERTS were removed from the server and then put a self-signed one on.

I tried Strict, Full and Flexible (I believe I got the terms correct), none worked. The issue was intermittent, to some extent. If you hit refresh 3-6 times the page might load. Only to fail again.

I ended up removing my site from Cloudflare and reset my DNS in cPanel. GoDaddy encouraged me to re-try Cloudflare, but wait 24 hours–just in case. He said he knows a lot of GoDaddy clients use Cloudflare and had good things to say about it. But he could not find the problem on his end. He was the best support I have had with GoDaddy. Tried troubleshooting using both server and Cloudflare variables.

I never got the 522 error.

Thanks for your help.

Going to try to set-up Cloudflare again tonight. Any advice/concerns on re-setting it up on a site that was recently removed?

I am near done re-installing/setting up Cloudflare. Do I need to revoke the prior Cert? I came across this page. I assume the one with the nearest Expiration date is the OLD one?

I think I got it working… Including the message above, can someone check to see if it will load.

I thought I got it to load…

I received a BitDefender (Anti-Virus Suite) warning that it was an unsafe URL. Happened on 2 computers. After I overruled it, it seemed to work fine on 1 computer. It might have been a rule in Bitdefender that was created when it was not SSL and needed to be overridden.

On my Windows 7 TV Computer I am getting a “this page isn’t working right now”… after a while it went to an Error 524 this time.

That was after clearing the cache in the browser.

https://dellazanna.com/

1 Like

@gary19 thank you for writing and feedback.

I hope you know which one is which :sweat_smile: (don’t revoke the wrong one)

Now when I check, I see a redirect loop in my Web browser, 301 and/or 302.
Testing online, using the two tools below to check this so far:

May I ask you to check if the SSL setting is at Flexible SSL under the SSL/TLS tab of the Cloudflare dashboard for your domain? That is a known cause of this redirect loop (and mixed content too).

More about it here:

Otherwise, if it’s not Flexible SSL, then something about 301 HTTP to HTTPS redirection at your origin host/server → maybe some htaccess rule or something similar to check.

  • hopefully you are not using some Page Rule to achieve 301 redirection?
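The redirect loop mentioned above has a simple mechanism: under Flexible SSL the edge always connects to the origin over plain HTTP, so an origin rule that says "redirect to https:// whenever I was reached over http" fires on every request. The following is an added example, not code from the thread or from Cloudflare: a small model of the edge's behaviour per SSL mode, the naive redirect rule beside a proxy-aware one that consults the X-Forwarded-Proto header Cloudflare sends, and a simulated browser that counts redirect hops. The scheme values and the assumption that only Cloudflare can reach the origin (so the forwarded header can be trusted) are stated in the code.

```python
"""Model of the HTTP->HTTPS redirect loop under Flexible SSL and a proxy-aware fix.
Added example for the thread above; not the forum's or Cloudflare's own code."""
from typing import Callable, Dict, Tuple

Headers = Dict[str, str]
Rule = Callable[[str, Headers], bool]


def naive_should_redirect(scheme_seen_by_origin: str, headers: Headers) -> bool:
    """Typical .htaccess-style rule: redirect whenever the connection to us is plain HTTP."""
    return scheme_seen_by_origin != "https"


def proxy_aware_should_redirect(scheme_seen_by_origin: str, headers: Headers) -> bool:
    """Use the scheme the visitor actually used, as reported by the proxy.
    Assumption: the origin only accepts traffic from Cloudflare, so the
    X-Forwarded-Proto header cannot be forged by an arbitrary client."""
    forwarded = headers.get("X-Forwarded-Proto")
    if forwarded is not None:
        return forwarded != "https"
    return scheme_seen_by_origin != "https"


def cloudflare_edge(mode: str, visitor_scheme: str) -> Tuple[str, Headers]:
    """What the origin sees for one proxied request under each SSL mode.
    Cloudflare sends X-Forwarded-Proto and CF-Visitor describing the visitor's scheme."""
    headers = {
        "X-Forwarded-Proto": visitor_scheme,
        "CF-Visitor": '{"scheme":"%s"}' % visitor_scheme,
    }
    if mode == "flexible":
        origin_scheme = "http"          # edge always talks plain HTTP to the origin
    elif mode in ("full", "full_strict"):
        origin_scheme = visitor_scheme  # edge mirrors the visitor's scheme to the origin
    else:
        raise ValueError(f"unknown SSL mode {mode!r}")
    return origin_scheme, headers


def count_redirects(mode: str, rule: Rule, start_scheme: str = "https", max_hops: int = 10) -> int:
    """Simulate a browser following redirects; returns the number of redirects before
    the page is served, or max_hops if the browser would give up (redirect loop)."""
    visitor_scheme = start_scheme
    hops = 0
    while hops < max_hops:
        origin_scheme, headers = cloudflare_edge(mode, visitor_scheme)
        if not rule(origin_scheme, headers):
            return hops                 # origin served the page
        hops += 1
        visitor_scheme = "https"        # the redirect target is always https://
    return hops


if __name__ == "__main__":
    for mode in ("flexible", "full"):
        for name, rule in (("naive", naive_should_redirect), ("proxy-aware", proxy_aware_should_redirect)):
            print(f"{mode:9} {name:12} redirects from https start: {count_redirects(mode, rule)}")
```

The same mismatch causes the mixed-content symptom: an application that sees plain HTTP on the origin builds http:// asset URLs. The durable fix is to stop the edge-to-origin hop being plain HTTP at all, i.e. use Full (strict) with a valid origin certificate, rather than to teach every redirect rule about the proxy.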

I revoked the prior cert. I am sure I did the correct one because I saved it as a word doc.

It is Full Strict now… and I am back to getting 525 error

I will not make any changes until I hear back from someone. I do not want to change it while someone is checking it.

This is something else weird…

CRAZY… Using the TV computer, which had a 524 error, I refreshed and got a 525 error and refreshed and got a partial load, some images missing, refreshed again and now it is there with fewer pics missing.

And after a couple refreshes… they are all back.

Without changing anything in Cloudflare— Main page opens with HTTPS,

Link gets a warning of not secure with HTTPS crossed out.

Trying to Log In to Word Press — also has warning of not secure with HTTPS crossed out.

Can you click on Advanced for that Cert warning and show us what it displays? I’d like to see what it thinks the certificate is issued to.

Advanced for Cert… Where in cPanel or Cloudflare? I did not see it in either.

But this might be the/a issue. In cPanel I went to Manage SSL, I browsed for Certs and came across this. The DOT is on the self signed Cert.

Should I move it to Cloudflare? It seems like that might be the issue.

This one here: