New 525 Error

CRAZY… Using the TV computer, which had a 524 error, I refreshed and got a 525 error, refreshed and got a partial load with some images missing, refreshed again and now it is there with fewer pics missing.

And after a couple refreshes… they are all back.

Without changing anything in Cloudflare, the main page opens with HTTPS.

A link gets a “not secure” warning with HTTPS crossed out.

Trying to log in to WordPress also gives a “not secure” warning with HTTPS crossed out.

Can you click on Advanced for that Cert warning and show us what it displays? I’d like to see what it thinks the certificate is issued to.

Advanced for Cert… Where in cPanel or Cloudflare? I did not see it in either.

But this might be the issue. In cPanel I went to Manage SSL, browsed for Certs and came across this. The DOT is on the self-signed Cert.

Should I move it to Cloudflare? It seems like that might be the issue.

This one here:

This time when I went, I got the 525 error… refresh a few times and it loaded.


Yeah, but when it loaded, it was without the ‘www’. Maybe the server doesn’t have a cert that covers *.dellazanna.com

That’s why I wanted to see what “Advanced” revealed.

Did you see my comment about cPanel? It looks like the Cloudflare Cert is not Active.

I may have skimmed it a bit too quickly, but it’s making some more sense now. Does it let you select the other one that’s the Cloudflare Origin cert? That one looks like it should cover everything that would work in Full (Strict) mode.

I do not think that is the issue.

I can select it and it shows up in the area where I pasted it… if I open up Browse Cert, it defaults to the self-signed one.

You mentioned *.dellazanna.com. This is what it shows on Cloudflare.

I turned on Always Use HTTPS and cleared the cache in the browser. Went to the site, got a 525 error; refresh, got a partial load; refresh, full load.

I doubt this has anything to do with it. I occasionally see this error while on the Cloudflare site. Not sure if it is an account-related error or a page error.

That’s not the origin certificate. That’s an Edge Certificate.

As for the “Great News” message, I recall you may have removed your site from Cloudflare then re-added it. That would account for seeing this message until things settle in.

I see that the site is now using an Origin Certificate on the server with the correct hostnames.

It feels like we’ve done everything we can and are still stumped. Have you ever opened a Support ticket on this?

Ticket here? Yes… they helped a few days ago. Seems they responded here, I think.

I have the support e-mail…

[Cloudflare Support] 2359318 - FW: GoDaddy Issue Update

I’ve put this in the escalation queue. We’ll flag down anybody we happen to see online, as I’m certainly intrigued by what’s going on.

Thanks… I will not troubleshoot it any more for a while… so I am not changing it as they are researching it.

Tried this morning… 525, refresh, ASCII-looking partial page (the partial load). This looks like a blank page, but it is a partial load: the Hero Image did not load, but 60% of the images are there if you scroll down.

Someone pointed me to an existing escalation thread on your ticket. Support says they tried a “curl” command against the origin that showed the problem. They said it’s in your ticket. Can you paste that command here so I can test it? If it’s the IP address that ends in .246, please X out the numbers when you paste the command.


I have pasted the information from 2 emails from 2 different people and XXX’ed out the IP addresses ending in .246. I did send the information from both to GoDaddy.

Thanks…

This was from M4rt1n on January 27

M4rt1n MVP '21 - '22



gary19:

Please ask your SSL provider to point the domain to the correct hosting IP XXX.XXX.XX.XXX. Once it is done then the site will again link to the cPanel.

I will translate this for you:

They say you should log in to Cloudflare’s Dashboard, then go to the DNS section and point your DNS entries to the IP XXX.XXX.XX.XXX (if not already). They claim this will resolve the problem.

But that is not true, since running this curl command:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:XXX.XXX.XX.XXX'

curl: (60) SSL certificate problem: self signed certificate in certificate chain

More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

I previously also had this error:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:XXX.XXX.XX.XXX'

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection

and also:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:XXX.XXX.XX.XXX'

curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to www.dellazanna.com:443

which led me to think they:

don’t have an SSL cert for your domain

have a self-signed one

After running:

$ openssl s_client -servername dellazanna.com -verify_hostname www.dellazanna.com -connect XXX.XXX.XX.XXX:443
CONNECTED(00000003)
depth=1 C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify return:1
depth=0 O = "Cloudflare, Inc.", OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate
verify return:1

Certificate chain
 0 s:O = "Cloudflare, Inc.", OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate
   i:C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
 1 s:C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
   i:C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California

Server certificate

subject=O = "Cloudflare, Inc.", OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate
issuer=C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2904 bytes and written 399 bytes
Verification error: self signed certificate in certificate chain

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3296FB05911A1D6FD94944869B80BC5EC1D448552CBFD60649FCD0DF937C6164
    Session-ID-ctx:
    Master-Key: 8B2B7D0A9B508BB349F2C2952A2E281A23A2CA72671CD3202C229385F12A5640556149EE6971CEBE0037366BE07D0788
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:


    Start Time: 1643318942
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes

closed
Verify return code: 19 (self signed certificate in certificate chain)

So your server indeed offers a Cloudflare Origin SSL cert. Normally this should work.

jochen (Cloudflare)

Jan 26, 2022, 2:05 AM PST

Hi Gary,

Thank you for contacting Cloudflare Support. I am sorry to hear that you are experiencing some difficulties here.

A 525 error indicates that the SSL handshake between Cloudflare and the origin web server failed. This only occurs when the domain is using Cloudflare Full or Full (Strict) SSL mode:
Error 525: SSL handshake failed

We would recommend you contact your hosting provider to exclude the following common causes at your origin web server:

No valid SSL certificate installed

Port 443 (or another custom secure port) is not open

No SNI support

The cipher suites accepted by Cloudflare do not match the cipher suites supported by the origin web server

In your case, it is evident that there is an issue with SSL on the origin server (please show this to GoDaddy, and they should be able to help you):

*   Expire in 0 ms for 6 (transfer 0x56360d0b5fb0)
*   Trying XXX.XXX.XX.XXX…
* TCP_NODELAY set
*   Expire in 200 ms for 4 (transfer 0x56360d0b5fb0)
* Connected to XXX.XXX.XX.XXX (XXX.XXX.XX.XXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to XXX.XXX.XX.XXX:443
* Closing connection 0
error: exit status 35

If you are only intermittently seeing 525s, this suggests the TCP connection between Cloudflare and your origin is being reset during the SSL handshake, causing the error.

In order to ensure that all requests from Cloudflare are accepted by your server over HTTPS, please make sure to:

Check if you have a certificate installed on your origin server. You can check this article for more details on how to run some tests: Gathering information. In case you don’t have any certificate, you can create and install our free Cloudflare origin CA certificate. Using Origin CA certificates allows you to encrypt traffic between Cloudflare and your origin web server.

Review the cipher suites your server is using to ensure they match what is supported by Cloudflare.

Check your server’s error logs at the timestamps where you see 525s, to see whether there are errors that could be causing the connection to be reset during the SSL handshake.

If you are still not able to identify the cause, you can change the SSL mode to Flexible under the SSL/TLS tab in your Cloudflare Dashboard, so we do not connect to your server over port 443.

I hope this helps, however, if you have any more questions, simply reply to this email and we will be happy to help.

Best regards,

Jochen | Technical Support Engineer
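The curl --resolve and openssl s_client probes quoted above, and the list of 525 causes in the support reply, combined into one added example that is not from the thread, from Cloudflare or from GoDaddy: it repeats the handshake Cloudflare makes to the origin (connect to the origin IP, send SNI for the site hostname, verify the chain against a CA bundle) and tallies the outcomes, so an intermittent reset shows up as a ratio rather than a one-off, and it checks whether a certificate's SAN list covers a hostname, which is the www-versus-apex question raised earlier. The origin IP and the CA bundle path are placeholders; the SAN values used in the hostname check are constructed.

```python
import socket
import ssl
from collections import Counter


def hostname_covered(hostname, sans):
    """RFC 6125-style name check: exact SAN match, or one leftmost-label wildcard.
    '*.example.com' covers 'www.example.com' but not the apex or 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and host.count(".") == san.count("."):
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False


def classify(exc):
    """Map a failed handshake onto the 525 causes the support reply lists."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_not_trusted_or_wrong_name"  # no valid cert, untrusted issuer, name mismatch
    if isinstance(exc, (ConnectionResetError, ssl.SSLEOFError)):
        return "reset_during_handshake"  # intermittent-525 signature (curl exit status 35)
    if isinstance(exc, ssl.SSLError):
        return "handshake_failed"  # cipher suite, SNI or protocol mismatch
    if isinstance(exc, ConnectionRefusedError):
        return "port_closed"
    if isinstance(exc, (TimeoutError, socket.timeout)):
        return "timeout"
    return "other"


def probe_origin(ip, hostname, attempts=10, cafile=None, timeout=5.0):
    """Handshake `attempts` times to ip:443 with SNI=hostname, as Cloudflare does, and tally
    outcomes. cafile (placeholder) should be the Cloudflare Origin CA root PEM when the origin
    uses an Origin Certificate; with the system store you get the 'self signed certificate in
    certificate chain' failure that curl and openssl reported. Returns (Counter, DNS SANs)."""
    ctx = ssl.create_default_context(cafile=cafile)
    tally, sans = Counter(), []
    for _ in range(attempts):
        try:
            with socket.create_connection((ip, 443), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                    cert = tls.getpeercert()
                    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                    tally["ok"] += 1
        except OSError as exc:  # ssl and socket errors all derive from OSError
            tally[classify(exc)] += 1
    return tally, sans
```

Called as probe_origin("XXX.XXX.XX.XXX", "www.dellazanna.com", attempts=20, cafile="origin_ca_root.pem"), a tally that mixes ok with reset_during_handshake matches the intermittent pattern described in the thread, while a tally of only cert_not_trusted_or_wrong_name points at the certificate or the CA bundle rather than the connection.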