New 525 Error

Yeah, but when it loaded, it was without the ‘www’. Maybe the server doesn’t have a cert that covers *

That’s why I wanted to see what “Advanced” revealed.

Did you see my comment about cPanel? It looks like the Cloudflare cert is not active.

I may have skimmed it a bit too quickly, but it’s making some more sense now. Does it let you select the other one that’s the Cloudflare Origin cert? That one looks like it should cover everything that would work in Full (Strict) mode.

I do not think that is the issue.

I can select it and it shows up in the area where I pasted it… if I open up browse Cert, it defaults to the self sign.

You mentioned *. This is what it shows on Cloudflare.

I turned on Always Use HTTPS— cleared the cache in browser. Went to the site— got 525 error, refresh—got partial load, refresh full load

I doubt this has anything to do with it. I occasionally see this error while on the Cloudflare site. Not sure if it is an account-related error or a page error.

That’s not the origin certificate. That’s an Edge Certificate.

As for the “Great News” message, I recall you may have removed your site from Cloudflare then re-added it. That would account for seeing this message until things settle in.

I see that the site is now using an Origin Certificate on the server with the correct hostnames.

It feels like we’ve done everything we can and are still stumped. Have you ever opened a Support ticket on this?

Ticket here? Yes… they helped a few days ago. Seems they responded here, I think.

I have the support e-mail…

[Cloudflare Support] 2359318 - FW: GoDaddy Issue Update

I’ve put this in the escalation queue. We’ll flag down anybody we happen to see online, as I’m certainly intrigued by what’s going on.

Thanks… I will not troubleshoot it any more for a while… so I am not changing it as they are researching it.

Tried this morning… 525, refresh, ASCII-looking partial page, the partial load. This looks like a blank page, but it is a partial load: the hero image did not load… there are 60% of the images if you scroll down.

Someone pointed me to an existing escalation thread on your ticket. Support says they tried a “curl” command against the origin that showed the problem. They said it’s in your ticket. Can you paste that command here so I can test it? If it’s the IP address that ends in .246, please X out the numbers when you paste the command.


I have pasted the information from 2-emails from 2 different people and XXX’ed out the IP addresses ending in .246. I did send the information from both to GoDaddy.


This was from M4rt1n on January 27


Please ask your SSL provider to point the domain to the correct hosting IP XXX.XXX.XX.XXX. Once it is done then the site will again link to the cPanel.

I will translate this for you:

They say you should log in to the Cloudflare Dashboard, then go to the DNS section and point your DNS entries to the IP XXX.XXX.XX.XXX (if not already). They claim this will resolve the problem.

But that is not true, since running this curl command:

$ curl --resolve ‘’

curl: (60) SSL certificate problem: self signed certificate in certificate chain

More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not

establish a secure connection to it. To learn more about this situation and

how to fix it, please visit the web page mentioned above.

I previously also had this error:

$ curl --resolve ‘’

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection

and also:

$ curl --resolve ‘’

curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to

which led me to think they:

don’t have an SSL cert for your domain

have a self-signed one

After running:

$ openssl s_client -servername -verify_hostname -connect XXX.XXX.XX.XXX:443


depth=1 C = US, O = “Cloudflare, Inc.”, OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California

verify error:num=19:self signed certificate in certificate chain

verify return:1

depth=1 C = US, O = “Cloudflare, Inc.”, OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California

verify return:1

depth=0 O = “Cloudflare, Inc.”, OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate

verify return:1

Certificate chain

0 s:O = “Cloudflare, Inc.”, OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate

i:C = US, O = “Cloudflare, Inc.”, OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California

1 s:C = US, O = “Cloudflare, Inc.”, OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California

i:C = US, O = “Cloudflare, Inc.”, OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California

Server certificate

subject=O = “Cloudflare, Inc.”, OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate

issuer=C = US, O = “Cloudflare, Inc.”, OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California

No client certificate CA names sent

Peer signing digest: SHA256

Peer signature type: RSA-PSS

Server Temp Key: X25519, 253 bits

SSL handshake has read 2904 bytes and written 399 bytes

Verification error: self signed certificate in certificate chain

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated


Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES256-GCM-SHA384

Session-ID: 3296FB05911A1D6FD94944869B80BC5EC1D448552CBFD60649FCD0DF937C6164


Master-Key: 8B2B7D0A9B508BB349F2C2952A2E281A23A2CA72671CD3202C229385F12A5640556149EE6971CEBE0037366BE07D0788

PSK identity: None

PSK identity hint: None

SRP username: None

TLS session ticket lifetime hint: 300 (seconds)

TLS session ticket:

0000 - e5 00 36 e7 85 10 4f 0f-65 d0 84 b9 e6 f2 e2 8c …6…O.e…

0010 - d5 af 6e 27 ca 9d 0e 2a-00 4e 57 b6 4a 4c 36 80 …n’…*.NW.JL6.

0020 - 3b 72 26 89 f9 37 88 62-4e 19 55 78 01 8d 95 56 ;r&…7.bN.Ux…V

0030 - dc 71 f2 1c 34 5f 31 cc-00 82 2f a6 e0 9f ed 66 .q…4_1…/…f

0040 - 54 9a 88 0a 9d 04 bc ca-80 11 9f a4 e3 a3 92 15 T…

0050 - 1d d5 d1 1a 2d d4 81 dd-1d d4 c7 14 79 a1 aa 3a …-…y…:

0060 - b2 91 cf 3e 4f 31 50 f9-f3 31 1e 84 00 50 10 4a …>O1P…1…P.J

0070 - 96 24 d2 ee 0d 55 23 54-c3 3f f3 e5 6c 9f 23 04 .$…U#T.?..l.#.

0080 - 4b 5f f1 79 01 a7 0d c4-e8 0c 8e 2b 74 a9 e5 3d K_.y…+t…=

0090 - 7b 86 c2 ec 35 22 59 a7-0d ff 7b e6 e5 f8 cd b4 {…5"Y…{…

00a0 - 39 78 b6 e1 12 6d 69 07-40 ea d9 bb 60 c3 b2 7b 9x…[email protected]…`…{

00b0 - ae 37 9a e7 8a b8 68 75-7c 88 c6 20 d8 b2 81 44 .7…hu|… …D

00c0 - 9d a2 dc d0 74 48 d5 5c-3e 34 41 37 0e 30 a5 45 …tH.>4A7.0.E

Start Time: 1643318942

Timeout : 7200 (sec)

Verify return code: 19 (self signed certificate in certificate chain)

Extended master secret: yes


Verify return code: 19 ( self signed certificate in certificate chain)

So your server indeed offers a Cloudflare Origin SSL cert. Normally this should work.

jochen (Cloudflare)

Jan 26, 2022, 2:05 AM PST

Hi Gary,

Thank you for contacting Cloudflare Support. I am sorry to hear that you are experiencing some difficulties here.

A 525 error indicates that the SSL handshake between Cloudflare and the origin web server failed. This only occurs when the domain is using Cloudflare Full or Full (Strict) SSL mode:
Error 525: SSL handshake failed

We would recommend you contact your hosting provider to exclude the following common causes at your origin web server:

No valid SSL certificate installed

Port 443 (or another custom secure port) is not open

No SNI support

The cipher suites accepted by Cloudflare do not match the cipher suites supported by the origin web server

In your case, it is evident that there is an issue with SSL on the origin server (please show this to GoDaddy, and they should be able to help you):

  • Expire in 0 ms for 6 (transfer 0x56360d0b5fb0)

  • Trying XXX.XXX.XX.XXX…


  • Expire in 200 ms for 4 (transfer 0x56360d0b5fb0)

  • Connected to XXX.XXX.XX.XXX (XXX.XXX.XX.XXX) port 443 (#0)

  • ALPN, offering h2

  • ALPN, offering http/1.1

  • successfully set certificate verify locations:

  • CAfile: none

CApath: /etc/ssl/certs

} [5 bytes data]

  • TLSv1.3 (OUT), TLS handshake, Client hello (1):

} [512 bytes data]

  • OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to XXX.XXX.XX.XXX:443

  • Closing connection 0

error: exit status 35

If you are only intermittently seeing 525’s, this suggests the TCP connection between Cloudflare and your origin is being reset during the SSL handshake causing the error.

In order to ensure that all requests from Cloudflare are accepted by your server over HTTPS, please make sure to:

Check if you have a certificate installed on your origin server. You can check this article for more details on how to run some tests: Gathering information. In case you don’t have any certificate, you can create and install our free Cloudflare origin CA certificate. Using Origin CA certificates allows you to encrypt traffic between Cloudflare and your origin web server.

Review the cipher suites your server is using to ensure they match what is supported by Cloudflare.

Check your server’s error logs at the timestamps where you see 525s to see whether there are errors that could be causing the connection to be reset during the SSL handshake

If you are still not able to identify the cause, you can change the SSL mode to Flexible under the SSL/TLS tab in your Cloudflare Dashboard, so we do not connect to your server over port 443.

I hope this helps, however, if you have any more questions, simply reply to this email and we will be happy to help.

Best regards,

Jochen | Technical Support Engineer
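To make the distinction M4rt1n and Cloudflare Support draw above concrete, here is an added Python triage helper. It is not code from the thread, from Cloudflare or from GoDaddy; it parses curl and `openssl s_client` output of the kind pasted above and separates "this client does not trust the origin certificate" (curl exit 60, openssl verify code 19 on a Cloudflare Origin CA chain, which is expected for a public client) from "the handshake never completed" (curl exit 35), which is the case the support email ties to port, SNI, cipher-suite and connection-reset problems. The sample inputs are constructed from the output quoted in the posts with the IP left redacted, and the function names are my own.

```python
"""Triage helper for origin TLS probes behind Cloudflare (Full / Full (Strict) modes).

Added example, not part of the thread. It parses curl and `openssl s_client`
output and turns it into one finding, separating "client does not trust the
origin certificate" from "the handshake never completed".
"""
import re

# Sample inputs are constructed from the output quoted in the thread; the
# origin IP is kept redacted as XXX.XXX.XX.XXX exactly as in the posts.
SAMPLE_CURL_LINES = [
    "curl: (60) SSL certificate problem: self signed certificate in certificate chain",
    "curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to XXX.XXX.XX.XXX:443",
    "curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to XXX.XXX.XX.XXX:443",
]

SAMPLE_S_CLIENT = """\
depth=1 C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=0 O = "Cloudflare, Inc.", OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate
verify return:1
---
Certificate chain
 0 s:O = "Cloudflare, Inc.", OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate
   i:C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
 1 s:C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
   i:C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)
"""

CURL_RE = re.compile(r"^curl: \((\d+)\) (.*)$")
VERIFY_RE = re.compile(r"Verify return code: (\d+) \(\s*(.*?)\s*\)")
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)$", re.M)


def classify_curl(line: str) -> dict:
    """Map one `curl: (N) ...` line to the failure class it indicates."""
    m = CURL_RE.match(line.strip())
    if not m:
        return {"kind": "unknown", "code": None, "detail": line.strip()}
    code, detail = int(m.group(1)), m.group(2)
    if code == 60:          # peer certificate not trusted by curl's CA store
        kind = "untrusted_certificate"
    elif code == 35:        # SSL_connect failed: reset, SYSCALL, no shared cipher, ...
        kind = "handshake_aborted"
    else:
        kind = "other_curl_error"
    return {"kind": kind, "code": code, "detail": detail}


def parse_s_client(output: str) -> dict:
    """Pull the verification result, negotiated parameters and chain out of s_client output."""
    verify = VERIFY_RE.search(output)
    proto = PROTO_RE.search(output)
    cipher = CIPHER_RE.search(output)
    chain = [subj.strip() for _, subj in CHAIN_RE.findall(output)]
    return {
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_reason": verify.group(2) if verify else None,
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher.group(1) if cipher else None,
        "chain": chain,
        # Cloudflare Origin CA certs are only trusted by Cloudflare's edge, so a
        # public client reporting them as self-signed is expected, not a fault.
        "origin_ca": any("Cloudflare Origin" in subj for subj in chain),
    }


def triage(curl_lines, s_client_output) -> str:
    """Combine both probes into one finding, following the reasoning in the thread."""
    curl = [classify_curl(line) for line in curl_lines]
    sess = parse_s_client(s_client_output)
    findings = []
    if sess["verify_code"] == 19 and sess["origin_ca"]:
        findings.append(
            "origin presents a Cloudflare Origin CA certificate; public clients "
            "report it as self-signed, but Cloudflare accepts it in Full (Strict) "
            "mode, so certificate trust is not the cause of a 525")
    elif sess["verify_code"] == 0:
        findings.append("origin certificate chain verifies against the local trust store")
    elif sess["verify_code"] is not None:
        findings.append(f"origin certificate does not verify (code {sess['verify_code']}: {sess['verify_reason']})")
    if sess["protocol"] and sess["cipher"]:
        findings.append(f"completed handshake negotiated {sess['protocol']} with {sess['cipher']}")
    if any(c["kind"] == "handshake_aborted" for c in curl):
        findings.append(
            "at least one probe was aborted mid-handshake (curl exit 35): check that "
            "port 443 is open, that SNI is honoured, that a cipher suite overlaps with "
            "Cloudflare's, and read the server error log at those timestamps; "
            "intermittent aborts point at the TCP connection being reset")
    if not findings:
        findings.append("no handshake problem visible in the supplied output")
    return "; ".join(findings)


if __name__ == "__main__":
    print(triage(SAMPLE_CURL_LINES, SAMPLE_S_CLIENT))
```

Run it as-is to see the combined finding for the thread's own output, or feed it the lines captured from your own `curl -v` and `openssl s_client -servername <host> -connect <ip>:443` runs. The point of the combination is that a verify code 19 on an Origin CA chain is a non-finding for a Cloudflare-proxied site, while an exit 35 is the one that matches a 525 and sends you to the port, SNI, cipher and log checks.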

I tried that as well, and when I paste the returned cert you show, it has the appropriate hostnames:

The only conclusion that makes sense to me is this:

The next thing I would try would be to :grey: that DNS record, then give it the five minutes to propagate before having QualysSSL test it for cypher suites. I’m not sure if that test will balk at the origin cert, but I’m hoping it will at least play along and do a full test anyway.

New finding….

If I refresh several times after getting the 525 error… the page will load. If I click on a link on the page (Single Page Website) I will get 525 again. Refresh 1-2 times the link opens, then all the other links work without 525.

Leave the page open for several minutes without scrolling…. The same thing happens again.

I think I did what you said to do.

  1. I might not understand what you are saying… How can I not have an SSL Cert… if it shows up with a lock and HTTPS? Not sure how it works, but could it be bouncing between the 2 certs I see in cPanel?

  2. This is the current/active Cert and the 2 Certs on the server. Should I delete the Self Signed, leaving only the Cloudflare? It might make it hard to remove Cloudflare if there are no Certs to fall back on. I understand about 1/2 of what I just said. :slight_smile:

After changing the Type A record to DNS only I got a BitDefender warning that I needed to override to get access, but no 525.

I then tried the same using Chrome… Clean Cache. Main page loaded without issue, but the link called prior got a 525. After a refresh, it loaded.

I wish Bitdefender would show you the untrusted certificate. That’s why I suggest you run the Qualys SSL test. It should give you more info.

I just ran the Qualys test and saved it as a PDF. I can’t upload it here. It shows a lot of issues. I will read it more carefully, but most is over my head.

Qualys SSL Report:

I think it shows two Cloudflare certs, one of which expired in 2019. That is before I started using it.

I found this poking around in cPanel. The second part sounds relevant.


That first one (“Additional Certificate”) looks bad. It’s expired. Did you add a Cloudflare Root CA cert sometime back?

I hope you can track that one down and replace it with this:

Or just flat-out delete it and see if that fixes everything, including this: