New 525 Error

I turned on Always Use HTTPS and cleared the cache in the browser. Went to the site: got a 525 error; refresh, got a partial load; refresh, full load.

I doubt this has anything to do with it. I occasionally see this error while on a Cloudflare site. Not sure if it is an account-related error or a page error.

That’s not the origin certificate. That’s an Edge Certificate.

As for the “Great News” message, I recall you may have removed your site from Cloudflare then re-added it. That would account for seeing this message until things settle in.

I see that the site is now using an Origin Certificate on the server with the correct hostnames.

It feels like we’ve done everything we can and are still stumped. Have you ever opened a Support ticket on this?

Ticket here? Yes… they helped a few days ago. Seems they responded here, I think.

I have the support e-mail…

[Cloudflare Support] 2359318 - FW: GoDaddy Issue Update

I’ve put this in the escalation queue. We’ll flag down anybody we happen to see online, as I’m certainly intrigued by what’s going on.

Thanks… I will not troubleshoot it any more for a while… so I am not changing it as they are researching it.

Tried this morning… 525; refresh, an ASCII-looking partial page (the partial load). This looks like a blank page, but it is a partial load: the Hero Image did not load… there are 60% of the images if you scroll down.

Someone pointed me to an existing escalation thread on your ticket. Support says they tried a “curl” command against the origin that showed the problem. They said it’s in your ticket. Can you paste that command here so I can test it? If it’s the IP address that ends in .246, please X out the numbers when you paste the command.


I have pasted the information from 2 emails from 2 different people and XXX’ed out the IP addresses ending in .246. I did send the information from both to GoDaddy.

Thanks…

This was from M4rt1n on January 27


gary19:

Please ask your SSL provider to point the domain to the correct hosting IP XXX.XXX.XX.XXX. Once it is done then the site will again link to the cPanel.

I will translate this for you:

They say you should log in to Cloudflare’s Dashboard, then go to the DNS section and point your DNS entries to the IP XXX.XXX.XX.XXX (if not already). They claim this will resolve the problem.

But that is not true, since running this curl command:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:XXX.XXX.XX.XXX'
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I previously also had this error:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:XXX.XXX.XX.XXX'
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection

and also:

$ curl https://www.dellazanna.com --resolve 'www.dellazanna.com:443:XXX.XXX.XX.XXX'
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to www.dellazanna.com:443

which led me to thinking they:

don’t have an SSL cert for your domain

have a self-signed one

After running:

$ openssl s_client -servername dellazanna.com -verify_hostname www.dellazanna.com -connect XXX.XXX.XX.XXX:443
CONNECTED(00000003)
depth=1 C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify return:1
depth=0 O = "Cloudflare, Inc.", OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate
verify return:1

Certificate chain
 0 s:O = "Cloudflare, Inc.", OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate
   i:C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
 1 s:C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California
   i:C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California

Server certificate
-----BEGIN CERTIFICATE-----
MIIEqDCCA5CgAwIBAgIUcEM5bMIirvYEvkldICLa5GPL3aowDQYJKoZIhvcNAQEL
BQAwgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQw
MgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9y
aXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MB4XDTIxMDcyMjIzMjQwMFoXDTM2MDcxODIzMjQwMFowYjEZMBcGA1UEChMQQ2xv
dWRGbGFyZSwgSW5jLjEdMBsGA1UECxMUQ2xvdWRGbGFyZSBPcmlnaW4gQ0ExJjAk
BgNVBAMTHUNsb3VkRmxhcmUgT3JpZ2luIENlcnRpZmljYXRlMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmZ1xZsiFyWsd/kxTnw4Fcro8Hr+dBtqAmYf0
OrV383qZYXGaSXezoZNSJR9iJXRgCuM0oRaouRl924Ej67aSUmx8uhI8cS/KGg0/
HF5vPfhp4fmVVKwGvkTgy8WV84nRMPwiICx4EAEYWX68vQnXdimUwS9RN8Q6FekI
al/+uI5mhbZQqZZRAznxGx+zUfRRnvqLWZFUQ2t+28SgesWp+ZE38xCfrv5UhZ7c
quUnfs3pTqLQqq2Aivxgxha7IEzz+q67GtUarT/UkxlidXKzC7/m9L/QcMCR+02U
QOMIjrCZl6jVrkI6XemybOHCgYgGplhA52wnIatSmVgtZM2UcwIDAQABo4IBKjCC
ASYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTRo1Kg04ozpOvtIxDhDv5BLd7o9jAf
BgNVHSMEGDAWgBQk6FNXXXw0QIep65TbuuEWePwppDBABggrBgEFBQcBAQQ0MDIw
MAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLmNsb3VkZmxhcmUuY29tL29yaWdpbl9j
YTArBgNVHREEJDAighAqLmRlbGxhemFubmEuY29tgg5kZWxsYXphbm5hLmNvbTA4
BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNsb3VkZmxhcmUuY29tL29yaWdp
bl9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBACYDRHuPtbfAAxwI8uQlajCPCGHp
ArjtXU+YZHQ80we2fnEbC1iKGCOqO7fSGtlehwQsI6w2IBaHhS2I+Vm3cTS8MRn+
XreaJa2BJLL6LJhuWypC49CQdO132ruGADRAZQyyUjZPPxaDNmOBZl5C0hWi3LKq
Qdw0nuyqpE5f79WYOAanG/tHnvluNMb5bXfghh7RjTKYDezVLH0Yij95kZWdrj+L
imAVRcTgwnzuMXY5PACXG8oAeXzjR2ChfURfg4FGB5Y9jwwrwRc50Ropv4akdzqe
fpoVZzX/tnqGj7urp8hGS6V30jd7WPL2wa5qACkQt+tZ5YPiw4/srIE00MY=
-----END CERTIFICATE-----
subject=O = "Cloudflare, Inc.", OU = Cloudflare Origin CA, CN = Cloudflare Origin Certificate
issuer=C = US, O = "Cloudflare, Inc.", OU = Cloudflare Origin SSL Certificate Authority, L = San Francisco, ST = California

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2904 bytes and written 399 bytes
Verification error: self signed certificate in certificate chain

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3296FB05911A1D6FD94944869B80BC5EC1D448552CBFD60649FCD0DF937C6164
    Session-ID-ctx:
    Master-Key: 8B2B7D0A9B508BB349F2C2952A2E281A23A2CA72671CD3202C229385F12A5640556149EE6971CEBE0037366BE07D0788
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e5 00 36 e7 85 10 4f 0f-65 d0 84 b9 e6 f2 e2 8c …6…O.e…
    0010 - d5 af 6e 27 ca 9d 0e 2a-00 4e 57 b6 4a 4c 36 80 …n’…*.NW.JL6.
    0020 - 3b 72 26 89 f9 37 88 62-4e 19 55 78 01 8d 95 56 ;r&…7.bN.Ux…V
    0030 - dc 71 f2 1c 34 5f 31 cc-00 82 2f a6 e0 9f ed 66 .q…4_1…/…f
    0040 - 54 9a 88 0a 9d 04 bc ca-80 11 9f a4 e3 a3 92 15 T…
    0050 - 1d d5 d1 1a 2d d4 81 dd-1d d4 c7 14 79 a1 aa 3a …-…y…:
    0060 - b2 91 cf 3e 4f 31 50 f9-f3 31 1e 84 00 50 10 4a …>O1P…1…P.J
    0070 - 96 24 d2 ee 0d 55 23 54-c3 3f f3 e5 6c 9f 23 04 .$…U#T.?..l.#.
    0080 - 4b 5f f1 79 01 a7 0d c4-e8 0c 8e 2b 74 a9 e5 3d K_.y…+t…=
    0090 - 7b 86 c2 ec 35 22 59 a7-0d ff 7b e6 e5 f8 cd b4 {…5"Y…{…
    00a0 - 39 78 b6 e1 12 6d 69 07-40 ea d9 bb 60 c3 b2 7b 9x…mi.@…`…{
    00b0 - ae 37 9a e7 8a b8 68 75-7c 88 c6 20 d8 b2 81 44 .7…hu|… …D
    00c0 - 9d a2 dc d0 74 48 d5 5c-3e 34 41 37 0e 30 a5 45 …tH.>4A7.0.E
    Start Time: 1643318942
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes

closed
Verify return code: 19 ( self signed certificate in certificate chain)

So your server indeed offers a Cloudflare Origin SSL cert. Normally this should work.

jochen (Cloudflare)

Jan 26, 2022, 2:05 AM PST

Hi Gary,

Thank you for contacting Cloudflare Support. I am sorry to hear that you are experiencing some difficulties here.

A 525 error indicates that the SSL handshake between Cloudflare and the origin web server failed. This only occurs when the domain is using Cloudflare Full or Full (Strict) SSL mode:
Error 525: SSL handshake failed

We would recommend you contact your hosting provider to exclude the following common causes at your origin web server:

No valid SSL certificate installed

Port 443 (or another custom secure port) is not open

No SNI support

The cipher suites accepted by Cloudflare do not match the cipher suites supported by the origin web server

In your case, it is evident that there is an issue with SSL on the origin server (please show this to GoDaddy, and they should be able to help you):

* Expire in 0 ms for 6 (transfer 0x56360d0b5fb0)
*   Trying XXX.XXX.XX.XXX...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x56360d0b5fb0)
* Connected to XXX.XXX.XX.XXX (XXX.XXX.XX.XXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to XXX.XXX.XX.XXX:443
* Closing connection 0
error: exit status 35

If you are only intermittently seeing 525s, this suggests the TCP connection between Cloudflare and your origin is being reset during the SSL handshake, causing the error.

In order to ensure that all requests from Cloudflare are accepted by your server over HTTPS, please make sure to:

Check if you have a certificate installed on your origin server. You can check this article for more details on how to run some tests: Gathering information. In case you don’t have any certificate, you can create and install our free Cloudflare origin CA certificate. Using Origin CA certificates allows you to encrypt traffic between Cloudflare and your origin web server.

Review the cipher suites your server is using to ensure they match what is supported by Cloudflare.

Check your server’s error logs at the timestamps where you see 525s for errors that could be causing the connection to be reset during the SSL handshake.

If you are still not able to identify the cause, you can change the SSL mode to Flexible under the SSL/TLS tab in your Cloudflare Dashboard, so we do not connect to your server over port 443.

I hope this helps, however, if you have any more questions, simply reply to this email and we will be happy to help.

Best regards,

Jochen | Technical Support Engineer
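As an added, self-contained shell example (not part of this thread, and not Cloudflare's or GoDaddy's tooling), the checks above can be turned into a repeatable origin probe. It keeps the idea of Support's and M4rt1n's commands, connecting to the origin IP while sending the real hostname as SNI, but passes the Cloudflare Origin CA root as the CA file, so the verify code answers the actual question (is the chain and hostname fine for a client that trusts that root, as Cloudflare does) instead of reporting the expected "self signed certificate in certificate chain". It then repeats the handshake, because a mix of successes and resets is the intermittent pattern described in the support reply. HOST, ORIGIN_IP and CF_ORIGIN_ROOT are placeholders you set yourself; all function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, not Cloudflare's own tooling): probe an origin
# the way Cloudflare's edge sees it, verifying against the Cloudflare Origin CA root.
# The three values below are placeholders you must set for your own origin.
HOST="${HOST:-www.example.com}"                          # hostname Cloudflare sends as SNI
ORIGIN_IP="${ORIGIN_IP:-XXX.XXX.XX.XXX}"                 # origin address behind the proxy
CF_ORIGIN_ROOT="${CF_ORIGIN_ROOT:-origin_ca_rsa_root.pem}"  # Origin CA root PEM downloaded from Cloudflare

# Pull the numeric "Verify return code" out of openssl s_client output; empty when the
# handshake never got far enough to print one (reset or closed port).
verify_code() {
  sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Translate a verify code into what it means for a 525 investigation.
explain_verify_code() {
  case "$1" in
    0)  echo "chain verifies against the supplied CA and covers $HOST: the certificate is not the 525 cause" ;;
    19) echo "root not in the trust store: expected for an Origin CA cert when the Origin CA root is not given with -CAfile; Cloudflare itself trusts that root" ;;
    62) echo "hostname mismatch: the certificate does not cover $HOST" ;;
    "") echo "no verify code printed: the TCP connection was reset or closed before the handshake finished" ;;
    *)  echo "verify error $1: inspect the certificate installed on the origin" ;;
  esac
}

# Return 0 when a subjectAltName line (as printed by `openssl x509 -ext subjectAltName`)
# covers the given host; a wildcard matches exactly one label, as TLS clients require.
san_covers() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p' | {
    host="$2"
    while IFS= read -r entry; do
      case "$entry" in
        \*.*)
          parent="${entry#\*.}"
          case "$host" in
            *.$parent) rest="${host%.$parent}"
                       case "$rest" in *.*) ;; *) exit 0 ;; esac ;;
          esac ;;
        *) [ "$entry" = "$host" ] && exit 0 ;;
      esac
    done
    exit 1
  }
}

# One handshake to the origin IP with the right SNI, hostname check and Origin CA root.
probe_once() {
  openssl s_client -servername "$HOST" -verify_hostname "$HOST" \
    -CAfile "$CF_ORIGIN_ROOT" -connect "$ORIGIN_IP:443" </dev/null 2>&1
}

# Classify a run of probes: a mix of successes and failures is the intermittent reset
# pattern, which is a connection problem on the origin rather than a certificate problem.
diagnose_counts() {
  ok="$1"; fail="$2"
  if [ "$fail" -eq 0 ]; then
    echo "stable: every handshake verified; look at cipher suites, origin load or firewall rate limits instead"
  elif [ "$ok" -eq 0 ]; then
    echo "persistent: every handshake failed; fix the certificate, port 443 or SNI on the origin"
  else
    echo "intermittent: $fail of $((ok+fail)) handshakes failed; the origin resets connections mid-handshake, check its error logs at those timestamps"
  fi
}

# Run N probes, print each attempt's meaning, then the overall diagnosis.
probe_repeat() {
  n="${1:-10}"; ok=0; fail=0; i=0
  while [ "$i" -lt "$n" ]; do
    code=$(probe_once | verify_code)
    echo "attempt $((i+1)): $(explain_verify_code "$code")"
    if [ "$code" = "0" ]; then ok=$((ok+1)); else fail=$((fail+1)); fi
    i=$((i+1))
  done
  diagnose_counts "$ok" "$fail"
}

# Usage: RUN_PROBE=1 HOST=www.example.com ORIGIN_IP=203.0.113.10 CF_ORIGIN_ROOT=root.pem sh origin-probe.sh 10
if [ "${RUN_PROBE:-0}" = "1" ]; then probe_repeat "${1:-10}"; fi
```

With the Origin CA root in -CAfile, a healthy origin returns verify code 0 on every attempt; code 19 only means the root was not supplied, and 62 means the certificate's names do not cover the hostname, which is the case the san_covers helper lets you check offline on the SAN line from `openssl x509 -noout -ext subjectAltName`. Run ten or more attempts, since a single success proves nothing when the 525 is intermittent.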

I tried that as well, and when I paste the returned cert you show, it has the appropriate hostnames:

The only conclusion that makes sense to me is this:

The next thing I would try would be to :grey: that DNS record, then give it the five minutes to propagate before having Qualys SSL test it for cipher suites. I’m not sure if that test will balk at the origin cert, but I’m hoping it will at least play along and do a full test anyway.

New finding….

If I refresh several times after getting the 525 error… the page will load. If I click on a link on the page (Single Page Website) I will get 525 again. Refresh 1-2 times the link opens, then all the other links work without 525.

Leave the page open for several minutes without scrolling…. The same thing happens again.

I think I did what you said to do.

  1. I might not understand what you are saying… How can I not have an SSL Cert… if it shows up with a lock and HTTPS? Not sure how it works, but could it be bouncing between the 2 certs I see in cPanel?

  2. This is the current/active Cert and the 2 Certs on the server. Should I delete the Self Signed, leaving only the Cloudflare? It might make it hard to remove Cloudflare if there are no Certs to fall back on. I understand about 1/2 of what I just said. :slight_smile:


After changing the type of Dellazanna.com to DNS only, I got a Bitdefender warning that I needed to override to get access, but no 525.

I then tried the same using Chrome… Clean Cache. Main page loaded without issue, but the link called prior got a 525. After a refresh, it loaded.

I wish Bitdefender would show you the untrusted certificate. That’s why I suggest you run the Qualys SSL test. It should give you more info.

I just ran the Qualys test and saved it as a PDF. I can’t upload it here. It shows a lot of issues. I will read it more carefully, but most is over my head.

Qualys SSL Report: dellazanna.com

I think it shows two Cloudflare Certs–one expired in 2019. That is before I started using it.


I found this poking around in cPanel. The second part sounds relevant.


That first one (“Additional Certificate”) looks bad. It’s expired. Did you add a Cloudflare Root CA cert sometime back?

I hope you can track that one down and replace it with this:
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca#4-required-for-some-add-cloudflare-origin-ca-root-certificates

Or just flat-out delete it and see if that fixes everything, including this:

I think GoDaddy’s “Certificate Authority Bundle: (CABUNDLE)” is the same term for Cloudflare Origin CA root certificate

If I remember correctly, I did not enter data in the CABUNDLE field. But it is filled now, not by me and it is different than the one I just downloaded from Cloudflare. Cloudflare Origin RSA PEM

I will delete it again… 1st leave it blank and see if that works.

Then fill it with the downloaded one.

CORRECTION/UPDATE…

I went back to do that and the CABUNDLE was blank this time.

This is something that I am sure is related.

On the main page of cPanel. It shows this, with a pop-up warning. Primary Domain (No Valid Certificate)

When adding new SSL (Install SSL) via cPanel, the 3rd field (CA Bundle) is for “Cloudflare CA root”.

  • on some cPanel websites, if I do not add it, I cannot install the Cloudflare Origin CA certificate → it shows me a warning and does not let me pass to install the SSL certificate without it (since cPanel does not have the Cloudflare CA root certificate beforehand, and so the Cloudflare Origin CA certificate is not trusted by cPanel)

This warning in cPanel “is normal” when using a Cloudflare Origin CA certificate; I see it too on a few websites using cPanel.


Does anything in the Qualys SSL report point to the source of the problem? (Link). It says my Cloudflare Origin Certificate, with Exp. 2037, is not valid. There is a second cert listed under “Additional Certificates” that shows “Cloudflare, Inc. / Cloudflare Origin SSL Certificate Authority Not in trust store” and expired in 2019, before I ever used Cloudflare?
