No, your request failed with a response status of 400 or above

After my site went down astralcomputing[dot]com I found out that the LetsEncrypt certbot was no longer supported/working.
So, I used the option to create a “Origin Cert” in the SSL configuration panel in Cloudflare. I saved the key and the cert, and put them on my server and edited the ssl config to point to the new Cloudflare cert and key. So far so good. After restarting Apache, I can the see website in a web browser using https if I go directly to the IP address:
Note: the browser complains it’s not secure due to the cert being self-signed. You can view the cert and it looks ok, (from Cloudflare etc.) so I know it’s working directly.
BUT 0 if I access the website using the domain name (via Cloudflare) I get a timeout…
When I run the Cloudflare site diags, everything looks ok except the SSL diag and it reports an “error above 400”

Don’t know what to do from here other than to get rid of the Cloudflare “Origin server” cert and create a “real” one and install that from someone else… (like it was doing under LetsEncrypt before)

Any Ideas?

Thanks in advance,


Your SSL setup seems to be all right. Just make sure your encryption mode is “Full Strict”, otherwise your site would still be insecure.

As for the 400 message, I assume you set up a firewall rule, blocking everything but the US, right?

If you have such a rule, the message can be explained with the 403 you are getting from that block. The Virginia checkpoint actually loads fine, however there’s a timeout in New York.

I’ve had the firewall in Cloudflare set to US only and block other countries, since I started using CF a long time ago.
Never had any issue with that before. Did not make any changes there…

I did follow the instructions for the Origin certificate setup that included changing the encryption mode to “Full Strict” and that’s the way CF is setup now… From PHX metro area CF serves me up the “Wayback Machine” copy with the banner about being offline… or sometimes just times out.

But, from same location/laptop directly to the IP address I get the real website.
Also, I don’t have any issues with SSH directly to the iP

So, something seems to be wrong with the connection between CF and my site.


Well, that non-US block is why you get those 403s.

As for the New York timeout, that’s probably because you’ll be blocking certain Cloudflare addresses

Make sure the addresses at are not blocked on your server.

That does not make sense. The Cloudflare firewall has always been set this way.
Allow all from US and block all from non-US.
Has been working fine this way for years.

Well, apart from the New York issue, your site actually loads fine from the US.

Well, it does not according to the Cloudflare diagnotic page (as https) also I get a 522 error that flashes sometime…
The web hosting vendor says that the IP block I am in is currently unreliable and is switching me to a new address block.
Let’s see if that fixes the issue… will update as soon as that is done.
Thanks for the suggestions so far.

Sorry, but we are going here a bit in circles.

Of course, the request will get blocked, because you configured that block. Lift it and it will work.

As for the 522, I already addressed that in my previous replies.

Here’s a screen shot of the firewall log on Cloudflare showing my IP address as being allowed.
My web browser shows a 522 error page from CF and the diagnostic tool in CF shows a 403 error for SSL.


Ehm, I addressed both issues in my previous responses. Can you elaborate on what’s not clear?

I disabled the firewall in CF and that made NO difference.
My firewall rules are turned off right now and I get the same thing.

I have no blocking or firewall setup on the Origin Server…
.htaccess is “allow all”

My site is accessible EXCEPT through Cloudflare.

Still getting 522 errors in the browser and 403 errors in the CF diagnostics.


I am afraid that does not seem to be accurate. Now that you have disabled the Cloudflare firewall, the check actually passes.

I just turned off SSL to see if that would work. So your test passed, but the site is still not accessible via the domain name even as http (non encrypted)

I am sorry but you are really mixing things here.

  • Whatever SSL you disabled, enable that again
  • Make sure you are using Full strict
  • Disable all firewall rules

Post here once you have done that.

All right, as I mentioned hours ago :wink: with you not blocking non-US requests any more, it now works.

As for the 522 issue, that I also already addressed

I am not blocking anything anywhere now.
This is what I get in my browser:

Can we first agree that the 403 has been finally fixed?

The diag now shows all green checks. - but site is still not accessable through CF

Well, that was exactly what I mentioned hours ago :wink:

Just as I did with the 522 :wink: - the 522 happens for aforementioned reason because your server will be blocking certain addresses and you need to make sure the mentioned addresses are not blocked.

Virginia still works →