Random 520/525 Errors With Cloudflare Origin Cert


I have been getting random 520 and 525 errors on my site tips4gamers.com. I just noticed this a couple of days ago.

I contacted my host, SiteGround, and they have zero issues on their servers but have had many customers contacting them about the same issue.

  • I am using Cloudflare Origin Cert
  • I have Full (strict) enabled
  • I disabled the Always Online feature
  • Those errors go away if I delete the Cloudflare Origin CA and install SiteGround’s Let’s Encrypt.
  • SiteGround has confirmed they have Cloudflare IPs allowlisted
  • It’s completely random and does not happen all the time.
  • I have been using the Cloudflare Origin CA for a couple of years now with no issues like this.

I will click around in the WP Dashboard or the front end of my site and I will be slapped with a 520 (mainly) and sometimes a 525 error.

Since it seems to be common from what I am hearing, are there any issues with Cloudflare at the moment?

Below are the screenshots I took of the errors:

I’m very skeptical here.

You can try something like for i in {1..100}; do echo -n "Test $i: "; date; curl -sv https://example.com -o/dev/null --connect-to ::actual-server-ip --cacert FILENAME; done > curltest.txt 2>&1 to bypass Cloudflare and see if the problem still occurs.

Download the CA cert from here: Origin CA certificates · Cloudflare SSL/TLS docs
Then replace FILENAME with the path/name of the CA cert, example.com with your domain and actual-server-ip with the servers IP address.

Replace the 100 with whatever, depending on how often the error occurs. If it still happens when bypassing Cloudflare, the problem is definitely not with Cloudflare.

1 Like

I appreciate the feedback. There seems to be something wrong with that command since I am getting a ParserError in Line 1 - Missing opening '(' after keyword 'for'. and Variable reference is not valid. ':' was not followed by a valid variable name character. Consider using ${} to | delimit the name.

I think that is a Windows error. The command is posted is a Linux command.

curl is available for Windows though, so if you install it, you could probably try spamming the curl command a few times, the loop syntax will obviously not work.

curl -sv https://example.com --connect-to ::actual-server-ip --cacert FILENAME

Otherwise, you could tell me your server IP in a private message if you want and I could run the script for a test.

Gotcha, I have Fedora on my laptop, I’ll do it on that.

So I ran that curl command and what am I supposed to see that is wrong? Does it say refused to connect?

I am getting 301 - Moved Permanently, server information, content-length and type, location, and X-Default-Vhost.

It tried the server-ip and connected. It also says:

schannel: failed to open CA file 'cloudflare': The system cannot find the file specified.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with www.tips4gamers.com port 443
* Connecting to hostname: IP
*   Trying IP:80...
* Connected to (nil) (IP) port 80 (#1)
> GET / HTTP/1.1
> Host: origin
> User-Agent: curl/8.0.1
> Accept: */*

So I will have to get with my host to figure out the filename.

I appreciate the help! Also, I don’t think I can send PMs.

The filename is the name of the Origin CA you downloaded in the previous step that I linked. Either you’re not running the shell from the same location where the file is in, or you maybe named it incorrectly?

I didn’t name it. I have had the CF Origin cert for a couple of years. Since this issue, I have reinstalled it a few times.

I import the CA through SiteGround’s Site Tools and it says the name is cloudflare origin certificate

That is not the CA certificate. The CA cert can be downloaded from the page I linked. It is not the certificate that you use on your server, but the one used to authenticate the Origin Certificate.

Anyway, I’ve run the test and didn’t find any problems with 100 repetitions. I’m now trying again with a few more. How often do you encounter the problem when visiting your site? And is it on any page or on specific ones?

Thanks for that!

So it was completely random. I would just click to different tabs in the WP Dashboard or front end of the site and I would get the 520/525 error.

Now, the error is gone for some reason. I don’t know what changed but I cannot get it to error out. I was getting the same errors in Site Health in regards to the REST API and loopback request. There is this post - Error 520: Web Server Is Returning an Unknown Error (Siteground hosting) - #13 by Seasoned - that showed the same error.

epic.network said to allow the server IP in the WAF, which I completely forgot about. I updated it to the new server IP, and deleted the old ones, then the errors in Site Health went away.

Other than that, I cannot replicate the issues anymore.

Also, SiteGround’s system says it’s an invalid CABundle. Not sure why it would all of a sudden say that when it worked fine a couple of years ago. SiteGround required it before but now it’s not a requirement so I just left it out when importing the new cert.

Well, you don’t really need the CA certificate for anything, unless you are specifically trying to bypass Cloudflare while still using the Cloudflare Origin Certificate, like I did for this test.

I wouldn’t break my head over why Siteground required it before but marks it as invalid now. It really doesn’t matter in this case.

And if it’s working again now, I guess we’ll never find out the actual reason for the problem. I’m just very skeptical when on the same day, multiple Siteground users encounter the same problem, and no one else, but they still claim the problem is not with them.

I mean, it’s possible, but I’d rather test that to be sure than just trust the customer support when they blame someone else, because they (not specifically Siteground) always do that in my experience, even if they KNOW the problem is on their side.

1 Like

Oh okay, that makes sense.

Yep, it’s unfortunate that we will not find out. I hope it doesn’t happen again. I was skeptical too, especially after the support tech told me it was being reported quite a bit with other users. I was on the lookout for other posts from people other than SiteGround to no prevail.

I contacted SiteGround several times before coming here because I felt it was on their end. I still feel like it was on their end. They probably got such an influx of people that they escalated it to the sys admins and it was properly investigated.

I really appreciate your help and expertise. I’m going to mark your first reply as the solution.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.