Requests to Let's Encrypt ACME server failed with 525 Origin SSL Handshake Error

Hi.

I am writing a Worker script that automates the process of ordering new certificates from Let's Encrypt via its ACME API and completing the DNS challenges.

At first, the script requests https://acme-staging-v02.api.letsencrypt.org/directory to get a list of sub-service endpoints. The code can be simplified as:

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

/**
 * Respond to the request
 * @param {Request} request
 */
async function handleRequest(request) {
  const r = await fetch('https://acme-staging-v02.api.letsencrypt.org/directory')
  return new Response(await r.text(), {headers: r.headers})
}

In the preview of the online editor (https://dash.cloudflare.com/{ACCOUNT_ID}/workers/edit/{WORKER-NAME}) or wrangler preview, it works as expected and returns a valid JSON. curl https://acme-staging-v02.api.letsencrypt.org/directory locally also returns valid output. But after being deployed (now at https://red-surf-5c99.bamboo.workers.dev/) directly, it returns with an error 525 Origin SSL Handshake Error (i.e. Fetching the ACME API fails).

I did read the suggestions given by the community tip about the 525 error. But it does not apply well in my case. The ACME API is out of my control and I have no way to diagnose the problem. Could it be some restriction by Workers or by the ACME API of Let's Encrypt itself? Are there any workarounds or specific options I can or need to tune?
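As an added example (not code from the original post or from Cloudflare), here is a variant of the handler above that treats the ACME directory fetch as a checked step rather than forwarding the upstream status, headers and body verbatim: it distinguishes a network failure, a non-2xx status (a 525 is produced by the proxy layer, not by Let's Encrypt, so the status and any `cf-ray` header are the useful facts for a support ticket), a body that is not JSON, and a directory that lacks the resource names RFC 8555 requires. The fetch function is injectable so the logic can be exercised offline; `loadAcmeDirectory`, `REQUIRED_DIRECTORY_KEYS` and the result shape are assumptions of this example.

```javascript
// Added example, not the original poster's code. Worker-style handler that
// fetches the Let's Encrypt staging directory and surfaces failures as
// structured diagnostics instead of echoing the upstream response.

const ACME_DIRECTORY_URL = 'https://acme-staging-v02.api.letsencrypt.org/directory';

// Resource names every ACME directory must advertise (RFC 8555 section 7.1.1).
const REQUIRED_DIRECTORY_KEYS = ['newNonce', 'newAccount', 'newOrder'];

// Fetch and validate the directory. `fetchImpl` defaults to the platform
// fetch but can be replaced (e.g. with a constructed response) for testing.
async function loadAcmeDirectory(fetchImpl = fetch, url = ACME_DIRECTORY_URL) {
  let r;
  try {
    r = await fetchImpl(url, { headers: { accept: 'application/json' } });
  } catch (err) {
    // DNS, TLS or connection failure before any HTTP status was received.
    return { ok: false, stage: 'network', detail: String(err) };
  }

  if (!r.ok) {
    // A 5xx here (525 included) came back through the proxy; record the
    // status and the edge request id, but do not forward the upstream body.
    return { ok: false, stage: 'http', status: r.status, ray: r.headers.get('cf-ray') };
  }

  let dir;
  try {
    dir = await r.json();
  } catch (err) {
    return { ok: false, stage: 'parse', detail: String(err) };
  }

  // Every required entry must be a URL string; anything else is not a usable directory.
  const missing = REQUIRED_DIRECTORY_KEYS.filter(k => typeof dir[k] !== 'string');
  if (missing.length > 0) {
    return { ok: false, stage: 'schema', missing };
  }
  return { ok: true, directory: dir };
}

// Map the diagnostic to a response of our own rather than reusing upstream headers.
async function handleRequest(request, fetchImpl = fetch) {
  const result = await loadAcmeDirectory(fetchImpl);
  return new Response(JSON.stringify(result), {
    status: result.ok ? 200 : 502,
    headers: { 'content-type': 'application/json' },
  });
}

// Only register the event listener when running inside a Workers runtime.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', event => {
    event.respondWith(handleRequest(event.request));
  });
}
```

Returning a 502 with the diagnostic object keeps the caller from mistaking an edge-generated 525 for a response from the ACME server, and the `stage` field tells you whether to look at connectivity, the proxy, or the server's output.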

Hi there,

Can you try redeploying your worker? If this doesn’t help, I’d recommend contacting Cloudflare Support in order to troubleshoot this issue.

Best

Hi, TKlein. Thanks for your advice. I just attempted to re-deploy it multiple times and created new workers. But the problem still persists. I am opening a support ticket. :slight_smile:

1 Like

Hmm, I had this issue yesterday when I needed to move a domain to SSL. I really couldn’t find a solution to the 525 issue, then after toggling the “orange icon” a few times, it just started working :man_shrugging:

What do you mean by “toggling the orange icon” @thomas4 ?

My issue: Fetch from AWS API Gateway fails from worker with Error 525 revealing the origin URL in error page - #8 by sebastienlorber

On the DNS tab, disable the orange cloud on your origin, wait at least 1 minute, then enable it again.

In my case, it could have been an invalid Let’s Encrypt SSL setting that caused the issue. Keep in mind that if you issue such certificates via http and then put Cloudflare in front, it might not be able to renew because the http endpoint could be redirected to https.

1 Like