Requests to Lets Encrypt ACME server failed with 525 Origin SSL Handshake Error


I am writing a Worker script that automates the process of ordering new certificates from Lets Encrypt via its ACME API and completing the DNS challenges.

At first, the script requests to get a list of sub-service endpoints. The code can be simplified as:

addEventListener('fetch', event => {

 * Respond to the request
 * @param {Request} request
async function handleRequest(request) {
  const r = await fetch('')
  return new Response(await r.text(), {headers: r.headers})

In the preview of the online editor ({ACCOUNT_ID}/workers/edit/{WORKER-NAME}) or wrangler preview, it works as expected and returns a valid JSON. curl locally also returns valid output. But after being deployed (now at directly, it returns with an error 525 Origin SSL Handshake Error (i.e. Fetching the ACME API fails).

I did read the suggestions given by the community tip about the 525 error. But it does not apply well in my case. The ACME API is out of my control and I have no way to diagnose the problem. Could it be some restrictions by Workers or the ACME API of Lets Encrypt itself? Are there any workarounds or specific options I can/need tune?

Hi there,

Can you try redeploying your worker? If this doesn’t help, I’d recommend contacting Cloudflare Support in order to troubleshoot this issue.


Hi, TKlein. Thanks for your advice. I just attempted to re-deploy it multiple times and created new workers. But the problem still persists. I am opening a support ticket. :slight_smile:

1 Like

Hmm, I had this issue yesterday when I need to move a domain to SSL. I really couldn’t find a solution to the 525 issue, then after toggling the “orange icon” a few time, it just started working :man_shrugging:

What do you mean by “toggling the orange icon” @thomas4 ?

My issue: Fetch from AWS API Gateway fails from worker with Error 525 revealing the origin URL in error page - #8 by sebastienlorber

On the DNS tab, disable the orange cloud on your origin, wait at least 1 minute, then enable it again.

In my case, it could have been an invalid Let’s Encrypt SSL setting that caused the issue. Keep in mind that if you issue such certificates via http and then put Cloudflare in front, it might not be able to renew because the http endpoint could be redirected to https.

1 Like