Site stopped working on full/strict setting but works on flexible

Get error 525 all of the sudden and site is down.
Hostinger isn't very helpful (hey, here is a free Cloudflare partial setup). DNSSEC has been enabled for a year without issues. Restored a backup a while back but no issues then, and I haven't made any changes to the site. Added the JS Guardian app on Cloudflare and removed it again, but that's about it.
tcckonsult.com

525 means your SSL certificate is no longer valid for some reason. Try to renew, or cancel it and issue a new one, at your origin. Perhaps your free (Let’s Encrypt etc) certificate has expired.

A 525 error is typically caused by a configuration issue in the origin web server when its SSL certificate is not properly set up. Review the suggestions in this Community Tip for advice & insight.

I saw a valid cert here.

I just got a new certificate on Hostinger, but it still doesn't work when turning on Full/Strict. Does it mess up due to DNSSEC? I assume DNSSEC is using the old certificate for the DS and the rest of the setup? https://dnssec-analyzer.verisignlabs.com/tcckonsult.com shows it working, hmm…

DNSSEC is a way to lock your Name Servers here to what’s listed at the registrar. It has no impact on SSL/TLS.

1 Like

OK, according to Hostinger: "Perhaps you could use only our SSL without Cloudflare's, as at the moment it seems like CF SSL is causing your issue."

So I should revoke the Cloudflare certificate and get a new one?

“Yes, you should disable the Universal SSL on Cloudflare, although you would most likely need to use Flexible settings.”
Really?

Are you sure? It looks like your Let’s Encrypt cert expired on the 17th. The only certs currently valid for your domain are the Cloudflare Certs.

As a temporary fix, change from Full (Strict) to Full, which will allow the invalid cert to work until the LE cert issue is resolved.

2 Likes
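The advice above hinges on what each Cloudflare SSL/TLS mode demands of the origin certificate: Flexible never opens TLS to the origin, Full opens TLS but accepts any certificate (expired or self-signed included), and Full (strict) requires a certificate that verifies. The following Python script is an added example, not code from the thread or from Cloudflare, that reproduces the check the reply describes: it probes the origin directly (you must supply the origin IP, because a proxied hostname resolves to Cloudflare's edge and its always-valid edge certificate) and reports which modes would succeed. The function and parameter names are the author's own.

```python
"""Diagnose which Cloudflare SSL/TLS mode an origin certificate would satisfy.

Added example (not from the thread).  Modes, as the thread describes them:
  Flexible      - Cloudflare talks plain HTTP to the origin (no cert needed)
  Full          - Cloudflare uses TLS but accepts any cert (expired, self-signed)
  Full (strict) - the origin cert must be trusted, unexpired and match the host
"""
import socket
import ssl
import sys


def probe_origin(host, origin_ip=None, port=443, timeout=10):
    """Connect straight to the origin and return (strict_ok, handshake_ok, detail).

    `host` is the site name used for SNI and hostname verification; `origin_ip`
    (if given) is where the TCP connection actually goes, so the probe bypasses
    Cloudflare's proxy instead of testing Cloudflare's own edge certificate.
    """
    target = origin_ip or host

    # Pass 1: full verification, i.e. what Full (strict) requires.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((target, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, True, "valid until " + cert.get("notAfter", "?")
    except ssl.SSLCertVerificationError as e:
        detail = e.verify_message  # e.g. "certificate has expired"
    except (OSError, ssl.SSLError) as e:
        return False, False, "no TLS handshake: " + str(e)

    # Pass 2: no verification, i.e. what Full requires (a completed handshake).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((target, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return False, True, detail
    except (OSError, ssl.SSLError) as e:
        return False, False, "no TLS handshake: " + str(e)


def modes_that_work(strict_ok, handshake_ok):
    """Map probe results to the modes in which Cloudflare can reach the origin."""
    return {
        "flexible": True,          # origin contacted over plain HTTP; cert irrelevant
        "full": handshake_ok,      # any certificate, as long as TLS completes
        "full_strict": strict_ok,  # certificate must verify (trusted, unexpired, matching)
    }


if __name__ == "__main__":
    # Usage: python origin_tls_check.py example.com [origin-ip]
    site = sys.argv[1]
    ip = sys.argv[2] if len(sys.argv) > 2 else None
    strict, handshake, why = probe_origin(site, ip)
    print("origin certificate:", why)
    for mode, ok in modes_that_work(strict, handshake).items():
        print(f"  {mode:<12} {'works' if ok else 'FAILS'}")
```

An expired Let's Encrypt certificate, as in this thread, yields `full_strict: FAILS` with the detail "certificate has expired" while `full` still works, which is exactly why dropping to Full is a workable stopgap; the Flexible row being always true is also its weakness, since origin traffic then travels unencrypted.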

Thanks. Contacted support again; it does seem like it did not get activated: “Couldn’t enable Let’s Encrypt SSL - Acme challenge failed”. I also get a lot of redirect errors on the page which are new… The site is only working on the Flexible setting, and then there are images broken due to the redirect errors.

edit:
OK, found some issues and fixed them: Let's Encrypt got stopped by the Cloudflare firewall (geoIP rules), and removing and re-adding my image redirects fixed the redirect errors.
I have only this weird script left that gives errors (asked about it in a different thread).


<script type="text/javascript">(function(){window['__CF$cv$params']={r:'5f5108479b04d13f',m:'6da06dc48b7d46d3eaa500567ad7b56aaf94e649-1605863368-1800-AazdZrzymdCNY8rarBNZxwTi9aCX0LlubTyKLmR8O3h5hegNei+oY/u5ZFYhcx1RxQLtwYPRWMZGb5pMdGKBOVLUmE2TcCamRL39xrKFC4lGCrokQ/QIaHsr9x5x+ZYZ+w==',s:[0x6bc20c61e2,0xc1dded2b09],}})();</script>

When trying to fix the firewall issues I hit the rate limit on Let's Encrypt, so I have to wait a week to try again; hopefully it works then.
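The root cause found above is worth spelling out: a Let's Encrypt HTTP-01 challenge is an inbound request from the CA to `/.well-known/acme-challenge/<token>`, and Let's Encrypt may validate from several network locations, so a country-based block at the Cloudflare firewall can stop issuance and, after repeated failures, trip the CA's rate limits. The fragment below is an added example of how to exempt that path, written in Cloudflare's firewall rules expression language; the rule names, the ordering (the Allow must be evaluated before the Block) and the country codes are the author's assumptions, not settings from the thread.

```text
Rule 1 "Allow ACME challenges"  (action: Allow, placed above the geo rule):
  (http.request.uri.path starts_with "/.well-known/acme-challenge/")

Rule 2 "GeoIP block"  (action: Block, the existing rule; "XX" "YY" are placeholders):
  (ip.geoip.country in {"XX" "YY"})
```

Because the Allow only covers the challenge directory, the geo block keeps protecting the rest of the site, and the exemption can be checked in the firewall event log: a validation attempt should show up as allowed by Rule 1 rather than blocked by Rule 2.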

Regarding that script, it doesn’t look familiar. Do you have any Apps from the Cloudflare Dashboard’s “Apps” section installed on your site?

I had the JS Guardian app installed but removed it. I had a look at CSP and the Cloudflare article (https://support.cloudflare.com/hc/en-us/articles/216537517-Using-Content-Security-Policy-CSP-with-Cloudflare) and also removed everything under Scrape Shield.

The only other thread that mentions this hints that maybe Bot Fight Mode or Bot Management is enabled.
Bot Fight Mode is in Firewall -> Settings (upper right corner)
Bot Management is in Firewall -> Tools (Paid Plans only)

Thanks, I'm on the free plan. I turned off Bot Fight Mode and set the security level to medium, but no change. It does go away after several reloads of the page for some reason.

Then does it come back? If so, then I’m out of ideas and you should probably open up a new support ticket.

Yeah, after clearing the cache or changing to another browser it comes back.
I will open a support ticket, thanks again.

1 Like