SSL error 520

I have a site that I have migrated to a pi 4/Debian on Virgin media. It is set for flexible SSL and 2 SSLcheckers validate the certificate as valid and grade B (see below) It is proxied by CF.

strong text on my VM router I have ports 80&443 open. Doing an external port scan, it shows 443 as closed. I believe VM are doing some kind of DNS filtering/port blocking.

Now it is my understanding that a flexible CF SSL cert operates between a user browser and CF only, and that it is only my connection between my site and CF operates on port 80.

Is this understanding correct?

If I am correct
why would I get Error 520

Ray ID: 61c5d547bd66064c • 2021-02-04 16:40:23 UTC

strong textand the site doesnt load.

If I remove the flex SSL and proxy, it works,

All help appreciated, I use to have a good head of hair

### resolves to
### Server Type: cloudflare
### The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).

The certificate will expire in 173 days. Remind me|
||### The hostname ( is correctly listed in the certificate.|

\ 128x128 Common name:
SANs: *,,
Organization: Cloudflare, Inc.
Location: San Francisco, CA, US
Valid from July 27, 2020 to July 28, 2021
Serial Number: 0ffbc299b6eb20f6c819dccbff6f62b2
Signature Algorithm: ecdsa-with-SHA256
Issuer: Cloudflare Inc ECC CA-3
\ 48x48
\ 128x128 Common name: Cloudflare Inc ECC CA-3
Organization: Cloudflare, Inc.
Location: US
Valid from January 27, 2020 to December 31, 2024
Serial Number: 0a3787645e5fb48c224efd1bed140c3c
Signature Algorithm: sha256WithRSAEncryption
Issuer: Baltimore CyberTrust Root

Then that’s the problem. Your server needs to be working fine with a valid certificate before even considering Cloudflare.

That’s also a problem. With Flexible you have an insecure setting with no encryption whatsoever. It should be “Full strict”.

I have tried many times to get certbot to engage with apache, but it also fails with http and dns challenges. I presume this is port 443 issue, not withstanding both ports 80 443 are open/ port forwarded on my router. Also ports are enabled with ufw on the internal address.

The pictogram on cf suggests ssl encryption between the user browser and the cf certificate should work and this certificate is valid according to the qualys ssl checker.

Im not to concerned about lack of encryption between between my website and CF. The only item which could be intercepted is 1 set of logon creds and 2fa is in place.

So the question i need clarifying does my website need to be available on 443, as the only connection is between site and CF?

I thought the idea behind flex ssl was to mask the lack of a genuine cert, which will require port 443.

Thanks for reply

Then you should switch it to Off and disable it altogether.

You can also get an Origin certificate issued instead.

The problem with an origin certificate, is that it will not work because port 443 is blocked by my isp, I suspect with DNS filtering.

From CF docs at CF support they say

“The Flexible SSL option allows a secure HTTPS connection between your visitor and Cloudflare, but forces Cloudflare to connect to your origin web server over unencrypted HTTP. An SSL certificate is not required on your origin web server and your visitors will still see the site as being HTTPS enabled.”

My unencrypted port 80 is live, only if I disable the CF flex SSL and the CF proxy

In effect I am answering my own question, but i was hoping somebody could respond to the CF 520 error.

Again thanks for the response, but in this particular instance full or full strict or Origin Cert will not work.

Then I’d highly suggest you get some proper hosting. You should not deceive your visitors and pretend to have a secure site when you don’t and Flexible is not secure per definition.

That’s not a very helpful reply.
I have been very polite, but don’t take umbrage, if the answers you give are not correct.
I don’t want to pay for “proper” hosting or an A+ certificate. CF has a flexible SSL solution, which should enable me to give my site a “virtual” SSL certificate. Which should enable my site to fall within google guidelines for decent SEO.

As for your suggestion I want to deceive visitors and pretend is just ridiculous.

As for being an MVP, i am not, however, I have spent 40 years as a professional IT consultant in networking and Cyber Security. I have a good understanding of SSL/TLS including the handshaking and encryption protocols. None of which is the issue here.

Visitors to this website cannot buy anything, cannot register, so there is nothing to be intercepted. I just want the flexible SSL cert to work with my website.

If anybody can help with the 520 error detailed above it will be appreciated.

Can you check to see if any of the HTTPS ports in this article are open through your ISP?

Another option would be to use Argo Tunnel to securely connect your Pi to Cloudflare.

The answer was absolutely correct. You cannot have a secure connection if you are not on Full Strict.

If you do not want SSL switch to Off, everything else is just lying to your visitors.

Hi sdayman

that looks like it will work, but this site is for my brother and right now his former business is in double jeopardy, Both Brexit and COVID jas reduced his income to zero. Money is tight. The Argo tunnel is chargeable. hence sticking it on the pi.

I could move it back to where it was and enable letsencrypt.

Cheers for the reply

Perhaps you should point this out to Cloudflare, they offer this useful service. Ask them why they are participating in a deception scheme for millions of users.

And you think there haven’t been such discussions?


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.