SSL Handshake Failed 50% of the time

Answer these questions to help the Community help you with Security questions.

What is the domain name?
apps.ptgms.space / ptgms.space

Have you searched for an answer?
Yes, no help found.

Please share your search results url:
Community Tip - Fixing Error 525: SSL handshake failed - Tutorial - Cloudflare Community
Error code 525, ssl handshake failed code - Website, Application, Performance / Security - Cloudflare Community
… and more

When you tested your domain, what were the results?
For the last few days

Describe the issue you are having:
Occasionally I get an SSL Handshake Failed Error.

What error message or number are you receiving?
525

What steps have you taken to resolve the issue?

  1. I tried changing between security options to no avail
  2. I tried setting Always Use HTTPS on/off numerous times.
  3. Tried using an Origin Certificate rather than Let's Encrypt.
  4. Development Mode does not work
  5. Selecting Security Option Flexible results in an Unknown Host Error. In my server logs there are no errors and no trace of a connection - even with debug outputs.

Was the site working with SSL prior to adding it to Cloudflare?
I moved my server recently, it was always on Cloudflare and worked fine. Now it doesn't.
It works flawlessly when I pause Cloudflare, but I need it on.

What are the steps to reproduce the error:

  1. Visit one of the sites
  2. Refresh a few times
  3. Profit

Have you tried from another browser and/or incognito mode?
Yes, same result.


Would greatly appreciate help because frankly, I am at a loss :frowning:

Thank you!

Could you check whether you have a Web Application Firewall (or similar security software/feature) at your origin server which might inadvertently be blocking/dropping connections from Cloudflare IPs? You might want to add the CF-RAY header to your logs if you haven’t done so. You can then correlate the CF-Ray response header seen by the client/browser to the CF-Ray request header your origin server was seeing.

If this is the case, the connection dropping might explain the different 5xx Errors seen. If your origin server/network dropped the connection before the TCP handshake completed, it may surface as a 522 Error. Meanwhile, if the connection dropped before the SSL handshake is completed, it will surface as a sporadic/intermittent 525/526 Error. If the connection dropped after we sent our HTTP request, it might surface as a 520 Error. And, if it happens after your server sent HTTP headers and some content, it could be seen as Error 524.

Because Cloudflare operates as a reverse proxy the IP address your server will see is one of a limited number of Cloudflare IPs. In that sense, many actual visitors may all come from the same IP address, which can cause firewalls or security software that is not appropriately allow-listing the Cloudflare IP ranges to block this traffic as it may see it as excessive or malicious. We publish a full list of our IP ranges here so that you can allow-list:

https://www.cloudflare.com/ips

I would make sure that your hosting provider confirms that the Cloudflare IP ranges listed in the URL above are fully allow-listed in any security software, firewall etc. to ensure there is no rate limiting or blocking of our edge servers. This should ensure that Cloudflare can consistently make a connection to your origin server to retrieve content and serve it to your visitors.

Cloudflare is a reverse proxy, so when someone visits your website while you’re using Cloudflare the visitors would appear to be coming from our IP addresses. You can resolve this by using the cf-connecting-ip HTTP Request headers we send along to be used on your security software.

I hope you find this helpful and that it helps you find whatever is blocking Cloudflare’s requests and resolve the issue. Here’s a similar example from Cloudflare Community: https://community.cloudflare.com/t/intermittent-525-ssl/275060/33

2 Likes
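The correlation the reply recommends, comparing the CF-RAY values the browser saw against the CF-RAY request headers the origin logged and checking that every proxied request arrived from an allow-listed Cloudflare address, written out as an added Python example. It is not code from this thread or from Cloudflare: the log line format, the `cf_ray=`/`cf_connecting_ip=` fields appended to it, the log lines and ray IDs, and the IP ranges (RFC 5737 documentation prefixes standing in for the real list at https://www.cloudflare.com/ips) are all constructed assumptions.

```python
import ipaddress
import re

# Placeholder ranges (RFC 5737 documentation prefixes). In production, load the
# real list from https://www.cloudflare.com/ips instead of hard-coding anything.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed origin access-log lines: a common-log-style prefix followed by the
# CF-RAY and CF-Connecting-IP request headers, written as cf_ray=... cf_connecting_ip=...
ORIGIN_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 cf_ray=7a1b2c3d4e5f0001-FRA cf_connecting_ip=192.0.2.10
203.0.113.9 - - [10/Jan/2024:10:00:02 +0000] "GET /app HTTP/1.1" 200 1024 cf_ray=7a1b2c3d4e5f0002-FRA cf_connecting_ip=192.0.2.11
192.0.2.50 - - [10/Jan/2024:10:00:03 +0000] "GET /app HTTP/1.1" 200 1024 cf_ray=- cf_connecting_ip=-
"""

# Constructed list of CF-RAY response headers collected in the browser, including
# the requests that ended in a 525 page (Cloudflare still returns a ray ID for those).
CLIENT_RAYS = [
    "7a1b2c3d4e5f0001-FRA",
    "7a1b2c3d4e5f0002-FRA",
    "7a1b2c3d4e5f0003-FRA",
    "7a1b2c3d4e5f0004-FRA",
]

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'cf_ray=(?P<ray>\S+) cf_connecting_ip=(?P<cip>\S+)$'
)


def parse_origin_log(text):
    """Parse the constructed log format into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_cloudflare_ip(ip):
    """True when the source address falls inside one of the allow-listed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def missing_rays(client_rays, entries):
    """Rays the browser saw but the origin never logged. Those requests were dropped
    somewhere in front of the web server (e.g. a firewall cutting the TLS handshake),
    which is exactly the pattern behind intermittent 522/525 errors."""
    seen = {e["ray"] for e in entries}
    return [r for r in client_rays if r not in seen]


def non_cloudflare_sources(entries):
    """Requests whose source IP is outside the allow-list: direct hits that bypassed
    the proxy, or a sign the allow-list is incomplete."""
    return [e["src"] for e in entries if not is_cloudflare_ip(e["src"])]


def real_client_ip(entry):
    """Trust CF-Connecting-IP only when the request actually came from a Cloudflare
    edge; a direct connection could set that header to anything."""
    if is_cloudflare_ip(entry["src"]) and entry["cip"] != "-":
        return entry["cip"]
    return entry["src"]


if __name__ == "__main__":
    entries = parse_origin_log(ORIGIN_LOG)
    print("rays never seen at origin:", missing_rays(CLIENT_RAYS, entries))
    print("sources outside allow-list:", non_cloudflare_sources(entries))
    for e in entries:
        print(e["ray"], "client:", real_client_ip(e))
```

For this to work on a real origin the two headers have to be logged first; in nginx the request headers are available to a `log_format` as `$http_cf_ray` and `$http_cf_connecting_ip`, and the realip module (`set_real_ip_from` for each Cloudflare range plus `real_ip_header CF-Connecting-IP;`) does the same source-IP check as `real_client_ip` above before the address reaches your security software. A ray that appears in the browser but never in the origin log is the strongest evidence that something between Cloudflare and the web server, not the web server itself, is dropping the connection.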

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.