SSL handshake failed 525

I use Ubuntu 18.04 with NGINX configuration and try to SSL. I created the cloudflare certificate and use it in my nginx config.

server {
    listen 80;
    server_name easydonate.ru;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/certs/key.pem;

    root /var/www/easydonate.ru;
    index index.php;
    charset utf-8;
    server_name easydonate.ru www.easydonate.ru;

    location / {
        rewrite ^/.*$ /index.php last;
    }

    location ~ ^/index.php {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }

    location ~ ^/favicon\.ico { try_files $uri /index.php; }
    location ~ ^/sitemap\.xml { try_files $uri /index.php; }
    location ~ ^/robots\.txt { try_files $uri /index.php; }
    location ~ ^/humans\.txt { try_files $uri /index.php; }

    location ~ ^/storage/app/uploads/public { try_files $uri 404; }
    location ~ ^/storage/app/media { try_files $uri 404; }
    location ~ ^/storage/temp/public { try_files $uri 404; }

    location ~ ^/modules/.*/assets { try_files $uri 404; }
    location ~ ^/modules/.*/resources { try_files $uri 404; }
    location ~ ^/modules/.*/behaviors/.*/assets { try_files $uri 404; }
    location ~ ^/modules/.*/behaviors/.*/resources { try_files $uri 404; }
    location ~ ^/modules/.*/widgets/.*/assets { try_files $uri 404; }
    location ~ ^/modules/.*/widgets/.*/resources { try_files $uri 404; }
    location ~ ^/modules/.*/formwidgets/.*/assets { try_files $uri 404; }
    location ~ ^/modules/.*/formwidgets/.*/resources { try_files $uri 404; }
    location ~ ^/modules/.*/reportwidgets/.*/assets { try_files $uri 404; }
    location ~ ^/modules/.*/reportwidgets/.*/resources { try_files $uri 404; }

    location ~ ^/plugins/.*/.*/assets { try_files $uri 404; }
    location ~ ^/plugins/.*/.*/resources { try_files $uri 404; }
    location ~ ^/plugins/.*/.*/behaviors/.*/assets { try_files $uri 404; }
    location ~ ^/plugins/.*/.*/behaviors/.*/resources { try_files $uri 404; }
    location ~ ^/plugins/.*/.*/reportwidgets/.*/assets { try_files $uri 404; }
    location ~ ^/plugins/.*/.*/reportwidgets/.*/resources { try_files $uri 404; }
    location ~ ^/plugins/.*/.*/formwidgets/.*/assets { try_files $uri 404; }
    location ~ ^/plugins/.*/.*/formwidgets/.*/resources { try_files $uri 404; }
    location ~ ^/plugins/.*/.*/widgets/.*/assets { try_files $uri 404; }
    location ~ ^/plugins/.*/.*/widgets/.*/resources { try_files $uri 404; }

    location ~ ^/themes/.*/assets { try_files $uri 404; }
    location ~ ^/themes/.*/resources { try_files $uri 404; }
    location ~ ^/.well-known/acme-challenge { try_files $uri 404; }
}

After I go to http://easydonate.ru, I get 525 error. But after reloading page starts successful. After 3-5 minutes I get the same error which solves itself after reloading page again…

How can I solve this problem?

Your server does not respond with a valid SSL Cert.
Note that this is NOT a CloudFlare problem, therefore you normally should search in an NGINX Forum. But let me try to help:

Also: you are NOT using CloudFlare as a Proxy (:orange:) between your origin Server and the Client.
You are just using it as DNS only (:grey:), which means CloudFlare has no effect on your website, so I would ask you to search somewhere else for the solution (NGINX Forum) as this is not related to CloudFlare at all.

#SOLUTION: set easydonate.ru and www.easydonate.ru to :orange: as you are using a CloudFlare-Origin Certificate, which does NOT WORK without the domain being proxied through CloudFlare.

See: https://www.ssllabs.com/ssltest/analyze.html?d=easydonate.ru&hideResults=on


My DNS only dns record uses Proxy

I disabled Proxy to check if Let’s Encrypt certificate enabled.

Now I created the WildCard SSL certificate with the help of certbot-cloudflare for Ubuntu 18.04 but still have the same problem:

Now I have the SSL certificate:

What are your SSL settings?
Flexible?
Full?
Full (Strict)?

If you see a 525 Error please first read here ==> Community Tip - Fixing Error 525: SSL handshake failed

This is definitely an incorrectly set up SSL Cert.

Yes, in front of CloudFlare but not behind. Everything after CloudFlare to your origin Server is not set up correctly.

I use Full SSL setting

Ok. Here you can read how exactly you can set up Let's Encrypt SSL Certs on the server side:

But anyway this behaviour is very strange. I can confirm that the first request is hitting a 525 Error and after a hard reload it works.
Maybe you should open a support ticket for this.

You tell me simple ways of creating an SSL certificate and using it in the nginx config. I already did this and now have my own Let's Encrypt certificate (not Cloudflare's).
My problem is that I cannot even use the certificate generated by CloudFlare, let alone my own certificate from Let's Encrypt. Either way I get the 525 error…

About this tip… I don't know how to check if my origin server is properly configured for SNI, or whether "the cipher suites that Cloudflare accepts and the cipher suites that the origin server supports do not match".

Maybe you can help me?

I checked nginx for supporting SNI:
nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled

And cipher:
[email protected]:~# openssl s_client -servername easydonate.ru -tlsextdebug -connect easydonate.ru:443 | grep 'TLS'
TLS server extension "key share" (id=51), len=36
TLS server extension "supported versions" (id=43), len=2
TLS server extension "server name" (id=0), len=0
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = *.easydonate.ru
verify return:1
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
TLS session ticket lifetime hint: 64800 (seconds)
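The output above already answers the two questions from the Community Tip, but it is easy to misread. The following script is an added example (not from the thread, not from Cloudflare or nginx) that parses `openssl s_client -tlsextdebug` output into a small report: an empty `server name (id=0)` extension echoed by the server means the origin honoured the SNI name, the `depth=N` / `verify return:1` pairs are the chain as the client verified it, and `Protocol`/`Cipher` are what was negotiated. The sample text is a constructed copy of the poster's own output; `probe_origin` and `probe_repeatedly` are hypothetical helper names that do the same check live with Python's `ssl` module, directly against the origin so the proxy is out of the picture, and repeat it to make an intermittent failure visible.

```python
"""Added example: evaluate an origin's TLS handshake for SNI and cipher negotiation."""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the lines the poster got from
#   openssl s_client -servername easydonate.ru -tlsextdebug -connect easydonate.ru:443
# in OpenSSL 1.1.1 format. The forum rendering turned the double quotes into curly
# ones, so the extension regex below accepts both styles.
SAMPLE_OUTPUT = """\
TLS server extension "key share" (id=51), len=36
TLS server extension "supported versions" (id=43), len=2
TLS server extension "server name" (id=0), len=0
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.easydonate.ru
verify return:1
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
TLS session ticket lifetime hint: 64800 (seconds)
"""

EXT_RE = re.compile(r'TLS server extension [“"]([^”"]+)[”"] \(id=(\d+)\), len=(\d+)')
DEPTH_RE = re.compile(r"^depth=(\d+) (.+)$", re.M)
VERIFY_RE = re.compile(r"^verify return:(\d+)$", re.M)


@dataclass
class HandshakeReport:
    server_extensions: Dict[str, int]  # extension name -> IANA id, as echoed by the server
    sni_acknowledged: bool             # server echoed server_name (id=0): it used our SNI
    protocol: str
    cipher: str
    chain: List[str]                   # subjects from leaf (depth 0) up to the root
    chain_verified: bool               # every "verify return" line was 1


def parse_s_client(output: str) -> HandshakeReport:
    """Turn `openssl s_client -tlsextdebug` output into a HandshakeReport."""
    exts = {name: int(ext_id) for name, ext_id, _ in EXT_RE.findall(output)}
    # A server that honoured the ClientHello's server_name echoes an empty
    # server_name extension back; no such line means the SNI name was ignored.
    sni_ok = 0 in exts.values()
    proto = re.search(r"^Protocol\s*:\s*(\S+)", output, re.M)
    ciph = re.search(r"^Cipher\s*:\s*(\S+)", output, re.M)
    depths = {int(d): subject for d, subject in DEPTH_RE.findall(output)}
    chain = [depths[d] for d in sorted(depths)]
    verify_codes = VERIFY_RE.findall(output)
    verified = bool(verify_codes) and all(code == "1" for code in verify_codes)
    return HandshakeReport(
        server_extensions=exts,
        sni_acknowledged=sni_ok,
        protocol=proto.group(1) if proto else "",
        cipher=ciph.group(1) if ciph else "",
        chain=chain,
        chain_verified=verified,
    )


def probe_origin(host: str, port: int = 443, server_name: Optional[str] = None,
                 timeout: float = 5.0) -> dict:
    """Hypothetical helper: handshake directly with the origin (bypassing any proxy),
    sending server_name as SNI and verifying chain and hostname against the system
    trust store. A failure raises ssl.SSLError, which is the same class of problem a
    proxy in Full (Strict) mode reports as a handshake failure."""
    server_name = server_name or host
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(pair[0] for pair in cert["subject"]),
                "sans": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
            }


def probe_repeatedly(host: str, attempts: int = 10, **kw) -> List[str]:
    """Hypothetical helper: an intermittent 525 looks like an occasional failed
    handshake, so repeat the probe and collect the error text of each failure."""
    errors = []
    for _ in range(attempts):
        try:
            probe_origin(host, **kw)
        except (OSError, ssl.SSLError) as exc:
            errors.append(repr(exc))
    return errors


if __name__ == "__main__":
    report = parse_s_client(SAMPLE_OUTPUT)
    print(f"SNI acknowledged: {report.sni_acknowledged}; negotiated {report.protocol} "
          f"{report.cipher}; chain verified: {report.chain_verified}")
    for subject in report.chain:
        print("   ", subject)
```

Run against the poster's output this reports SNI acknowledged, TLSv1.3 with TLS_AES_256_GCM_SHA384, and a verified three-certificate chain, so the origin itself passes both checks; `probe_repeatedly("origin.example", 20)` (placeholder host) is the way to see whether the origin, rather than the path in front of it, fails on some attempts.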

Well, while I was inspecting your site you changed settings.
Before, the problem was: having a CloudFlare-Origin Certificate without proxying through CloudFlare, which will not work.

Now you set up a LetsEncrypt SSL and again turned on :orange: which changed the situation.

I would recommend you to open a Support-Ticket here at CloudFlare and post the #Ticket ID here in the thread.

This behaviour is very inconsistent. I can reproduce the same error on my side. But from here I can not solve it. Hope you understand this.

One last possible thing I could imagine why the site works again after a reload is the "Always Online" setting. Is this turned on?

If this does not work, try to set the "SSL Mode" to "Flexible" or "Off" and then switch again to "Full" or "Full (Strict)", as some people over HERE stated it worked for them.
But I can not help you here, sorry. If all this does not work, create a Ticket and let the support look into it.

No, Always Online mode is off.

SSL Mode changed, but "Flexible" and "Off" give me "ERR_TOO_MANY_REDIRECTS". Thanks for your help, I will create a ticket.

One last thing: is there any Firewall configured on the server side? If yes, you should whitelist all CloudFlare IPs, as this could also cause the connection to be aborted.

But all these recommendations are just simple guesses as I can not see any log/problem. Maybe better stick with the support and as soon as you have a ticket number post it here.

Firewall is disabled on my server

[email protected]:~# sudo ufw status
Status: inactive

Ticket id: #2033791
