Why I cannot use SSL full (strict) model

I have an SSL certificate on my VPS. I can use the SSL flexible model on Cloudflare, but when I use the full (strict) model, it shows a 521 error.
What should I do now?


You need to install an Origin certificate on your server. Go to https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/origin and create an origin certificate. For the algorithm, I would suggest ECC. For the certificate duration, I use 1 year (you’ll need to renew it more frequently, but it is a lot safer).

Then, the certificate and private key will appear. You need to install them on your server. After that, the problem should be fixed. If not, please specify your domain (if possible), so that we can provide more help with your issue. Thanks.

Please make sure your webserver/VPS is answering requests on port 443.

In Full & Full (Strict) mode, Cloudflare sends requests to the origin encrypted, to port 443, not to port 80 anymore. Just make sure your webserver will answer these requests and also responds with a valid SSL cert.

But generally speaking, error 521 means “Web server is down”.


Thank you for your reply.
I have a Let’s Encrypt SSL certificate on my VPS, and I use certbot with the Cloudflare API to renew it automatically. I use the command “certbot renew --dry-run”; it runs well, no error. But I still receive a 521 error when I use the full (strict) model.
My domain is sandartgift; because this reply cannot contain a link, you can add a “com” after my domain.

So I should open port 443 on my VPS. Is that right?

Not just opening it, but serving your websites through this port.

That means also configuring your webserver to handle incoming traffic on this port. But this really is too much to explain in text so that someone could understand it. Just set up your VPS to serve through port 443 and this should be solved.

My VPS has CentOS 7 installed. I use these commands to open port 443:
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload

It shows success,
but it is still a 521 error.

Like I said, this is beyond what this community is made for. As Cloudflare does work properly and the error clearly points to your server, you will need to fix that on your server, but this is not related to Cloudflare.

Also, unblocking port 443 is not enough; you need to serve requests through this port with your web server.

Please find a general IT support forum (Stackoverflow etc.) which handles general IT problems and how to make a web server serve on port 443 (encrypted traffic). But as there are just too many variables that will influence this, this forum is the wrong place to search for help on how to set up your origin properly.

If you find any error that is related to Cloudflare, feel free to open a new thread. General advice: please make sure your site works properly BEFORE adding it to Cloudflare. Alternatively, you can unproxy :grey: the respective DNS entries and make it work properly with HTTPS, then proxy :orange: it again and set the SSL mode to “Full (Strict)”.
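The two replies above boil down to one check: does the origin answer on port 443 with TLS and a certificate that validates for the hostname, which is what Full (Strict) requires? The following Python probe is an added example written for this thread, not code from Cloudflare or from any poster. It connects to the origin directly (by IP, so the proxy is bypassed) the way a strict-mode proxy would and classifies the outcome; the status labels are constructed here, and the local plaintext listener exists only to reproduce the "firewall open, but no HTTPS served" situation from the thread offline.

```python
"""Probe an origin the way Cloudflare Full (Strict) does: TCP to the port,
TLS with SNI, chain and hostname verification against trusted CAs.
Added example for this thread; the labels below are constructed here."""
import socket
import ssl
import threading

REFUSED = "port closed, nothing listening (Cloudflare shows 521)"
TIMEOUT = "no answer in time, likely a firewall drop (Cloudflare shows 522)"
NOT_TLS = "port open but the server does not speak TLS (Cloudflare shows 525)"
BAD_CERT = "certificate not trusted for the hostname (Full (Strict) shows 526)"
OK = "origin serves HTTPS with a certificate valid for the hostname"


def check_origin(host, port=443, sni=None, timeout=5.0):
    """Return a dict with 'status' (one of the labels above) and, on
    success, the certificate expiry so renewal can be checked as well."""
    sni = sni or host
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                return {"status": OK, "protocol": tls.version(),
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as e:  # subclass of SSLError: test first
        return {"status": BAD_CERT, "detail": e.verify_message}
    except ssl.SSLError as e:
        return {"status": NOT_TLS, "detail": e.reason}
    except ConnectionRefusedError:
        return {"status": REFUSED}
    except (socket.timeout, TimeoutError):
        return {"status": TIMEOUT}
    except OSError as e:  # e.g. no route to host
        return {"status": "unreachable: " + str(e)}


def free_port():
    """Ask the OS for an unused TCP port on the loopback interface."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def serve_plaintext_once(port):
    """Answer the first connection on `port` with plain HTTP, imitating a
    web server that has the port open but no TLS configured. Constructed
    for the demonstration only."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn, srv:
            conn.settimeout(2.0)
            try:
                conn.recv(65536)  # swallow the ClientHello
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                while conn.recv(65536):  # drain until the client hangs up
                    pass
            except OSError:
                pass

    threading.Thread(target=handle, daemon=True).start()


def demo():
    """Reproduce the thread locally: a closed port (521) and a port that is
    open in the firewall but served without TLS. Returns both statuses."""
    closed = check_origin("127.0.0.1", free_port(), sni="origin.example", timeout=3.0)
    port = free_port()
    serve_plaintext_once(port)
    plain = check_origin("127.0.0.1", port, sni="origin.example", timeout=3.0)
    return closed["status"], plain["status"]


if __name__ == "__main__":
    for label, status in zip(("closed port", "plain HTTP on port"), demo()):
        print(f"{label}: {status}")
    # Against a real origin, probe the server IP with the site name as SNI so
    # the check bypasses the proxy (hypothetical values):
    # check_origin("203.0.113.10", 443, sni="www.example.com")
```

Running the probe against the origin IP before switching the zone to Full (Strict) tells you which of the two fixes in this thread applies: REFUSED means the web server is not listening on 443 at all, NOT_TLS means it listens but serves plain HTTP, and BAD_CERT means the listener is fine but the certificate (or its chain) does not validate for the hostname Cloudflare sends as SNI.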

I would personally ask this question on ServerFault, since Stackoverflow is for developers and, you know, you’ll get a ranty reply saying that it’s off-topic.


OK, I will ask on Stackoverflow.
