Can't fix SSL Handshake Failure 525
When I set my SSL/TLS to Full, the website doesn't load.
It seems that Cloudflare's edge CDN servers can't make an SSL handshake with my server, or it takes a lot of time
(I must refresh the page 10 times as fast as possible to get the page to load).
The error is 525, and every guide I read wasn't helping me.
1. I tried pausing Cloudflare, then renewing my origin server SSL,
and then activating Cloudflare.
Didn't work.
2. I tried a Cloudflare origin server certificate and configured and installed it on my origin server.
Didn't work, still a handshake error.
My cert is valid on my origin server; when I pause Cloudflare I can see my Let's Encrypt certificate well and up (it's set up using AutoSSL).
The problem seems to be that Cloudflare's edge can't make a connection to my host.
Oh, and my server is cPanel based and the default SSL cert is from Let's Encrypt.
Please help and guide me if you can; it is appreciated.
27 Replies
No one? *sad desperate noises*
Have you looked at https://developers.cloudflare.com/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#error-525-ssl-handshake-failed ?
This is my website, with Full SSL enabled on the Cloudflare dash: genshinclub.ir. You guys can see you get an SSL handshake failure. Everything in the docs is checked (SNI and cipher suite), and yes I did.
yes
Are there any logs on the server to show a failed handshake?
It's a cPanel based host. I actually don't know how to access it; can you help or guide?
I've never used cPanel, so not sure either.
Can you unproxy your site so I can see the certificate on the host?
I mean I have this
On my mobile this is the client certificate
And I get this error
On my PC browser the certificate is cached with the one on the origin server for now and I don't get the error
Yeah sure
Done.
Cloudflare is paused and you can see the host certificate.
Is Authenticated Origin Pulls enabled? If so, can you try disabling it?
It was disabled from the start
Makes sense, it was just one idea, since that can cause handshake issues if the origin is not expecting it.
I actually tried to delete my host's default certificate
and install the Cloudflare origin certificate, thinking maybe Let's Encrypt is the issue.
Didn't help.
It became so much worse that I had to load a backup on the host.
The only solution is to set the SSL to Flexible,
but that wouldn't be a solution; it would be ignoring the problem.
Is TLS 1.3 enabled? The origin may not support it.
I did a number of tests against the domain, and that was the most I could come up with so far.
Do you have any firewalling on the server? It seems like some SSL checker tools are unable to reach it, but some are.
That too^
Yes, it is enabled.
I ran a cipher check and it said the origin is fine with it.
I can try to disable it and then check.
It's worth a try, but I'd check the firewall too, as per what @Cyb3r-Jok3 says.
https://www.ssllabs.com/ssltest/analyze.html?d=genshinclub.ir&hideResults=on
https://dnschecker.org/ssl-certificate-examination.php
https://www.geocerts.com/ssl-checker
All fail, but
https://www.immuniweb.com/ssl/genshinclub.ir/tI0HfFF2/
https://mxtoolbox.com/SuperTool.aspx?action=https%3agenshinclub.ir&run=toolpage
https://www.sslchecker.com/sslchecker
all work.
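The checkers above test from the outside; a direct probe of the origin IP (bypassing the proxy, with SNI set to the site name, once per TLS version) reproduces what the edge does in Full mode and separates the suspects raised in this thread: firewall, SNI, cipher suite, TLS version and certificate trust. This is an added example, not code from the thread or from Cloudflare; the origin IP and hostname are placeholders you supply.

```shell
#!/bin/sh
# Added example, not code from the thread: probe the origin the way Cloudflare's edge does in
# Full mode, i.e. connect to the origin IP directly (not through the proxy) with SNI set to the
# site name, once per TLS version. ORIGIN_IP and HOSTNAME are placeholders you supply.

# Turn raw `openssl s_client` output into a one-line verdict mapping to the thread's suspects:
# firewall (unreachable), SNI, cipher suite, TLS version, and certificate trust.
classify_handshake() {
  out=$1
  case $out in
    *"Connection refused"*|*"connect:errno="*|*"Connection timed out"*)
      echo "UNREACHABLE: port 443 not reachable (check host firewall rules)" ;;
    *"unrecognized name"*)
      echo "SNI: origin rejected the server name (vhost / SNI misconfiguration)" ;;
    *"handshake failure"*)
      echo "CIPHER: no cipher suite in common at this TLS version" ;;
    *"protocol version"*|*"unsupported protocol"*|*"no protocols available"*)
      echo "VERSION: origin does not accept this TLS version" ;;
    *"Verify return code: 0 (ok)"*)
      proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
      cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
      echo "OK: $proto $cipher" ;;
    *"Verify return code:"*)
      # Handshake completed but the chain is not trusted by this client (e.g. a Cloudflare
      # Origin CA cert); Full mode tolerates this, Full (strict) does not.
      code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
      echo "CERT: handshake OK but chain not trusted ($code)" ;;
    *)
      echo "UNKNOWN: inspect the raw output" ;;
  esac
}

# One probe: $1 = origin IP, $2 = hostname used for SNI, $3 = openssl version flag.
probe_origin() {
  out=$(printf '' | openssl s_client -connect "$1:443" -servername "$2" "$3" 2>&1)
  printf '%-8s %s\n' "$3" "$(classify_handshake "$out")"
}

# Usage: sh check_origin_tls.sh 203.0.113.10 example.com   (placeholder values)
if [ "$#" -eq 2 ]; then
  for v in -tls1_2 -tls1_3; do
    probe_origin "$1" "$2" "$v"
  done
fi
```

Run it from a machine outside the hosting network while the site is unproxied; an UNREACHABLE verdict from outside but OK from the host itself points at the firewall the thread suspects.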
I see
Let me check
Maybe the hosting provider did set a firewall.
In response to this: I disabled TLS 1.3 and set the minimum TLS to 1.0; the problem still persisted.
I see
In response to this: I think it was a problem with caching? Since Qualys is working fine for me after disabling the proxy.
I tried all of the above and all of them are showing my host certificate.
It was probably a network bug after pausing Cloudflare.
I'm kinda thinking about giving up after trying to fix this for 12 hours.
Do you think Flexible mode is safe enough to hide my data from government monitoring systems like Iran's and China's? (I know it came out of the blue, but a genuine question.)
Flexible mode will encrypt data between your visitors and Cloudflare, but all data between Cloudflare and your origin server will be sent in plain text over the public internet. So probably not.
My only problem is the Iranian government. Since Cloudflare has no datacenter in Iran and my origin server is located in Germany, do you think they might have a way to access the data between Cloudflare and Hetzner?
I couldn't tell you that; I can only tell you what Flexible mode does.
I see. Do you know anyone who might have a good idea, or is it just the community ToS to not talk about it?
I'm new here, so I might have missed noticing some rules.
It's not a rule thing; I just don't have an accurate answer, and if I did, then it wouldn't be appropriate for me to give that kind of advice as an employee. Maybe someone else in the community might have more of an idea.
Thanks for the help and the time you spent. I think I should make a different post about it. Thank you too, @Cyb3r-Jok3.