Randomly started getting 525 errors
I usually have Full SSL enabled on my panel, however recently I started getting 525. As a temporary workaround I've set it to Flexible but I do kinda need it fixed. I talked to my hosting provider and they said they don't see anything wrong on their end. No changes were made before the error started showing. And upon inspection from myself I don't see anything wrong. I tried to contact Kristian Freeman via PM as I don't think the community would be able to help (no offence) but I guess he doesn't like responding.
Any help will be greatly appreciated!
15 Replies
Yea Flexible is not secure at all. It sounds like your certificate may have expired. If it's a valid trusted certificate you could pause Cloudflare or make the record DNS-only (and wait for propagation) and see what certificate is being served. If you have SSH access to the machine you could also try bypassing CF and using curl (command in the link below) to see if the certificate it's responding with is actually valid:
https://community.cloudflare.com/t/community-tip-fixing-error-525-ssl-handshake-failed/44256
For security reasons I cannot expose the server IP so I'll try to see if I can see what certificate it serves when trying the server. The thing is this shouldn't be happening. The certificate is still valid and is until 2033. I'll check now tho
Here is the result from the command:
curl -svo /dev/null https://www.hackingdumpdrive.org --connect-to ::SERVERIP 2>&1 | egrep -v "^{.$|^}.$|^* http.*$"
RESULT:
* Connecting to hostname: SERVERIP
* Trying SERVERIP:443...
* Connected to (nil) (SERVERIP) port 443 (#0)
* ALPN, offering h2
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
2033? Are you using a CF Origin Cert? Or self-signed?
self signed
> error:0A000438:SSL routines::tlsv1 alert internal error
That's a TLS connection error. Very well could be related to your original issue, something misconfigured on your origin (cipher mismatch, etc). You could try adding -k in front of --connect-to but not sure if it would give any info since it's failing in TLS.
You could see if
openssl s_client -connect ServerIP:443 -servername www.hackingdumpdrive.org
gives any more helpful info (ctrl+c to get out after executing)
Cloudflare offers way more secure Origin Certificates (under SSL/TLS -> Origin Certs). They can last up to 15 years, and work with Full Strict. Neither Flexible nor Full is secure on its own.
can't use them on my hosting provider, have tried
I'll run both now
but you can use self-signed? 🤔
yea
Ask tinkerhost not me lol
I mean the problem with full is anyone can mitm the connection and serve any certificate and it would accept it
if CF wasn't in the middle, browsers would reject that as insecure
just not secure, not the issue causing this though
CONNECTED(00000003)
4097D3A3BD7F0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1584:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 326 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
openssl command ^
-k command too big
the curl went through Cloudflare, looks like --connect-to was missing
doesn't matter too much, we saw the same error earlier and with openssl
ssl alert 80 from https://www.rfc-editor.org/rfc/rfc5246#section-7.2
> An internal error unrelated to the peer or the correctness of the protocol (such as a memory allocation failure) makes it impossible to continue. This message is always fatal.
Unless your host has a firewall blocking you but not CF, then you just tested what happens when you try to connect to your origin over https, just as Cloudflare would. It fails with an internal error, something wrong on the host's end. Maybe something simple
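As an added example (not code from the thread or from Cloudflare), a small POSIX shell script that runs the same bypass check described above, handshaking with the origin IP while sending the site hostname as SNI, and classifies the openssl s_client output so a 525 can be attributed to the origin rather than to Cloudflare. The hostname and IP passed on the command line, and the sample output used in comments, are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: probe the origin directly (bypassing Cloudflare),
# then classify what the openssl s_client output says. Host and IP are script arguments.

# Handshake with ORIGIN_IP while sending HOST as SNI, exactly as Cloudflare's edge does.
probe_origin() {
  host="$1"; ip="$2"
  # </dev/null closes stdin so s_client exits on its own instead of waiting for input
  openssl s_client -connect "$ip:443" -servername "$host" </dev/null 2>&1
}

# Read s_client (or curl -v) output on stdin and echo one diagnosis token.
# Order matters: the thread's output contained "alert number 80" AND
# "Verify return code: 0 (ok)", and only the alert line is meaningful there.
classify_tls_output() {
  out="$(cat)"
  case "$out" in
    *"alert number 80"*|*"tlsv1 alert internal error"*)
      echo "origin-internal-error" ;;      # RFC 5246 7.2: fatal, origin-side failure
    *"alert number 40"*|*"handshake failure"*)
      echo "origin-handshake-failure" ;;   # usually protocol/cipher mismatch
    *"Connection refused"*|*"connect:errno"*)
      echo "origin-port-closed" ;;
    *"no peer certificate available"*)
      echo "no-certificate" ;;
    *"Verify return code: 0 (ok)"*)
      echo "trusted-certificate" ;;        # would pass Full (strict)
    *"Verify return code:"*)
      echo "untrusted-certificate" ;;      # self-signed/expired: Full only
    *) echo "unknown" ;;
  esac
}

# Print subject and notAfter of whatever certificate the origin actually serves.
origin_cert_expiry() {
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}

# Stand-alone use: ./origin_tls_check.sh www.example.org 203.0.113.10 (constructed values)
if [ "$#" -eq 2 ]; then
  result="$(probe_origin "$1" "$2" | classify_tls_output)"
  echo "$1 via $2: $result"
  case "$result" in
    trusted-certificate|untrusted-certificate) origin_cert_expiry "$1" "$2" ;;
  esac
fi
```

Run it from a host that can reach the origin directly; if the token is origin-internal-error with no certificate printed, the origin itself is failing the handshake before it ever presents a certificate.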
mh yea I thought it would be host end
I'll ask them to check the backend again
thanks
If your host doesn't understand the idea of testing and bypassing Cloudflare, you could perhaps set up an unproxied subdomain that would get the same cert and show that it fails direct
you may also want to consider a different host in general if they don't support a publicly trusted certificate or CF's origin cert. Your setup is not and would never be secure
yea just haven't got the money to tho, I wanna
wanna make this site as secure as possible
I have tried my best
would be fitting if a site about cyber security is nice and secure lol
thanks for the help tho
I'll look into some other providers
if I can find any
yea turns out you were right, there is an error on their end, they've forwarded the logs to a higher team so hopefully it should be fixed soon
thanks for the help in tracking it down
Yea just thought I should update everyone on what's going on, so it turns out that yea there was something wrong on their end. Something was causing an error in self-signed certificate creation, causing CF to refuse the connection. They are in the process of finding and fixing the bug