Network error with outbound fetch() requests (some domains working, others not)
When using fetch() requests on Cloudflare, we now experience "error code: 525" for the past 4 days on certain worker custom domains, not the
workers.dev domain.
https://keyauth.win/psdb - error code: 525
https://keyauth-worker.agentreachout.workers.dev/psdb - success (no SSL error)
https://prod.keyauth.com/psdb - success (no SSL error)
The URLs above request this API https://aws.connect.psdb.cloud/psdb.v1alpha1.Database/Execute which doesn't use Cloudflare (workers changed the "server" header, Planetscale confirmed they don't use Cloudflare)
It happens with other non-Cloudflare sites too. Example: https://text.myip.wtf/
I deployed a plain Javascript, no framework example requesting text.myip.wtf and it's the same problem
https://vanilla.keyauth.win/ - error code: 525
https://ssl-testing-vanilla.agentreachout.workers.dev/ - success
Sounds similar to these issues. I've tried SSL mode Full it doesn't resolve anything. I do NOT own these external websites so I'm not sure how I would control the fact they work from some of my worker domains and not others.
https://github.com/cloudflare/workerd/issues/776
https://community.cloudflare.com/t/http-525-on-outbound-fetch/429778
Appreciate any help I may get ❤️ 3-4 million requests to my site are being dropped right now and Cloudflare Pro hasn't gotten me a response in 4 days from Cloudflare's team.10 Replies
This started 4 days ago, Cloudflare settings had not been touched for over a month before then
SSL mode of non-working domain (I've tried Full didn't change anything)
SSL mode of working domain. Seemingly the same
Also, both of the domains have SSL for SaaS enabled. But the non-working domain is possibly more attributed with the worker, idk if thats the cause of the issues 🤷♂️
the domain your Worker is being invoked on
you should have your SSL mode be Full (Strict)
also, you should always use Full (Strict)
Flexible is insecure
https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/
I understand & agree that Strict SSL is recommended.
However, it appears to have no bearing on the outbound fetch() requests Cloudflare is relaying on my behalf from Cloudflare Worker servers/infrastructure
This video was my 2nd time turning on Strict. the origin (non-worker) frontend site can't be reached, confirming Strict SSL is enabled. Yet the worker still fails to send that outbound
fetch() request to https://aws.connect.psdb.cloud/psdb.v1alpha1.Database/Execute
Hope this is looked into deeper. I pay for Cloudflare Pro on that domain and requests are failing on Cloudflare's network. My worker is NOT requesting my origin. It's requesting Planetscale (which Cloudflare supposedly supports with Worker integrations). And it's not unique to planetscale, it happens while requesting https://text.myip.wtf too (both Planetscale and this myip thing do not use Cloudflare)
https://community.cloudflare.com/t/http-525-on-outbound-fetch/429778/3
https://github.com/cloudflare/workerd/issues/776However, it appears to have no bearing on the outbound fetch() requests Cloudflare is relaying on my behalf from Cloudflare Worker servers/infrastructureIt does if it's a non-cf thing which as you mentioned it isn't here. Digging into your issue, I think what you're hitting is related to your config, I see the request being overriden to
api-worker.keyauth.win which is then failing the SSL verification for text.myip.wtf since well, they don't match
I'm not sure where that override is happening, I don't see a custom hostname for this, not sure if you're doing a resolve override in the Worker or have a rule doing it