    Cloudflare "Error 525 SSL handshake failed" on Hetzner server

    JohnRoe Member
    edited February 3 in Help

    Hi. I have had this weird issue since early January.

    I am hosting a domain on a Hetzner server with multiple subdomains. Sometimes I get an Error 525 SSL handshake error, and usually a reload makes that error go away.

    I was using the same server, the same domain and the same Nginx configuration before this. I had to reinstall the server due to a problem, and after that I intermittently get this 525 error code.

    What I have tried:

    • Upgrading and downgrading Nginx
    • Enabling debugging in the Nginx log; nothing gets logged when this error shows up
    • Deleting the origin cert in Cloudflare and regenerating it
    • Using a Letsencrypt cert
    • Rebooting the server

    There are a few other things, but I cannot recall them.

    I cannot think of any differences between before and after the reinstall. After the reinstall I have fewer files because I cleaned up, and I have IPv6 enabled. I had disabled IPv6 before this and left it enabled after reinstalling. I have tried allowing Nginx to only listen on IPv4, but it still happens.

    Also, I can access my server fine without the Cloudflare proxy. This issue only happens sometimes when I turn on the proxy.

    Anyone got an idea how to debug this? I have been patient for so long. I contacted Cloudflare, but they suggested I use FLEXIBLE SSL mode instead of FULL, which I am using now. I have no problem trying that, but at least I want to pinpoint the cause first.

    Any thoughts?

    Thanks in advance!

    Edit:

    • Hetzner auction server, 6TB Disk, 32GB RAM

    Sorry for my bad English

    Comments

    • isunbejo Member
      edited February 3

      Increase the error log level on nginx,
      increase the sysctl session timeout, enable AES on the CPU and tune SSL on nginx:

      listen 0.0.0.0:443 rcvbuf=64000 sndbuf=128000 backlog=20000 ssl http2;
      ssl_session_cache shared:TLSSL:30m;
      
    • @isunbejo said:
      Increase the error log level on nginx,
      increase the sysctl session timeout, enable AES on the CPU and tune SSL on nginx:

      listen 0.0.0.0:443 rcvbuf=64000 sndbuf=128000 backlog=20000 ssl http2;
      ssl_session_cache shared:TLSSL:30m;
      

      I have enabled debug in nginx logging, which I believe is the highest level. Nothing gets logged when I am having the 525 error.

      I have applied the rcvbuf=64000 sndbuf=128000 backlog=20000 ssl http2 and will report back to you later.

      Also I already have ssl_session_cache configured.

      Sorry for my bad English

    • @isunbejo Nope, still happening.

      Sorry for my bad English

    • @JohnRoe said:
      @isunbejo Nope, still happening.

      sysctl -a | grep tcp_keepalive

      http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/usingkeepalive.html

    • Unfortunately no. These are the results:

      1. I am the owner
      2. I have a valid certificate. I also tried a Letsencrypt cert
      3. Nginx is listening on port 80 and 443, both IPv4 and IPv6
      4. I have no idea what this is even after reading many explanations, but I assume it is properly configured since I can load multiple domains with different certificates
      5. Tried
      6. This seems to be the issue I am having, but I don't know where to start troubleshooting
      7. I increased Nginx error log and nothing got logged when the error occurs
      8. When pausing, the website loads fine. Still, it is hard to confirm since this error appears randomly. I also have a subdomain running with SSL without Cloudflare proxying, and it always loads fine.

      Sorry for my bad English

    • I am currently using the intermediate config of https://ssl-config.mozilla.org/

      Sorry for my bad English

    • webdev Member
      edited February 3

      Try https://www.ssllabs.com/ssltest/

      Try moving the SSL-related config out of the server tag.

    • @isunbejo said:

      @JohnRoe said:
      @isunbejo Nope, still happening.

      sysctl -a | grep tcp_keepalive

      http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/usingkeepalive.html

      This is the output

      net.ipv4.tcp_keepalive_intvl = 75
      net.ipv4.tcp_keepalive_probes = 9
      net.ipv4.tcp_keepalive_time = 7200
      sysctl: reading key "net.ipv6.conf.all.stable_secret"
      sysctl: reading key "net.ipv6.conf.default.stable_secret"
      sysctl: reading key "net.ipv6.conf.enp2s0.stable_secret"
      sysctl: reading key "net.ipv6.conf.lo.stable_secret"
      

      Sorry for my bad English

    • @webdev said:
      Try moving the SSL-related config out of the server tag.

      Remove it and then test on ssllabs, or test on ssllabs before and after?

      Tested before, got A for all:
      https://i.imgur.com/2la2lK1.png

      Sorry for my bad English

    • Click inside and check Handshake Simulation. If you got an A, then it's your browser's issue; some old browser?

    • @webdev said:
      Click inside and check Handshake Simulation. If you got an A, then it's your browser's issue; some old browser?

      It is not just me. My users, my Jellyfin, even Cloudflare support staff can reproduce the error. Yes, I have contacted Cloudflare directly, and they say they can reproduce the error as well; we are still communicating through a support ticket. But since I am on the free plan, it is quite slow.

      When getting the 525 error, there is no error logged in the Nginx error_log. A few browser refreshes solve the issue temporarily in the browser. On something that cannot be refreshed, like a downloader or Android apps like Trandroid, you need to wait until the error goes away by itself.

      Sorry for my bad English
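One way to pinpoint whether the origin itself occasionally refuses the handshake, added here as an example and not code from anyone in the thread: a small Python probe that repeatedly performs a TLS handshake straight to the origin (bypassing the proxy, which the OP says always works), separately over IPv4 and IPv6 since IPv6 is the one change the OP noticed, sending the same SNI hostname Cloudflare would send, and reporting the failure rate per address. The hostname and addresses are placeholders; nothing is logged by nginx for a handshake that never completes, so timestamped failures from this probe are what you would correlate against the moments a 525 is seen.

```python
import socket
import ssl
import time
from collections import Counter

# Placeholders (assumptions): SNI hostname and the origin's direct IPv4/IPv6 addresses.
SNI_HOST = "example.com"
ORIGIN_ADDRS = ["203.0.113.10", "2001:db8::10"]
PORT = 443

def handshake_once(addr, sni, timeout=5.0):
    """One TCP connect + TLS handshake: 'ok:<version>' or a short failure class."""
    ctx = ssl.create_default_context()
    # A Cloudflare origin certificate is not publicly trusted, so skip chain
    # verification: the only question here is whether the handshake completes.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((addr, PORT))
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return "ok:" + str(tls.version())
    except socket.timeout:
        return "timeout"
    except ssl.SSLError as exc:
        return "ssl:" + str(exc.reason)
    except OSError as exc:
        return "tcp:" + str(exc.strerror)

def failure_rate(counts):
    """Per-address fraction of handshakes that did not end in 'ok:...'."""
    rates = {}
    for addr, c in counts.items():
        total = sum(c.values())
        ok = sum(n for k, n in c.items() if k.startswith("ok:"))
        rates[addr] = (total - ok) / total if total else 0.0
    return rates

def probe(addrs, sni, rounds=30, pause=1.0):
    """Probe each address every round; timestamp failures to correlate with 525s."""
    counts = {addr: Counter() for addr in addrs}
    for _ in range(rounds):
        for addr in addrs:
            outcome = handshake_once(addr, sni)
            counts[addr][outcome] += 1
            if not outcome.startswith("ok:"):
                print(time.strftime("%H:%M:%S"), addr, outcome)
        time.sleep(pause)
    return failure_rate(counts)
```

Run `probe(ORIGIN_ADDRS, SNI_HOST)` from the server's network or from a second host; a failure rate that is non-zero on one address family only, or failure classes such as `timeout` versus `ssl:...`, narrows the problem to the origin's network path or its TLS stack respectively.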
