SSL handshake failed error code 525

I recently installed Ghost on Digital Ocean and I’m using Cloudfare to manage the DNS for this domain https://theboujeetrybe.com/ but I’m having issue with the SSL.

Here is the error I keep getting:

It appears that the SSL configuration used is not compatible with Cloudflare. This could happen for a several reasons, including no shared cipher suites.

Screenshot 2023-02-07 at 13.34.095344×2884 585 KB

How can I make the SSL on Ghost blog work with Cloudfare?

Sometimes it works without this error and some times this error shows up and it’s annoying for visitors.

How did you set up Ghost, Nginx and SSL? What are the SSL settings in Cloudflare, e.g., authenticated origin pulls?

I followed the official guide here - How to install Ghost on Digital Ocean - Official guide to install Ghost.

SSL setting on Cloudfare is Full: Encrypts end-to-end, using a self signed certificate on the server.

Screenshot 2023-02-09 at 01.41.302076×1276 215 KB

SSH to the server and check if you can make an https:// request from the server itself.

I like the httpie tool for HTTP testing, but you could also use wget or curl.

Whenever I pause Cloudfare on the domain I start getting “site not secure” error on Safari and Chrome.

Running https https://theboujeetrybe.com and https theboujeetrybe.com with httpie returns this header followed by the HTML content of the home page.

HTTP/1.1 200 OK
Cache-Control: public, max-age=0
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Thu, 09 Feb 2023 11:02:22 GMT
ETag: W/"28da-XAZAD6KAG4iBMNDnDkZsEHoEq1g"
Server: nginx/1.18.0 (Ubuntu)
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: Express

But site reachability is unpredictable when Cloudfare is disabled.

Screenshot 2023-02-09 at 11.56.275344×2884 423 KB

When you enable or disable Cloudflare, the DNS must be changing. DNS gets cached and can take sometimes hours for changes to be reflected. So after you turn Cloudflare on or off, you need to check if the DNS for the domain is resolving directly to the server or to Cloudflare.

From your laptop terminal:

dig yourdomain.com

You’ll get back an IP address. Does it belong to the server itself or to Cloudflare?

I recommend keeping Cloudflare off until the site is working. Setting it up at the same time makes troubleshooting more complex.

Yes I have completely disabled Cloudfare since the last reply.

dig theboujeetrybe.com returns the IP of the server itself.

Screenshot 2023-02-09 at 13.34.221364×966 161 KB

Usually websites only have a single IP unless they are behind a load balancer.

Are you sure both those IP addresses are for the server? Can you SSH to both of them?

Oh that’s true. Didn’t pay attention to the the two IPs. For some reason I’m not sure when that IP was added to the DNS and points to the same domain.

I have removed the second IP from DNS and just kept the one for the Digital Ocean server where Ghost is installed.

Screenshot 2023-02-09 at 15.39.021364×966 154 KB

Do you think this one would solve the instability issues?

Thanks

It’s definitely a possible source - when you get two DNS answers like that, the browser picks one rather randomly. Whether that’s the only problem remains to be seen once the old result clears the cache.

https://theboujeetrybe.com/ is loading for me now.

Yes it’s working now, even without Cloudfare
Haven’t seen an issue in a while.
Thank you guys.