SSL handshake failed error code 525

I recently installed Ghost on Digital Ocean and I’m using Cloudfare to manage the DNS for this domain but I’m having issue with the SSL.

Here is the error I keep getting:

It appears that the SSL configuration used is not compatible with Cloudflare. This could happen for a several reasons, including no shared cipher suites.

How can I make the SSL on Ghost blog work with Cloudfare?

Sometimes it works without this error and some times this error shows up and it’s annoying for visitors.

How did you set up Ghost, Nginx and SSL? What are the SSL settings in Cloudflare, e.g., authenticated origin pulls?

1 Like

I followed the official guide here - How to install Ghost on Digital Ocean - Official guide to install Ghost.

SSL setting on Cloudfare is Full: Encrypts end-to-end, using a self signed certificate on the server.

SSH to the server and check if you can make an https:// request from the server itself.

I like the httpie tool for HTTP testing, but you could also use wget or curl.

Whenever I pause Cloudfare on the domain I start getting “site not secure” error on Safari and Chrome.

Running https and https with httpie returns this header followed by the HTML content of the home page.

HTTP/1.1 200 OK
Cache-Control: public, max-age=0
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Thu, 09 Feb 2023 11:02:22 GMT
ETag: W/"28da-XAZAD6KAG4iBMNDnDkZsEHoEq1g"
Server: nginx/1.18.0 (Ubuntu)
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: Express

But site reachability is unpredictable when Cloudfare is disabled.

When you enable or disable Cloudflare, the DNS must be changing. DNS gets cached and can take sometimes hours for changes to be reflected. So after you turn Cloudflare on or off, you need to check if the DNS for the domain is resolving directly to the server or to Cloudflare.

From your laptop terminal:


You’ll get back an IP address. Does it belong to the server itself or to Cloudflare?

I recommend keeping Cloudflare off until the site is working. Setting it up at the same time makes troubleshooting more complex.

Yes I have completely disabled Cloudfare since the last reply.

dig returns the IP of the server itself.

Usually websites only have a single IP unless they are behind a load balancer.

Are you sure both those IP addresses are for the server? Can you SSH to both of them?

1 Like

Oh that’s true. Didn’t pay attention to the the two IPs. For some reason I’m not sure when that IP was added to the DNS and points to the same domain.

I have removed the second IP from DNS and just kept the one for the Digital Ocean server where Ghost is installed.

Do you think this one would solve the instability issues?


It’s definitely a possible source - when you get two DNS answers like that, the browser picks one rather randomly. Whether that’s the only problem remains to be seen once the old result clears the cache.

1 Like is loading for me now. :rocket:

1 Like

Yes it’s working now, even without Cloudfare :tada:
Haven’t seen an issue in a while.
Thank you guys.