SSL Handshake Failed 525


As I’ve done every day for the last year or so, I opened up my 1500cals app to log my morning coffee to be greeted with a white screen with an error message! My first thought was I was pleased the error screen looked nice and was informative, but “525 error” wasn’t one I could instantly recognize, unlike the usual suspects like 501, 404, 503 etc

I pulled up the web version of the site at [] which was now showing a more helpful Cloudlflare error page indicating the issue was between cloudflare and my origin server. This meant for some reason the certificate on my server was not updated.

Compared to the old days, SSL certificate management these days is wonderfully simple thanks to the likes of Let’s Encrypt to the extent you can almost forget about it and the certificates renew automatically - until something goes wrong like today and they don’t!


In this case, the issue was down to how cloudflare can insert itself as a proxy and present a different IP - this is how it handles caching, optimization and security which are all amazing. Usually.

However, during certificate renewal for the origin server, this proxy means Let’s Encrypt can not validate via DNS and fails. After a lot of tinkering, as it turned out the solution was incredibly simple. I just had to disable this proxy in Clouldflare DNS, manually renew the certificate on my origin server, and then once it was issues in a few minutes re-enable the proxy.


If you’re following along, you may have seen the flaw in this solution. When my origin certificate expires in 12 months, this is going to re-occur. So we need a better solution. Let me know if you have one! For now, my solution is to write this blog post that I’ll no doubt be referring to next time this happens!

As always, don’t hesitate to drop me a note via twitter or any other channels listed here