I renewed my certificates today and now I’m getting almost nothing but 525 errors on my website. I host my DNS on Cloudflare and I see they have a notice posted that Let’s Certify isn’t compatible as of Sept 30th. So by renewing my certificates I have essentially shut down my website. Is there a solution or do I need to find a new certificate authority? I need to solve this FAST.
Turning off the Proxy seems to have mostly stopped the 525 errors. There are still a few but at least the site is up again. I’ll need to read their notice about Let’s Certify more closely now that my store is at least back online.
Jerry, “Let’s Certify” isn’t a thing. There’s Let’s Encrypt (the Certificate Authority who issue certificates) and Certify Certificate Manager (our app that helps you manage and renew certificates).
Please link to the notice from Cloudflare so we can interpret it. Let’s Encrypt is compatible with most things, it’s the largest CA in the world.
There’s undoubtedly a problem, but it’s specific to your configuration so we’d need to know the domain at least to try to answer a question.
What web server software do you use? You mentioned pfSense in your previous thread; is that forwarding to a web server or does it “terminate” SSL for you (e.g. things like HAProxy)?
Most people are just using IIS on windows, but I suspect you are using something else.
My guess is that your current SSL configuration is not valid, e.g. pointing to non-existent certificate files or just not configured for HTTPS on port 443.
Please provide as much detail as you can, otherwise we have to guess stuff.
You are right of course, it’s Let’s Encrypt. I was more focused on actually getting my website back up than I was on the accuracy of my post. We were down the better part of the day. In the end Volusion has a solution they strongly recommend to ensure the 525 errors go away. We’ll use their certificates with Cloudflare so the site stays up and running.
I understand Let’s Encrypt is big. Volusion is big. I’m small. The issue seems to be between the two big companies since I host on Volusion. The only things on my servers are email and images used by the website, which are cached on Cloudflare, another big player.
We’ll continue to use Certify The Web for our internal servers. The link to the Cloudflare notice is https://dash.cloudflare.com/8df693ed67c36ec4c6eeaad48137abff/cds.com/ssl-tls/edge-certificates
My web host is Volusion. The only part of the website we host internally are the images that are used on the web pages, which are cached in Cloudflare. So when you go to our site you’re on a Volusion site, not one hosted on IIS locally.
pfSense is running in passthrough mode in front of our mail server, the site images server, the ftp server, and our internal network. It is not acting as a router etc. And it’s not involved in the errors on the website since those are hosted on Volusion.
I mentioned the pfSense because when we were having problems renewing our Certify The Web certificates it was suggested that it was the reason they weren’t renewing. That was NOT the case however, but we totally bypassed it for a bit just to prove that wasn’t the problem. In the end we did find the problem to be a misconfigured authorization. We were missing the * on the front of the domain names and we had not set up each zone, as we thought the global authority would cover all domains, which it doesn’t. Again, pfSense wasn’t at fault. pfSense doesn’t forward or route any traffic in this mode.
I don’t really understand how Certify The Web was able to get the certificates in the first place, then later pass the testing, but then not actually be able to renew the certificates that it had generated, but that problem was solved in another thread.
The webserver (this thread) is a different issue and it’s between the big companies Volusion, Cloudflare, and Let’s Encrypt. Volusion claims the problem is Cloudflare and Cloudflare says they aren’t their certificates. IF I’m reading it right (and I may not be) it sounds like Let’s Encrypt ended an old type of certificate that almost everyone wasn’t using any longer anyway.
You wouldn’t think it would have an effect on me since I just started using Let’s Encrypt a few months ago. However… my website was up and running and life was good except for not getting as many orders as we’d like. And then it came time to renew our certificates in Certify The Web. After solving the configuration glitch mentioned above they renewed without problem. And that’s when the website went dead with nothing but 525 errors.
Several hours later we managed to get the site live again by turning off all the proxies in Cloudflare. In the meanwhile Volusion sent us some DNS entries they want us to add so that they can use Cloudflare certificates with our site, which they say will end the 525 errors the rest of the way (we’re still seeing some but if you reload the page a time or two the page eventually loads). I’ll be loading those acme-challenge DNS entries today. They will be sending some A records over as well once that’s done but I don’t know what they contain. They say my site will then be on “the new server infrastructure” and will no longer have the 525 errors. Of course the images loaded onto those pages are still under our Certify The Web certificates so maybe the pages will load but the graphics will have problems? Not sure.
Thanks for the information Jerry. Glad you got it working now. I’m afraid I don’t know anything about Volusion to help. I can generally tell you if a service on the public internet is using valid SSL or not, but not if it’s proxied behind something else (because I can’t see it to check).
In general, the first service that answers a request (e.g. Cloudflare) is the one that’s “terminating” TLS (providing the certificates and the secure connection). When you switch off proxying in Cloudflare that means you skip the Cloudflare TLS and go directly to the service at your IP address instead (self-hosted Windows or Volusion? I can’t tell).
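As an added example (not code from Certify The Web, Cloudflare or anyone in this thread): a Python check that does what the proxy does before it reports a 525, connecting straight to the origin IP with the site hostname as SNI and verifying the certificate the origin presents, so you can see whether the origin would pass a strict proxy. HOST and ORIGIN_IP are assumed placeholders.

```python
"""Diagnose a Cloudflare 525 (handshake between the proxy and the origin
failed) by handshaking with the origin ourselves.  Added example; the
hostname and origin IP below are assumed placeholders."""
import socket
import ssl
import time


def summarize_cert(cert: dict, now=None) -> dict:
    """Reduce ssl.getpeercert() output to what matters here: the DNS names
    the certificate covers and how many whole days remain before expiry."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return {"sans": sans, "days_left": int((not_after - now) // 86400)}


def check_origin_tls(host: str, origin_ip: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with the origin the way a strict proxy would: verified chain
    plus hostname check, with SNI set to the site name rather than the IP."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), **summarize_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # Origin speaks TLS but the certificate is unacceptable: expired, wrong
        # name, or an untrusted/self-signed chain.  A strict proxy refuses this.
        return {"ok": False, "stage": "verify", "error": exc.verify_message}
    except ssl.SSLError as exc:
        # The handshake itself failed: no HTTPS on this port, protocol mismatch, etc.
        return {"ok": False, "stage": "handshake", "error": str(exc)}
    except OSError as exc:
        # Could not even open the TCP connection (firewall, wrong IP, port closed).
        return {"ok": False, "stage": "connect", "error": str(exc)}


if __name__ == "__main__":
    HOST = "www.example.com"    # assumed placeholder: the site's hostname
    ORIGIN_IP = "203.0.113.10"  # assumed placeholder: the origin, not a Cloudflare edge IP
    print(check_origin_tls(HOST, ORIGIN_IP))
```

If the result is `ok: True` the origin would satisfy the proxy's check, so a 525 points at how the proxy is configured rather than at the origin certificate.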
That makes sense. Cloudflare caches much of my site so they’d be the one that answers most requests. If it’s not in their cache it pulls information from both Volusion and my images server. All three services are set up with TLS. Perhaps when the proxy is turned off it’s no longer pulling from the cache at Cloudflare and therefore not using their TLS? While that seems to have stopped the errors, if that’s the case it’s going to increase my bandwidth charges from Volusion since the information on their machines would no longer pull from Cloudflare. The images aren’t a big issue because I don’t pay for bandwidth on that server.
I guess I’ll find out. At least the site is up and running currently. Thank you everyone for your help.
It’s probably also worth looking at Cloudflare image storage, which should be very cheap.
Yes, when you turn off proxying you will miss out on caching.
Interesting prospect. I didn’t know this was something Cloudflare offered so thank you for that. The idea of modifying all those hyperlinks is pretty daunting. I wish there were an automated process to grab all the images and modify the URL to the Cloudflare links then spit the html back to me so I could just replace all the pages. It would take a pretty long time to hand modify all those hyperlinks. There are thousands of images on the site with several being used on multiple pages.
What do your current image URLs look like and how are they stored? Is it all static HTML or is it generated from a database?
The images are static but the pages are generated by Volusion from a template. The images placed in that template are static HTML references.
Since turning off the proxy in Cloudflare everything is now loading. At first there were a couple of glitches, probably as the caches emptied or something. But now all the pages are loading fine. And Cloudflare is making some sort of change in the certificates so that my site will be hosted on a different server at Volusion that has certificates for my site. I had to add some acme lines to my DNS for them to accomplish this. Anyway, it looks like my problem is solved.
I’ll look into the Cloudflare images some more as I get time because that sounds interesting to me. Who knows, maybe I could just change where the images DNS points and copy the entire directory.