Error 525 - SSL handshake failed

My website is showing a cloudflare 525 error.
I haven’t changed anything on cloudflare and webflow for a few weeks, and it was working fine up until a few days ago.
How can I fix this?
Here’s the screen shown for both https://breeze.im and https://www.breeze.im.

Thanks!

1 Like

We are only able to provision SSL certificates for your domain if it is directly pointed to our servers. What probably happened is the domain was originally pointed to us and we were able to generate the SSL certificate. Then, the domain was moved to point to cloudflare. Then, some time later, when the SSL certificate we generated expired, we were no longer able to re-generate it since the domain is not pointed to us anymore.

There are a couple options to fix this. If you point your domain directly to us, we should be able to generate an ssl cert and we can directly serve your site. Alternatively if you wish to continue using cloudflare, you can set the config for them to point to proxy.webflow.com instead of proxy-ssl.webflow.com and make sure you select the “Flexible” option in the cloudflare config.

2 Likes

Hey folks, sorry about this. This was an unintended side effect of a DDOS mitigation effort. This is now and should be working for you again (let me know if not). I’m sorry for not updating you sooner, I just came across this thread.

I’m also sorry for how we handled the communication and addressing of the issue as you described, you deserve better than that as a loyal customer. This was a tricky one for us to track down, but that’s no excuse for how we handled it. Sorry about that!

Thanks,
vidmate kissanime

Still the same error.
Maybe ssl certificate still needs to be replaced

So either I stop using SSL or stop using cloudflare?
How do I keep using cloudflare and keep ssl?

1 Like

@Tomer_Raz - likely if you turn off Cloudflare’s “orange cloud” (everything but DNS) and then go back to the Webflow hosting page and click “Check Status” on the domain, let’s encrypt will probably do its thing and your site should be back up hopefully within a few minutes.

For some deeper insight, the way that it works is that let’s encrypt has an automated system that runs on Webflow’s servers and makes a specific url available that allows their external system to validate their certs. With Cloudflare running, let’s encrypt certs are hidden and can’t update because Cloudflare replaces the certs. Let’s encrypt certs are valid for 3 months and automatically renew through this same process - so to use both, you need to turn off the orange cloud and validate that the expiration updated at least once every three months. For a longer term fix webflow needs to use let’s encrypt http validation, or they need to allow custom certs.

1 Like

Thanks, it works 🙂
Turn off cloudflare orange cloud → webflow hosting check status → turn on cloudflare orange cloud

1 Like

Keep in mind, in 90 days when the certificate we provision expires, your site will break again. If you want to use cloudflare with the orange cloud on (meaning the traffic is routed through cloudflare, not just DNS) then you should make sure to point your site to proxy.webflow.com to avoid the certificate issues.

2 Likes
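The replies above describe an origin certificate that expires after about 90 days while Cloudflare keeps presenting its own certificate to visitors, so the expiry stays invisible until the site breaks. The following is an added example, not part of any post in this thread and not Webflow or Cloudflare code: a check that handshakes with the origin directly and reports the days left. The 14-day threshold, the function names, and the assumption that the origin presents the site's certificate when the site's hostname is sent as SNI are all assumptions.

```python
import socket
import ssl
import sys
import time

WARN_DAYS = 14  # assumed alert threshold, not a value from the thread


def days_remaining(not_after, now=None):
    """Whole days until a certificate's notAfter (ssl.getpeercert() format)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(days_left, warn_days=WARN_DAYS):
    """Map days left to a status a cron job or monitor can act on."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "RENEW_SOON"
    return "OK"


def origin_not_after(site, origin="proxy-ssl.webflow.com", port=443, timeout=10):
    """Handshake with the origin directly (bypassing the Cloudflare proxy),
    sending the site's name as SNI, and return the leaf cert's notAfter."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity
    with socket.create_connection((origin, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=site) as tls:
            return tls.getpeercert()["notAfter"]


def check(site):
    """Return a one-line status string for the site's origin certificate."""
    try:
        left = days_remaining(origin_not_after(site))
    except ssl.SSLCertVerificationError as exc:
        # An expired or mismatched origin certificate fails verification here.
        return f"FAILED origin certificate does not verify: {exc.verify_message}"
    except OSError as exc:
        return f"FAILED cannot reach origin: {exc}"
    return f"{classify(left)} {left} days left on origin certificate for {site}"


if __name__ == "__main__":
    # Usage: python origin_cert_check.py www.example.com  (placeholder hostname)
    print(check(sys.argv[1] if len(sys.argv) > 1 else "www.example.com"))
```

Run on a schedule, a `RENEW_SOON` result gives time to plan the renewal steps described in this thread before the certificate lapses.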

Understood.
But if I change to proxy.webflow.com, the site doesn’t work using https anymore correct?

1 Like

If you are routing your traffic through cloudflare, they are serving their own SSL certificate. You can see that currently it is a cloudflare issued SSL cert on the domain:

1 Like

Long story short, custom SSL certificates are a long overdue product request going back to this forum from 2015. Especially with eComm launching out of beta this should be one of the highest priorities for product roadmap.

I can hear the resounding applause once this launches from clients and designers everywhere!

Any resolution on this yet?

I tried the workaround of “Turn off cloudflare orange cloud → webflow hosting check status → turn on cloudflare orange cloud” (mentioned by @Tomer_Raz) yesterday and it worked and I was expecting it to do again in 3 months time, but somehow it happened again today.

Has something changed on webflow front where ssl certs expiration time has been reduced to one day instead of three months @nathan?

Hello- we are running CloudFlare in front of our production marketing website, and had this same error, where it appears that WebFlow’s SSL certs expire after 90 days, and are not automatically renewed via LetsEncrypt.

From what I have been able to read, the current options are:

  • Have Cloudflare handle all SSL to the client, and then just HTTP to Webflow by using proxy.webflow.com vs. proxy-ssl.webflow.com as recommended above (Note: this is not acceptable for us from a security perspective)
  • When we see an outage, disable CloudFlare SSL proxying temporarily, which triggers a script on the WebFlow end to renew the SSL certificates with LetsEncrypt. (This still incurs periodic outages)
  • Disable CloudFlare (not preferred, as CloudFlare has a lot of benefits in addition to WebFlow)

I also can see on the forum that allowing clients to upload our own certificates to Webflow has been a backlog item since at least 2018. This would solve our problem, as we could manage SSL certs through CloudFlare. What is the status for this item?

Any other recommended fixes that provide end-to-end SSL encryption for clients would be appreciated!

Hi I’d also really like an update from Webflow on this. It’s a pretty crippling issue!
We’ll drop Webflow before we’ll drop Cloudflare, so it would be great to at least know that someone is working on a solution to this.

We are having this issue once again and it happens every 3 months exactly around the same date range. Is there any concrete fix by webflow for this? Cannot accept this from an enterprise level company.

@Saravanan_Thangaraj - Curious if you are using Cloudflare with the DNS proxied?

Yes, we are using Cloudflare + Webflow and DNS Proxied, just like the others mentioned on this thread. As a temporary fix, we were able to disable the SSL proxy and keep it to DNS Only and it solved the problem, but from the security standpoint, it is not recommended. @webdev

You can avoid this by using an enterprise hosting plan which allows you to use your own custom SSL certificate. Of course there is an expense to that and the Cert. See → https://webflow.com/enterprise

Hi @Saravanan_Thangaraj, Webflow has its own secure proxy and if you are using the DNS Only option it means that you will use Webflow SSL and Webflow SSL proxy server.

Please read more about security in Webflow here: https://webflow.com/security

As @webdev mentioned, if you wish to use your own SSL cert for your site that is an option on the Enterprise plans.

Hi,
We did observe the issue again on 04th September 2022.
Disabling the proxy and enabling the proxy has fixed the issue temporarily and yes we expect the issue again on 03rd or 04th December 2022.
We are using Cloudflare + Webflow and Proxied over Cloudflare.
We are using proxy-ssl.webflow.com as target in Cloudflare.
Now what would be the probable solution:

a) Disable and enable proxying so that Let’s Encrypt will take care of updating the certs, and this could lead to downtime → Recommended? No, as per my opinion.
b) Uploading custom certificates to Webflow? → This might lead to additional expenses as this is supported only with the Enterprise plan.
c) Any solution from Webflow? Do we need to sustain with this issue or should we forcefully get the Enterprise plan?