Resolving Error 525: SSL Handshake Failed (Cloudflare & HAProxy Certificate Conflict)
This guide provides a step-by-step process for diagnosing and resolving the Cloudflare Error 525 (SSL Handshake Failed). This specific scenario addresses certificate conflicts when using Cloudflare in "Full" SSL mode with an HAProxy backend, particularly when dealing with deep subdomains (e.g., test.api.example.com).
Understanding the Context and Root Cause
- The Scenario: Cloudflare is configured in "Full" SSL mode and routes traffic to an HAProxy server. The error occurs when accessing a deep subdomain like
test.api.example.com. - The Root Cause: Cloudflare expects a valid certificate on the origin server (HAProxy) that specifically covers
test.api.example.com. However, the server only has a standard Let's Encrypt wildcard certificate for*.example.com. Standard wildcard certificates only cover one subdomain level, meaning they do not cover deep subdomains. * The Failed Approach (What NOT to do): Generating a broad Cloudflare Origin CA certificate covering both*.example.comand*.api.example.comand placing it on the server alongside the Let's Encrypt certificate will cause a conflict. HAProxy loads certificates from a directory alphabetically. If the Let's Encrypt certificate is loaded first, HAProxy prioritizes it, failing the SNI (Server Name Indication) match for the deep subdomain, and the 525 error persists.
Step-by-Step Resolution Guide
Follow these steps to correctly configure your certificates and HAProxy settings.
Step 1: Clean Up Overlapping Certificates
To prevent HAProxy from prioritizing the wrong certificate due to alphabetical loading, remove any broad or conflicting certificates.
* Delete the broad Cloudflare Origin CA certificate (the one covering *.example.com AND *.api.example.com) from your HAProxy certificate directory (e.g., /etc/haproxy/certs/).
Step 2: Retain the Base Let's Encrypt Certificate
Keep your existing Let's Encrypt wildcard certificate on the HAProxy server.
* This certificate (*.example.com) will continue to seamlessly serve standard subdomains (e.g., grafana.example.com).
Step 3: Generate a "Narrow" Cloudflare Origin CA Certificate
Create a dedicated certificate exclusively for your deep subdomains.
1. Go to your Cloudflare Dashboard -> SSL/TLS -> Origin Server.
2. Create a new Origin CA Certificate.
3. In the hostnames field, enter ONLY the specific deep subdomain wildcard: *.api.example.com.
4. Save the generated certificate and private key to your HAProxy server's certificate directory (e.g., /etc/haproxy/certs/api.example.com.pem).
Note: By isolating the certificates, HAProxy's SNI mechanism can accurately match the incoming request to the correct certificate without ambiguity. It will serve the Let's Encrypt cert for standard subdomains and the dedicated Origin CA cert for the deep API subdomains.
Step 4: Update HAProxy Configuration for Stability (ALPN)
To ensure Cloudflare can efficiently negotiate modern protocols (like HTTP/2) with your origin server, update your HAProxy bind configuration to include the Application-Layer Protocol Negotiation (ALPN) flag.
- Open your HAProxy configuration file (usually
/etc/haproxy/haproxy.cfg). - Locate your frontend or listen block handling HTTPS traffic.
- Append
alpn h2,http/1.1to the bind line.
Example Configuration:
frontend https-in
# Bind to your port, point to the certs directory, and enable ALPN
bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
# Rest of your frontend configuration...
Step 5: Restart HAProxy and Validate
- Test your HAProxy configuration for syntax errors:
bash haproxy -c -f /etc/haproxy/haproxy.cfg - If the check passes, restart or reload the HAProxy service:
bash systemctl reload haproxy - Visit
test.api.example.comin your browser. The connection should now succeed, and the Error 525 should be resolved.