Haproxy error - SSL handshake failed Error code 525

Host error

I upgraded from 2.7.2 to 2.8 and it worked for a couple of days, then Error code 525 showed up.
I uninstalled haproxy and acme, did the setup again, and everything worked for a day and then stopped working again.
Certificates are for local use only. Here is some information:
openssl s_client -servername pfsense.homeservers.fyi -host 192.168.1.1 -port 443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = *.homeservers.fyi
verify return:1

Certificate chain
 0 s:CN = *.homeservers.fyi
   i:C = US, O = Let's Encrypt, CN = R10
 1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

Server certificate
-----BEGIN CERTIFICATE-----
…Showing certificate - removed by my …
-----END CERTIFICATE-----
subject=CN = *.homeservers.fyi
issuer=C = US, O = Let's Encrypt, CN = R10


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 3125 bytes and written 388 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

DONE


dig pfsense.homeservers.fyi

; <<>> DiG 9.16.50-Debian <<>> pfsense.homeservers.fyi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49062
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pfsense.homeservers.fyi. IN A

;; ANSWER SECTION:
pfsense.homeservers.fyi. 300 IN A 104.21.54.30
pfsense.homeservers.fyi. 300 IN A 172.67.223.24

;; Query time: 12 msec
;; SERVER: 1.1.1.3#53(1.1.1.3)
;; WHEN: Mon Jun 16 10:37:29 EDT 2025
;; MSG SIZE rcvd: 77


dig @192.168.1.1 pfsense.homeservers.fyi

; <<>> DiG 9.16.50-Debian <<>> @192.168.1.1 pfsense.homeservers.fyi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;pfsense.homeservers.fyi. IN A

;; ANSWER SECTION:
pfsense.homeservers.fyi. 3600 IN A 192.168.1.1

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Jun 16 10:39:43 EDT 2025
;; MSG SIZE rcvd: 61

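The three captures above (public resolver, pfSense's own resolver, and a direct handshake to the LAN address) contain everything needed to tell a Cloudflare-side 525 apart from a broken origin. The script below is an added example, not code from the thread or from HAProxy/pfSense: it parses `dig` and `openssl s_client` output as text, checks whether the public answers fall inside Cloudflare's published IPv4 proxy ranges (the list is assumed current as of writing and should be refreshed from cloudflare.com/ips), checks whether the local answers are private addresses, verifies the origin certificate's CN covers the hostname, and summarises what that combination means. The embedded sample outputs are trimmed, constructed copies of the captures in this post, so it runs offline.

```python
"""Cross-check public vs. local DNS answers and the origin TLS handshake.

Added example for a Cloudflare 525 diagnosis; the sample inputs below are
constructed from the dig / s_client captures in the thread above.
"""
import ipaddress
import re

# Cloudflare IPv4 proxy ranges as published at time of writing (assumption:
# refresh from https://www.cloudflare.com/ips/ before relying on this list).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Only answer-section A records carry a TTL; the question line does not match.
DIG_A_RE = re.compile(r"^(\S+?)\.?\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)
DIG_SERVER_RE = re.compile(r"^;; SERVER: (\S+?)#\d+", re.M)


def parse_dig(text):
    """Return (resolver address, [A-record addresses]) from dig's text output."""
    server = DIG_SERVER_RE.search(text)
    answers = [ipaddress.ip_address(ip) for _, _, ip in DIG_A_RE.findall(text)]
    return (server.group(1) if server else None, answers)


def is_cloudflare(ip):
    return any(ip in net for net in CLOUDFLARE_V4)


def parse_s_client(text):
    """Pull the fields relevant to a 525 out of `openssl s_client` output."""
    m_subject = re.search(r"^subject=.*?CN\s*=\s*([^,\n]+)", text, re.M)
    m_verify = re.search(r"^Verify return code: (\d+) \((.*?)\)", text, re.M)
    m_proto = re.search(r"^New, (\S+), Cipher is (\S+)", text, re.M)
    return {
        "cn": m_subject.group(1).strip() if m_subject else None,
        "verify_code": int(m_verify.group(1)) if m_verify else None,
        "protocol": m_proto.group(1) if m_proto else None,
        "cipher": m_proto.group(2) if m_proto else None,
    }


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' only as the leftmost label, covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def diagnose(hostname, public_dig, local_dig, s_client_out):
    """Combine the three captures into a small report with human-readable findings."""
    pub_srv, pub_ips = parse_dig(public_dig)
    loc_srv, loc_ips = parse_dig(local_dig)
    tls = parse_s_client(s_client_out)
    report = {
        "public_ips": [str(i) for i in pub_ips],
        "local_ips": [str(i) for i in loc_ips],
        "public_proxied": bool(pub_ips) and all(is_cloudflare(i) for i in pub_ips),
        "local_private": bool(loc_ips) and all(i.is_private for i in loc_ips),
        "origin_verify_ok": tls["verify_code"] == 0,
        "cert_matches_host": tls["cn"] is not None and name_matches(tls["cn"], hostname),
        "findings": [],
    }
    f = report["findings"]
    if report["public_proxied"] and report["local_private"]:
        f.append(f"split horizon: {pub_srv} returns Cloudflare proxy addresses, "
                 f"{loc_srv} returns the LAN origin; a client resolving via {pub_srv} "
                 f"never talks to the origin directly")
    if report["public_proxied"]:
        f.append("525 is raised by Cloudflare when its own TLS handshake to the origin "
                 "fails; the origin must present a certificate Cloudflare accepts, or "
                 "the record must be unproxied")
    if report["origin_verify_ok"] and report["cert_matches_host"]:
        f.append(f"direct origin handshake is healthy ({tls['protocol']}, {tls['cipher']}, "
                 f"CN {tls['cn']} covers {hostname})")
    elif not report["cert_matches_host"]:
        f.append(f"origin certificate CN {tls['cn']} does not cover {hostname}")
    return report


# Constructed, trimmed copies of the captures in the post above.
PUBLIC_DIG = """;; ANSWER SECTION:
pfsense.homeservers.fyi.\t300\tIN\tA\t104.21.54.30
pfsense.homeservers.fyi.\t300\tIN\tA\t172.67.223.24

;; SERVER: 1.1.1.3#53(1.1.1.3)
"""
LOCAL_DIG = """;; ANSWER SECTION:
pfsense.homeservers.fyi.\t3600\tIN\tA\t192.168.1.1

;; SERVER: 192.168.1.1#53(192.168.1.1)
"""
S_CLIENT = """subject=CN = *.homeservers.fyi
issuer=C = US, O = Let's Encrypt, CN = R10
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for line in diagnose("pfsense.homeservers.fyi", PUBLIC_DIG, LOCAL_DIG, S_CLIENT)["findings"]:
        print("-", line)
```

Run against real captures by piping `dig` and `openssl s_client -servername <host> -connect <ip>:443` output into the three arguments; the interesting case is exactly the one in this thread, where the direct handshake is healthy but the public name resolves to the proxy, so the 525 has to be debugged on the Cloudflare-to-origin leg rather than on the LAN.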
If you are using Cloudflare with your DNS records as a proxy, then you need to make sure you have all the proper certificates. Otherwise, remove the proxy from the DNS record on Cloudflare and use a proper Let's Encrypt cert.

I figured it out. It was my fault: I set up HAProxy from one computer and moved to another one later on to check status, not realizing that the 2nd computer had a static IP and DNS was set up for Cloudflare and not locally. Thank you for your response.

1 Like

Thanks for sharing the update! That kind of setup issue can sneak past unnoticed, especially when switching machines. Good to hear you figured it out. For anyone else reading along, this is a solid reminder to double-check local DNS settings when troubleshooting SSL or HAProxy issues.

1 Like