Getting Cloudflare 521 Error After Upgrade to 3.5.0.beta8-dev

Hi everyone,

After updating my Discourse site to 3.5.0.beta8-dev, I’m suddenly getting a 521 “Web server is down” error when accessing the site through Cloudflare. This is unexpected since I had previously configured it according to this guide, and it had been working perfectly until now.

Then I tried changing the SSL/TLS encryption mode in Cloudflare from Full (Strict) to Flexible, and the site loaded again.

Does anyone know why this might be happening after the update?
Is there something new in 3.5.0.beta8-dev that could affect Cloudflare compatibility or HTTPS handling?

Any help or suggestions would be greatly appreciated!

Thanks in advance!

I am running 3.5.0.beta8-dev with Full (strict) SSL with Cloudflare and do not have any issues.

A couple of things to check:

  • Check your Let’s Encrypt - Review your upgrade log and validate everything was rebuilt correctly.
  • Check for any external firewall changes (DigitalOcean provides external firewalls)

The 521 and switching to Flexible indicates your server is not set up with HTTPS.

Thanks for the suggestions! @LotusJeff

I’ve checked my SSL setup, and I’m not using Let’s Encrypt; I generated an Origin Certificate from Cloudflare and placed the key and cert here:

I did a full rebuild after checking. But I’m still getting a 521 error when Cloudflare is set to Full (Strict).

Here’s the template section from my app.yml for reference:

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  ## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  # - "templates/web.letsencrypt.ssl.template.yml"
  - "templates/cloudflare.template.yml"

expose:
  - "80:80"   # http
  - "443:443" # https

Thanks again for taking the time to help!

Working from memory, Cloudflare certs have a 90-day duration. This will require you to create new certs every 3 months. Do you remember how old your certs are?

The default setting is to use Let’s Encrypt. The system will auto renew your certs for you. One less thing to manage manually.

Cloudflare now provides certificates that are valid for up to 15 years; mine is still within the valid period.

That said, just to be sure, I also tried generating a new certificate and replaced the existing one, but I still got the same problem.

If I want to switch back to the default setup using Let’s Encrypt, is it enough to simply:

  1. Uncomment this line in app.yml:
     - "templates/web.letsencrypt.ssl.template.yml"
  2. And set Cloudflare’s SSL mode to Full?

I have never made the transition from private certificates to Let’s Encrypt with Discourse, and with that said…

Within the app.yml, you will need to uncomment in two locations:

  1. Template line for - "templates/web.letsencrypt.ssl.template.yml"
  2. The Let’s Encrypt account email:
## If you added the Let's Encrypt template, uncomment below to get a free SSL certificate
  LETSENCRYPT_ACCOUNT_EMAIL: <add your email address here>

If you made any other manual changes to templates for custom SSL certificates, they will need to be reverted to the standard settings.

The Let’s Encrypt component is located towards the end when you rebuild the app. Keep an eye out for it and see if you receive any error codes.

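A pre-rebuild consistency check for the app.yml settings discussed in this thread, as an added example (not code from the thread or from Discourse). It goes slightly beyond the last reply by also checking the port 443 mapping. The function names and finding codes are hypothetical, the line-based parsing assumes the standard app.yml layout, and the sample configs are constructed from the templates section quoted above.

```python
import re

SSL_TPL = "templates/web.ssl.template.yml"
LE_TPL = "templates/web.letsencrypt.ssl.template.yml"

def parse_app_yml(text):
    """Line-based scan (no YAML library): enabled templates, exposed ports, LE email."""
    templates, ports, email, section = [], [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drops comments and commented-out lines
        if not line:
            continue
        if top := re.match(r"^(\w+):\s*$", line):   # top-level key that opens a block
            section = top.group(1)
        item = re.match(r'^\s*-\s*"?([^"]+?)"?$', line)
        if item and section == "templates":
            templates.append(item.group(1))
        elif item and section == "expose":
            ports.append(item.group(1))
        if kv := re.match(r"^\s+LETSENCRYPT_ACCOUNT_EMAIL:\s*(\S.*)$", line):
            email = kv.group(1).strip("'\"")
    return templates, ports, email

def https_findings(text):
    """Return (code, message) pairs for the HTTPS settings discussed in the thread."""
    templates, ports, email = parse_app_yml(text)
    has_ssl, has_le = SSL_TPL in templates, LE_TPL in templates
    checks = [
        (not has_ssl, "no-ssl-template", "web.ssl template is disabled"),
        (not any(p.split(":")[0] == "443" for p in ports), "443-not-exposed",
         "host port 443 is not mapped into the container"),
        (has_le and (email is None or "@" not in email), "le-email-missing",
         "LETSENCRYPT_ACCOUNT_EMAIL is commented out or still a placeholder"),
        (has_ssl and not has_le, "manual-cert",
         "no Let's Encrypt template: certificate and key are supplied and renewed by hand"),
    ]
    return [(code, msg) for hit, code, msg in checks if hit]

# Constructed samples: the poster's setup, then the same file half-switched to Let's Encrypt.
POSTER = """templates:
  - "templates/web.ssl.template.yml"
  # - "templates/web.letsencrypt.ssl.template.yml"
expose:
  - "80:80"
  - "443:443"
"""
SWITCHED = POSTER.replace("# - ", "- ") + "env:\n  LETSENCRYPT_ACCOUNT_EMAIL: <add your email address here>\n"

if __name__ == "__main__":
    print(https_findings(POSTER), https_findings(SWITCHED))
```

An empty result only means the configuration is internally consistent; the rebuild log still has to be read for Let’s Encrypt errors, as the reply above says.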