SSL 521 error: Cloudflare a-record pointing to DigitalOcean droplet

Posted August 24, 2020 1.2k views

I have read many posts about this issue but I am still having issue.

Client is using Cloudflare, Full SSL for their website.
I have a ubuntu digitalocean droplet with a web-app that needs SSL.
I have created the a-record WEBAPP in Cloudflare pointing to the IP of my digitalocean droplet. So, should answer at digitalocean with HTTPS. Note: http works fine.

I have confirmed firewall is accepted https and 443 is open.

I read documentation about adding a cert to the droplet but Let Encrypt says I need nameservers pointing to DigitalOcean.
**Is this a requirement? I would prefer to not have to move the nameservers since the only thing on digitalocean is this one app.

What I am missing here? Thanks!

1 comment
  • Background A 521 error happens when we are unable to make a TCP connection to your origin server. Specifically, Cloudflare tried to connect to your origin server on port 80 or 443, but received a connection refused error. For starters, your server is not configured for HTTPS.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
2 answers


Did you try to diagnose the problem with ? Can you give us a test result from there, please ?

  • The domain is being served through Cloudflare CDN. Any Let’s Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option ‘Full SSL (strict)’ be enabled.

  • I switched the FULL SSL (strict) but still does not work.

    What should I be doing on the Digital Ocean side?

    • Thank you for the result. Try the steps as below.

      1. In Cloudflare DNS settings turn off proxy for A record of the subdomain pointing your DO droplet. There is an orange cloud icon as a toggle, as it is on that picture:

      2. Obtain Let’s Encrypt certificate in your DO droplet.

      3. Turn the proxy on in Cloudflare DNS settings (and have Full SSL strict enabled)

      • For #2, what is the best way to do this? Certbot?

        I don’t have a FQDN so what should I use, the subdomain url?

        And to be clear, in #3 I am reversing what I did in #1, right? with that a-record?
        Thanks so much

        by Kathleen Juell
        by Erika Heidi
        Let's Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. In this tutorial, you will use Certbot to obtain a free SSL certificate for Apache on Ubuntu 18.04 and set up your certificate to renew automatically.
        • 2. Yes, certbot seems to bo the best way. Follow the tutorial from the link you provided. As you mentioned before, your website/app works fine through http, so the certbot should obtain certificate and configure Apache correctly for you.
          Actually, you have FQDN. From your example, it is; webapp is your hostname, and is your domain name. So, provide it as a value of parameter -d executing certbot, e.g.

          sudo certbot --apache -d

          3. Yes, exactly, you need to return to original configuration to get Cloudflare functionality. The point of turning proxy off first and turning it on at the end is to make your domain ‘visible’ as any other domain hold by common domain registrar. It is just for getting a certificate by certbot. I really wonder what result you will get on when you turn the proxy off.