🐛 BUG: Error: Origin SSL Handshake Error (525) when making requests to deepl API

[Zombobot1]

Which Cloudflare product(s) does this pertain to?

Workers/Other

What version of Wrangler are you using?

3.1.0

What operating system are you using?

Mac

Describe the Bug

It is impossible to query deepl API from workers.

The bug was first mentioned in August 2021 on the forum. It was stated that "this is typically caused by a configuration issue in the origin web server". I opened a corresponding issue in their repo and they concluded that "the problem lies with cloudflare workers". Can you take a look at this problem? Other services might be unreachable as well.

Deepl is a very popular product and it is sad that it can be used with workers.

Code to reproduce

const deepLUrl = 'https://api-free.deepl.com/v2/translate'
const text = 'I like my cat'
const to = 'de'
const from = 'en'

const resp = await fetch(deepLUrl, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    Authorization: `DeepL-Auth-Key ${env.DEEPL}`,
  },
  body: `text=${encodeURIComponent(text)}&target_lang=${to.toUpperCase()}&source_lang=${from.toUpperCase()}`,
})
if (!resp.ok) throw new Error(`DeepL error (${resp.status}) ` + resp.statusText) // throws in workers
const response = await resp.json()
response.translations[0].text // works in node

[penalosa]

I'm going to transfer this to the workerd repo, since they're probably better placed to solve the underlying issue. I was able to reproduce it with:

export default {
	async fetch(request, env, ctx) {
		return await fetch("https://api-free.deepl.com/v2/translate");
	},
};

which returns a 525 when deployed, but a 403 (correctly) when running locally

[kentonv]

@Zombobot1 Can you please make sure your zone's SSL mode is "Full" and not "Flexible"? Let me know if that solves the problem.

[Zombobot1]

I asked the deepl team about this and they cannot find this setting. Could you please explain this in more detail?

[kentonv]

This is not a problem with deepl, it's an issue with your Cloudflare account where you're hosting your Worker. I believe you may have your SSL mode set to "Flexible" and you're running into a bug with that.

On https://dash.cloudflare.com, log in and open your zone (domain), and then look for this in the sidebar:

On that page, the setting looks like this:

Please make sure it's set to one of Full, Full (strict), or Strict.

Let me know if that helps.

[Zombobot1]

Probably I'm missing something. I have my worker on ub-ai.unni.workers.dev. Why should I change the encryption mode on my website?

---

I added a custom domain to my worker:

For this domain (theunni.com) I selected full ssl mode

I still get 525 error when I'm requesting deepl from my worker on api.theunni.com

Have I missed something?

[kentonv]

Oh, right... if this is on workers.dev, then SSL mode shouldn't be an issue. Darn, I guess that's not it then.

Somehow it seems like deepl's SSL server configuration and the way Cloudflare behaves as an SSL client are not compatible with each other. I'm afraid this is outside my area of knowledge since SSL termination occurs outside of the Workers system, but I'll see if I can ping someone...

[tomardern]

hey @kentonv - we're getting the same error when trying to connect to DeepL API.

We're running on cloudflare workers - on the workers.dev domain (and therefore do not have a zone setup).

Any ideas?

[kentonv]

@irvinebroque Any updates on this?

[Omarov3000]

We had to move our project to AWS because of this problem 😞.

[irvinebroque]

Hey @Omarov3000 and @tomardern — digging into this internally, thanks for flagging.

[tomardern]

Amazing, thank you @irvinebroque :) Very much appreciated.

[Acterion]

We're very keen on adopting Cloudflare for our organization, but the occurrence of this issue is a significant roadblock. Some of our engineers believe this problem violates our enterprise tech adoption policy, especially since it's been noted for other APIs as well. We would greatly appreciate any updates on the progress of this issue resolution.

[tomardern]

hi @irvinebroque - hope you had a good weekend. It's been three weeks since the last update. Has any further progress been made?

[gas9000]

We also had to move back to AWS at my company because of this issue 🙁. I hope to get some updates on the progress of this issue resolution too.

[tomardern]

Sorry to be "that guy - but is there any update here @irvinebroque?

[irvinebroque]

Relevant teams have identified the issue, and expect to address towards the end of this year (2023).

Since this issue is not about the open-source Workers Runtime, closing this issue. If you have further questions, please contact Cloudflare support.

[tomardern]

👍 Thanks for the update @irvinebroque.

Based on the 525 handshake error, we've moved away from DeepL and instead found that the new Cloudflare Workers AI Translation model is good enough for our needs: https://developers.cloudflare.com/workers-ai/models/translation/ It's not perfect, doesn't allow "excluded terms" or anything fancy, but it may be a good stop-gap until this issue is fixed.

[CNSeniorious000]

Based on the 525 handshake error, we've moved away from DeepL and instead found that the new Cloudflare Workers AI Translation model is good enough for our needs: https://developers.cloudflare.com/workers-ai/models/translation/ It's not perfect, doesn't allow "excluded terms" or anything fancy, but it may be a good stop-gap until this issue is fixed.

Hey @tomardern - I encountered exactly the same problem as yours. Cloudflare hosted AI translators is not perfect for me so I migrated to DeepL. But when I call DeepL's API on Vercel Edge Runtime, I meet the same strange 525 error.

How I solve this is simply to start a proxy service for it. It is easy to start a proxy service on Netlify, just using a netlify.toml like this:

[[redirects]]
  from = "/*"
  to = "https://api-free.deepl.com/:splat"
  status = 200

Then runs in the same directory:

netlify deploy -d . -p

This works well for me.

[kiwiflydream]

Relevant teams have identified the issue, and expect to address towards the end of this year (2023).

Since this issue is not about the open-source Workers Runtime, closing this issue. If you have further questions, please contact Cloudflare support.

This issue still exists as of the current date (2024-01-05)

[tbrockman]

And adding another comment as someone who encountered this, was looking to use Cloudflare Workers, and will now be investigating alternatives instead.

[Boscop]

I just ran into this issue as well, when calling DeepL API from my worker.
Can you please reopen this issue?

I'm wondering why this is apparently so hard to fix..
Did anyone find a workaround? :)

[Boscop]

@tomardern Hey, do you know where I can find the list of languages supported by workers-ai?
This page just says "languages: english, chinese, french, spanish, arabic, russian, german, japanese, portuguese, hindi" but it links to this page which says "In this work, we create a true Many-to-Many multilingual translation model that can translate directly between any pair of 100 languages." but it doesn't say which languages it supports!
So I'm wondering, what's the full list of supported languages of workers-ai (@cf/meta/m2m100-1.2b)?

[lolandkidtress]

This issue still exists 2024-07-19

[J-Giggles]

This issue still exists 2024-08-02. Looks like I will be deploying the API on another service

[J-Giggles]

For anyone who needs help understanding the Netlify workaround. This works:)

Steps to Set Up a Proxy Service on Netlify

1. Create a Project Directory in your current project or else ware:

mkdir my-netlify-proxy
cd my-netlify-proxy

2. Create a netlify.toml file inside your new directory.

3. Configure Netlify with netlify.toml:

[[redirects]]
  from = "/*"
  to = "https://api-free.deepl.com/:splat"
  status = 200

Optional: If you don't have Netlify installed

npm install netlify-cli -g

4. Deploy to Netlify: Run the following command in the terminal from the project directory to deploy it to Netlify.

netlify deploy -d . -p

Now you can just switch out the current https://api-free.deepl.com/ URL in your workers app to send to the URL of the Netlify proxy you have just hosted:)

Give me a smiley if this helped you:)

[sayhicoelho]

Facing the same issue here 😥

Can't use DeepL API with CF Workers.

[EvilIrving]

This issue still exists 2024-10-10

[MurmeltierS]

still a issue (wtf)

[OultimoCoder]

@irvinebroque Any update on this issue?

[super-morris]

@cloudflare come on.... 1 1/2 years?

[stan-devproject]

Same issue :( Big thanks to @J-Giggles and @CNSeniorious000 for netlify proxy hack, worked for me. But Cloudflare definitely should fix that!

[OultimoCoder]

yeah but fuck relying on an external proxy, cmon Cloudflare

[alexanderniebuhr]

@irvinebroque Hope you are doing well? I'm currently working with a client, migrating their whole backend to workers, even using the new workflows.. However this issue starts to block the migration, they do have an enterprise plan.. Can we get this issue fixed internally at CF, please? Or can you share any workarounds using CF platform, e.g. page rules, etc.?