Short answer. Error 525 means the TLS handshake between Cloudflare and your origin server failed. Cloudflare established a TCP connection but could not negotiate encryption. The main causes: the origin has no valid certificate on port 443, the Cloudflare SSL mode is Full (Strict) while the origin cert is self-signed or expired, or there is a cipher-suite mismatch. Start by checking the origin certificate with openssl.
What 525 means and where it breaks
525 is a TLS-handshake failure, not a TCP failure. The chain has two hops: browser ↔ Cloudflare (external TLS) and Cloudflare ↔ origin (internal TLS). Error 525 is about the second hop: Cloudflare opened a TCP connection to your server, started an SSL/TLS handshake, and could not finish it.
So 525 concerns only the internal TLS between Cloudflare and the origin. The visitor sees a valid padlock for the certificate Cloudflare serves at the edge, but behind it Cloudflare cannot negotiate a secure connection to your server.
Main causes of 525
| Cause | Fix |
|---|---|
| No certificate on the origin's port 443 | Install a valid cert (Let's Encrypt or Cloudflare Origin CA) |
| Full (Strict) mode + self-signed/expired cert | Install a trusted cert or temporarily switch to Full (not Strict) |
| Cipher-suite / TLS-version mismatch | Enable TLS 1.2/1.3 and modern ciphers on the origin |
| Origin not listening on 443 | Configure nginx/Apache for HTTPS |
| SNI misconfigured | Check server_name and the certificate for the right host |
Step 1. Check the origin certificate directly
Connect to the real origin IP and inspect the TLS handshake:
```bash
# origin = 203.0.113.10, domain example.com
# -servername sends SNI; without it nginx/Apache answer with the default vhost's cert.
# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input.
openssl s_client -connect 203.0.113.10:443 -servername example.com </dev/null
# Look for:
# Verify return code: 0 (ok)                        — cert is valid and chains to a trusted CA
# Verify return code: 10 (certificate has expired)  — expired
# Verify return code: 18 (self-signed certificate)  — self-signed
# "no peer certificate available" and no Verify line — handshake failed, or the origin serves no cert on 443
# Certificate validity dates:
echo | openssl s_client -connect 203.0.113.10:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
# Check chain and host match (curl validates the cert against the system trust store):
curl -Iv --resolve example.com:443:203.0.113.10 https://example.com
```
If openssl shows "self signed" or "expired" while Cloudflare is in Full (Strict) mode, that is your 525.
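To turn the Step 1 probe into a verdict, the following script (an added example, not code from the original article or from Cloudflare) runs openssl s_client against the origin and maps its output onto the 525 causes in the table. ORIGIN_IP and HOST are placeholders (assumptions); with LIVE=1 it probes the real origin, otherwise it classifies a constructed sample of what a self-signed origin prints.

```shell
#!/bin/sh
# Added example, not part of the original article: classify the openssl s_client
# output from the origin into one of the 525 causes. ORIGIN_IP and HOST are
# placeholders (assumptions). LIVE=1 runs the real probe; otherwise a constructed
# sample is classified so the script can be tried offline.
set -u

ORIGIN_IP="${ORIGIN_IP:-203.0.113.10}"   # the real origin, not a Cloudflare IP
HOST="${HOST:-example.com}"

# probe_origin: s_client with SNI, stdin closed so it does not wait for input.
probe_origin() {
  openssl s_client -connect "${ORIGIN_IP}:443" -servername "$HOST" </dev/null 2>&1
}

# classify_handshake: read s_client output on stdin and print "TOKEN: explanation".
# Protocol-level errors are matched before "no peer certificate available" because
# openssl prints that line after any failed handshake, not only when no cert is served.
classify_handshake() {
  out="$(cat)"
  if printf '%s\n' "$out" | grep -q 'Connection refused'; then
    echo "NO_LISTENER: nothing accepts TCP on 443; Cloudflare reports this as 521/522, not 525"
  elif printf '%s\n' "$out" | grep -qE 'wrong version number|handshake failure|unsupported protocol|no protocols available'; then
    echo "PROTO_MISMATCH: TLS version/cipher negotiation failed, or plain HTTP answers on 443 -> 525"
  elif printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
    echo "NO_CERT: TCP connected but the origin served no certificate -> 525"
  else
    # OpenSSL X509 verify result codes from the "Verify return code:" line
    code="$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n1)"
    case "${code:-none}" in
      0)     echo "OK: certificate verifies; if 525 persists, check SNI/server_name and ciphers" ;;
      9|10)  echo "EXPIRED: certificate not yet valid or expired; rejected by Full (Strict)" ;;
      18|19) echo "SELF_SIGNED: self-signed certificate; rejected by Full (Strict), accepted by Full" ;;
      20|21) echo "UNTRUSTED_ISSUER: issuer not in the local trust store; expected when checking a Cloudflare Origin CA cert from your own machine (Cloudflare trusts it), otherwise a missing intermediate" ;;
      *)     echo "UNKNOWN: verify code ${code:-none}; inspect the raw output" ;;
    esac
  fi
}

# Constructed sample (trimmed) of what a self-signed origin prints.
SAMPLE_SELF_SIGNED='CONNECTED(00000003)
depth=0 CN = example.com
verify error:num=18:self-signed certificate
---
Verify return code: 18 (self-signed certificate)'

if [ "${LIVE:-0}" = 1 ]; then
  probe_origin | classify_handshake
else
  printf '%s\n' "$SAMPLE_SELF_SIGNED" | classify_handshake
fi
```

Run it from a machine that can reach the origin IP directly (not through Cloudflare); a Cloudflare IP would test the edge certificate, which is never the cause of 525.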
Step 2. Check the Cloudflare SSL mode
- Flexible — Cloudflare ↔ origin over HTTP (does not cause 525, but insecure).
- Full — HTTPS to the origin, cert not strictly validated (accepts self-signed).
- Full (Strict) — HTTPS + strict cert validation (requires a trusted cert).
If the origin has a self-signed cert, Full (Strict) will produce 525. Either install a trusted certificate or temporarily switch to Full — but Strict is safer, so the right fix is a valid cert.
Step 3. Install Cloudflare Origin CA
The cleanest path is a free Cloudflare Origin CA certificate for the Cloudflare↔origin link:
- In the Cloudflare panel: SSL/TLS → Origin Server → Create Certificate.
- Install the issued cert and key on nginx/Apache.
- Set the mode to Full (Strict).
- Restart the web server and verify with openssl.
Step 4. Check TLS versions and ciphers
If the origin only supports legacy TLS 1.0/1.1, the handshake may fail. Enable TLS 1.2 and 1.3:
```nginx
# nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
```
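Steps 3 and 4 together amount to one nginx server block plus a config test and reload. The script below is an added example, not the article's own code and not a Cloudflare tool: it renders that server block for an Origin CA certificate with the protocol and cipher settings above, checks that the private key actually belongs to the certificate before nginx is reloaded, and verifies the result locally. HOST, CERT, KEY and CONF are placeholder values (assumptions); the default is a dry run that prints the config, APPLY=1 installs it.

```shell
#!/bin/sh
# Added example, not the article's own code: install the Cloudflare Origin CA
# certificate (Step 3) into an nginx HTTPS server block that carries the Step 4
# protocol/cipher settings, then test and reload. HOST, CERT, KEY and CONF are
# placeholders (assumptions). Default is a dry run; APPLY=1 writes and reloads.
set -eu

HOST="${HOST:-example.com}"
CERT="${CERT:-/etc/ssl/cloudflare/origin.pem}"   # cert from SSL/TLS -> Origin Server -> Create Certificate
KEY="${KEY:-/etc/ssl/cloudflare/origin.key}"     # its private key, shown once at creation
CONF="${CONF:-/etc/nginx/conf.d/${HOST}.conf}"

# render_vhost HOST CERT KEY: print the server block. server_name must equal the
# SNI name Cloudflare sends, otherwise nginx answers with another vhost's cert.
render_vhost() {
  host="$1"; cert="$2"; key="$3"
  cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${host};

    ssl_certificate     ${cert};
    ssl_certificate_key ${key};

    # Step 4: no TLS 1.0/1.1, no anonymous or MD5 suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /var/www/${host};
}
EOF
}

# check_keypair CERT KEY: succeed only if KEY is the private key for CERT
# (compares the public keys), the usual reason nginx -t rejects a fresh install.
check_keypair() {
  cert_pub="$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)"
  key_pub="$(openssl pkey -pubout -in "$2" | openssl sha256)"
  [ "$cert_pub" = "$key_pub" ]
}

if [ "${APPLY:-0}" = 1 ]; then
  check_keypair "$CERT" "$KEY" || { echo "private key does not match $CERT" >&2; exit 1; }
  chmod 600 "$KEY"
  render_vhost "$HOST" "$CERT" "$KEY" > "$CONF"
  nginx -t
  systemctl reload nginx
  # Local check: the Origin CA cert must be the one presented for HOST. openssl on
  # this box will report verify code 20 or 21 because the Origin CA root is not in
  # the system trust store; Cloudflare's edge trusts it, which is what Full (Strict) needs.
  echo | openssl s_client -connect 127.0.0.1:443 -servername "$HOST" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
else
  render_vhost "$HOST" "$CERT" "$KEY"
fi
```

Only after the local check shows the Origin CA certificate with the right subject should the Cloudflare mode be switched to Full (Strict); doing it in the other order produces a window in which every request fails.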
How enterno.io helps
The enterno.io SSL inspector shows the certificate chain, expiry, protocol, and ciphers of the origin, which immediately reveals the expired or mismatched cert behind a 525. SSL monitoring with a warning threshold at 14 days and a critical threshold at 3 days before expiry alerts you before the certificate goes stale. The HTTP checker confirms whether the origin is reachable independently of Cloudflare. Alerts: Telegram, Slack, email, webhook. enterno.io diagnoses and warns — the certificate and Cloudflare mode are configured by the owner.
FAQ
How is 525 different from 526?
526 (Invalid SSL Certificate) means the handshake completed but Cloudflare, in Full (Strict) mode, could not validate the certificate the origin presented (expired, self-signed, wrong hostname, untrusted issuer). 525 means the handshake itself never completed (no certificate, no HTTPS listener, protocol or cipher mismatch, SNI problem). Both are diagnosed with the same openssl checks, and in practice an expired or self-signed certificate under Full (Strict) sits behind many reports of either code.
Why does the visitor see a padlock but the site won't load?
The padlock is the browser↔Cloudflare TLS. 525 is a Cloudflare↔origin failure, hidden from the visitor.
Can I clear 525 quickly?
Temporarily — switch the SSL mode to Full (not Strict). Properly — install a valid certificate on the origin and return to Full (Strict).
Is Cloudflare Origin CA a substitute for Let's Encrypt?
Yes, for the Cloudflare↔origin hop it is ideal and free. But the Origin CA root is trusted only by Cloudflare's edge, not by browsers or system trust stores: anything that reaches the origin directly (direct IP access, your own monitoring, openssl from your laptop) will report the certificate as untrusted and needs a publicly trusted cert instead.
Next step: Inspect the certificate with the SSL inspector. See also SSL certificate monitoring and set up SSL monitoring.