
Cloudflare 525 SSL Handshake Failed Fix

Short answer. Error 525 means the TLS handshake between Cloudflare and your origin server failed. Cloudflare established a TCP connection but could not negotiate encryption. The main causes: the origin has no valid certificate on port 443, the Cloudflare SSL mode is Full (Strict) while the origin cert is self-signed or expired, or there is a cipher-suite mismatch. Start by checking the origin certificate with openssl.

What 525 means and where it breaks

525 is a TLS-handshake failure, not a TCP failure. The chain is: browser ↔ Cloudflare (external TLS) and Cloudflare ↔ origin (internal TLS). Error 525 is about the second half. Cloudflare attempted an SSL/TLS negotiation with your server and could not finish the handshake.

525 is the internal TLS between Cloudflare and the origin. The visitor sees a green padlock to Cloudflare, but behind the scenes Cloudflare cannot connect securely to your server.

Main causes of 525

Cause                                         | Fix
No certificate on the origin's port 443       | Install a valid cert (Let's Encrypt or Cloudflare Origin CA)
Full (Strict) mode + self-signed/expired cert | Install a trusted cert or temporarily switch to Full (not Strict)
Cipher-suite / TLS-version mismatch           | Enable TLS 1.2/1.3 and modern ciphers on the origin
Origin not listening on 443                   | Configure nginx/Apache for HTTPS
SNI misconfigured                             | Check server_name and the certificate for the right host

Step 1. Check the origin certificate directly

Connect to the real origin IP and inspect the TLS handshake:

# origin = 203.0.113.10, domain example.com
openssl s_client -connect 203.0.113.10:443 -servername example.com

# Look for:
#   Verify return code: 0 (ok)            — cert is valid
#   Verify return code: 18 (self signed)  — self-signed
#   "no peer certificate available"       — origin serves no cert

# Certificate validity dates:
echo | openssl s_client -connect 203.0.113.10:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

# Check chain and host match:
curl -Iv --resolve example.com:443:203.0.113.10 https://example.com

If openssl shows "self signed" or "expired" while Cloudflare is in Full (Strict) mode, that is your 525.
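As an added example (not part of the original article), the POSIX shell script below turns the Step 1 checks into a small reusable diagnostic. classify_handshake() reads a saved `openssl s_client` transcript and maps its "Verify return code" or error line to one of the 525 causes in the table above (the numeric codes 0, 10, 18, 19 and 21 are OpenSSL's own X.509 verify codes); days_until_expiry() and alert_level() turn the `notAfter=` line from `openssl x509 -noout -dates` into an expiry countdown using the 14-day and 3-day thresholds mentioned later in the article. The function names are mine, the transcripts are constructed and abridged samples rather than captures from a real origin, and date parsing assumes GNU date.

```shell
#!/bin/sh
# Added example, not the article's own code. Classifies a saved
# `openssl s_client` transcript and computes days until certificate expiry.
# All sample data below is constructed.

# Read an s_client transcript on stdin and print one of:
#   tls-mismatch | no-cert | expired | self-signed | incomplete-chain | ok | unknown
# Patterns are matched most-specific first: a protocol/cipher failure also
# prints "no peer certificate available", so it must be tested before no-cert.
classify_handshake() {
  out=$(cat)
  case "$out" in
    # TLS version or cipher negotiation failed before any certificate arrived
    *"alert handshake failure"* | *"alert protocol version"* | *"no protocols available"*)
      echo tls-mismatch ;;
    # Origin is not speaking TLS on that port (plain HTTP on 443, or nothing at all)
    *"no peer certificate available"* | *"wrong version number"*)
      echo no-cert ;;
    *"Verify return code: 10 (certificate has expired)"*)
      echo expired ;;
    # 18 = leaf is self-signed, 19 = self-signed root in the served chain
    *"Verify return code: 18 (self"* | *"Verify return code: 19 (self"*)
      echo self-signed ;;
    # 21 = leaf cannot be chained to a trusted root (intermediate missing)
    *"Verify return code: 21 (unable to verify the first certificate)"*)
      echo incomplete-chain ;;
    *"Verify return code: 0 (ok)"*)
      echo ok ;;
    *)
      echo unknown ;;
  esac
}

# Whole days left before the certificate in a "notAfter=<date>" line expires.
# $1: the line, e.g. "notAfter=Jun  1 00:00:00 2027 GMT"
# $2: reference time as a Unix epoch (defaults to now); passing it explicitly
#     keeps the result deterministic for the samples below.
days_until_expiry() {
  not_after=${1#notAfter=}
  now=${2:-$(date -u +%s)}
  expiry=$(date -u -d "$not_after" +%s)   # GNU date; BSD/macOS: date -j -f "%b %d %T %Y %Z"
  echo $(( (expiry - now) / 86400 ))
}

# Severity using the thresholds from the monitoring section: warning at 14 days, critical at 3.
alert_level() {
  if [ "$1" -le 3 ]; then echo critical
  elif [ "$1" -le 14 ]; then echo warning
  else echo ok
  fi
}

# Constructed, abridged transcripts (the shape of OpenSSL 1.1/3.x output)
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = example.com
---
Verify return code: 0 (ok)'
SAMPLE_SELF_SIGNED='CONNECTED(00000003)
depth=0 CN = example.com
verify error:num=18:self signed certificate
---
Verify return code: 18 (self signed certificate)'
SAMPLE_EXPIRED='CONNECTED(00000003)
verify error:num=10:certificate has expired
---
Verify return code: 10 (certificate has expired)'
SAMPLE_NO_TLS='CONNECTED(00000003)
error:0A00010B:SSL routines::wrong version number
---
no peer certificate available'
SAMPLE_NOT_AFTER='notAfter=Jun  1 00:00:00 2027 GMT'
REF_EPOCH=1810944000   # constructed "now": 2027-05-22 00:00:00 UTC, 10 days before expiry

# Demo run. Against a real origin, replace a sample with:
#   echo | openssl s_client -connect 203.0.113.10:443 -servername example.com 2>&1 | classify_handshake
for s in "$SAMPLE_OK" "$SAMPLE_SELF_SIGNED" "$SAMPLE_EXPIRED" "$SAMPLE_NO_TLS"; do
  printf '%s\n' "$s" | classify_handshake
done
days=$(days_until_expiry "$SAMPLE_NOT_AFTER" "$REF_EPOCH")
echo "days until expiry: $days ($(alert_level "$days"))"
```

Any result other than ok under Full (Strict) is a 525 candidate; self-signed, expired and incomplete-chain point at the certificate, tls-mismatch at the protocol/cipher settings of Step 4, and no-cert at a server that is not serving TLS on 443 at all.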

Step 2. Check the Cloudflare SSL mode

  • Flexible — Cloudflare ↔ origin over HTTP (does not cause 525, but insecure).
  • Full — HTTPS to the origin, cert not strictly validated (accepts self-signed).
  • Full (Strict) — HTTPS + strict cert validation (requires a trusted cert).

If the origin has a self-signed cert, Full (Strict) will produce 525. Either install a trusted certificate or temporarily switch to Full — but Strict is safer, so the right fix is a valid cert.

Step 3. Install Cloudflare Origin CA

The cleanest path is a free Cloudflare Origin CA certificate for the Cloudflare↔origin link:

  1. In the Cloudflare panel: SSL/TLS → Origin Server → Create Certificate.
  2. Install the issued cert and key on nginx/Apache.
  3. Set the mode to Full (Strict).
  4. Restart the web server and verify with openssl.

Step 4. Check TLS versions and ciphers

If the origin only supports legacy TLS 1.0/1.1, the handshake may fail. Enable TLS 1.2 and 1.3:

# nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
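The following nginx server block is an added example, not the article's own configuration, that puts Step 3 (installing the Cloudflare Origin CA certificate and key) and Step 4 (TLS 1.2/1.3 with modern ciphers) together in one place. The file paths, the hostname example.com and the web root are placeholders to be replaced with your own.

```nginx
# Added example, not from the original article. Placeholder paths and hostnames.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # Must match the hostname Cloudflare sends in SNI, otherwise nginx may
    # answer with the default server's certificate (the "SNI misconfigured" row).
    server_name example.com www.example.com;

    # Certificate and key issued under SSL/TLS -> Origin Server -> Create Certificate.
    # Keep the key readable by root only (e.g. chmod 600).
    ssl_certificate     /etc/ssl/cloudflare/example.com.origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare/example.com.origin.key;

    # Step 4: refuse legacy TLS 1.0/1.1 and weak ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /var/www/example.com;   # placeholder document root
    index index.html;
}

# Optional: anything that still arrives as plain HTTP is sent to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```

After `nginx -t` and a reload, re-run the Step 1 openssl check. Note that the Origin CA root is not in public trust stores, so `openssl s_client` without `-CAfile` pointing at Cloudflare's Origin CA root will still report a verify error for this certificate; that is expected for an Origin CA cert and is not the cause of a 525. What matters is that the certificate is served on 443 for the right server_name and that Cloudflare, which does trust its own Origin CA, completes the handshake in Full (Strict) mode.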

How enterno.io helps

The enterno.io SSL inspector shows the certificate chain, expiry, protocol, and ciphers of the origin, which immediately reveals the expired or mismatched cert behind a 525. SSL monitoring with a warning threshold at 14 days and a critical threshold at 3 days before expiry alerts you before the certificate goes stale. The HTTP checker confirms whether the origin is reachable independently of Cloudflare. Alerts: Telegram, Slack, email, webhook. enterno.io diagnoses and warns — the certificate and Cloudflare mode are configured by the owner.

FAQ

How is 525 different from 526?

526 (Invalid SSL Certificate) means the origin cert is invalid under Strict validation. 525 means the handshake never completed. The causes often overlap: an expired cert under Full (Strict).

Why does the visitor see a padlock but the site won't load?

The padlock is the browser↔Cloudflare TLS. 525 is a Cloudflare↔origin failure, hidden from the visitor.

Can I clear 525 quickly?

Temporarily — switch the SSL mode to Full (not Strict). Properly — install a valid certificate on the origin and return to Full (Strict).

Is Cloudflare Origin CA a substitute for Let's Encrypt?

Yes, for Cloudflare↔origin traffic it is ideal and free. But it is only trusted inside Cloudflare — direct access to the origin needs a public cert.

Next step: Inspect the certificate with the SSL inspector. See also SSL certificate monitoring and set up SSL monitoring.
