Cloudflare Error 525: What It Means and How to Fix It

Appears on: Sites using Cloudflare. Error 525 SSL Handshake Failed means Cloudflare reached the origin server on port 443 over TCP but could not complete the TLS handshake: the origin is not speaking TLS on that port, has no certificate to present for the requested hostname, or shares no TLS version or cipher suite with Cloudflare. It only occurs when Cloudflare's SSL/TLS encryption mode is Full or Full (Strict), because those are the modes in which Cloudflare connects to the origin over HTTPS.

What Cloudflare 525 actually means

Cloudflare operates as a TLS termination proxy: your visitors connect to Cloudflare over TLS, and Cloudflare opens a second, separate TLS connection to your origin server. 525 fires when that second connection cannot be established. The TCP connection to port 443 succeeded (a TCP failure is reported as 522 instead) but the TLS handshake on top of it failed. In practice that means the origin is not speaking TLS on port 443 at all, cannot select a certificate for the SNI hostname Cloudflare sends, or offers no TLS version or cipher suite that Cloudflare will negotiate. Certificate validity problems (expired, self-signed, untrusted issuer) are a different failure: under Full the certificate is not validated at all, and under Full (Strict) a validation failure is reported as 526, not 525.

Most likely causes (ranked)

  1. No TLS on the origin at all: port 443 is open but serves plain HTTP, or nothing, because no certificate was ever installed
  2. Cloudflare SSL/TLS mode recently changed from Flexible to Full or Full (Strict) while the origin was only ever set up for HTTP
  3. Origin only offers TLS 1.0/1.1, or a cipher list Cloudflare will not negotiate; enable TLS 1.2 or 1.3 with modern cipher suites
  4. Origin does not support SNI, or has no virtual host for the hostname Cloudflare sends, so it cannot select a certificate for the request
  5. Origin certificate or chain problems (expired, missing intermediates, self-signed). Under Full these are not validated, and under Full (Strict) they are reported as 526 rather than 525, so when you see 525 look at causes 1 to 4 first

How to fix Cloudflare 525

Step 1: Verify SSL is active on the origin

Test from a command line, against the origin IP rather than the domain name so the test bypasses Cloudflare. The -servername option sends the hostname as SNI, which is what Cloudflare does:

openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com

If the output contains "wrong version number", port 443 is answering with something that is not TLS (usually plain HTTP). If the connection is refused or times out, the port is not reachable at all, which Cloudflare would report as 522 rather than 525. In both cases install a certificate and enable HTTPS on the origin before proceeding. An "unrecognized name" alert means the origin has no virtual host for the SNI hostname; fix the server name configuration.

Step 2: Temporary workaround — switch to Flexible SSL

In Cloudflare dashboard → SSL/TLS → Overview → set to Flexible. This tells Cloudflare to connect to the origin over plain HTTP on port 80. Use it only as a stopgap while you install a proper origin certificate: Flexible mode leaves the Cloudflare-to-origin leg unencrypted, and if the origin redirects HTTP to HTTPS it will produce a redirect loop, so disable any such redirect while Flexible is in effect.

Step 3: Renew or reinstall the origin certificate

If the certificate is expired, renew it. For Let's Encrypt, certbot renew on its own only renews certificates within 30 days of expiry; --force-renewal renews regardless:

certbot renew --force-renewal

Reload the web server afterwards (or use a certbot deploy hook), otherwise it keeps serving the old certificate from memory even though the file on disk is new. Then verify the certificate chain is complete: the origin must serve the leaf certificate plus all intermediates. Test with openssl s_client against the origin and look for "Verify return code: 0 (ok)". Code 21 "unable to verify the first certificate" or 20 "unable to get local issuer certificate" means an intermediate is missing or the issuer is not in your trust store; code 10 means the served certificate has expired.

Step 4: Ensure TLS 1.2+ is enabled on the origin

In Nginx, set:

ssl_protocols TLSv1.2 TLSv1.3;

In Apache (httpd.conf or ssl.conf):

SSLProtocol -all +TLSv1.2 +TLSv1.3

Test the configuration (nginx -t or apachectl configtest) and reload the web server after changes. The +TLSv1.3 token requires Apache 2.4.36 or later built against OpenSSL 1.1.1 or later; on older builds leave it out.

Step 5: Install a Cloudflare Origin Certificate

Cloudflare dashboard → SSL/TLS → Origin Server → Create Certificate. This generates a free certificate (15 years by default) signed by Cloudflare's Origin CA. It is trusted by Cloudflare only: browsers and openssl do not trust the Origin CA, so it works only for hostnames proxied through Cloudflare, and a direct visit to the origin shows a certificate warning. Install the certificate and its private key on the origin, point the web server at them, reload, then set the encryption mode to Full (Strict) for end-to-end encrypted connections. When you verify with openssl s_client, expect "unable to get local issuer certificate" unless you pass -CAfile with the Cloudflare Origin CA root certificate published in Cloudflare's Origin CA documentation.
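The following script is an added example for this guide, not code from Cloudflare or from the original page. It bundles the two checks the steps above rely on: before installing a certificate (Steps 3 and 5), confirm that the certificate file matches its private key and is not about to expire; after installing it (Step 1 again), run the same handshake Cloudflare attempts, to the origin IP with the hostname sent as SNI, and turn openssl s_client's output into a verdict that separates the 525 cases (no TLS, SNI rejected, no protocol or cipher in common) from the 526 case (handshake completed, chain did not validate). The script name, the hostname yourdomain.com, the IP 203.0.113.10 (RFC 5737 documentation range), the file paths and the optional Origin CA root file are placeholders you supply.

```sh
#!/bin/sh
# check_origin_tls.sh: added example for this guide, not code from Cloudflare or
# the original page. Two checks a practitioner runs around Steps 1, 3 and 5:
#   pair  - does the certificate about to be installed match its private key,
#           and is it far from expiry?
#   probe - does ORIGIN_IP:443 complete the handshake Cloudflare attempts (with
#           SNI), and does the result point at 525 or 526?
#
# Usage (hostname, IP and paths are placeholders; 203.0.113.10 is from the
# RFC 5737 documentation range):
#   sh check_origin_tls.sh pair  /etc/ssl/origin.pem /etc/ssl/origin.key
#   sh check_origin_tls.sh probe yourdomain.com 203.0.113.10 [origin_ca_root.pem]

# check_pair CERT KEY: prints "ok", "key-mismatch" or "expiring".
check_pair() {
    cert=$1
    key=$2
    # Both commands print the SubjectPublicKeyInfo as PEM; a matching pair
    # yields byte-identical output. A mismatch makes nginx/Apache refuse the
    # certificate, which is how a "fixed" origin ends up still failing.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        printf 'key-mismatch\n'
        return 0
    fi
    # -checkend exits non-zero if the certificate expires within N seconds
    # (7 days here), which is the window in which to renew.
    if ! openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null; then
        printf 'expiring\n'
        return 0
    fi
    printf 'ok\n'
}

# classify_handshake: reads openssl s_client output on stdin and prints one
# verdict. The substrings are the alert and error texts OpenSSL emits.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"wrong version number"*)
            # Port 443 answered with something that is not TLS (usually plain
            # HTTP): no TLS listener on the origin -> 525.
            printf 'no-tls\n' ;;
        *"unrecognized name"*)
            # Origin got our SNI but has no certificate for that name -> 525.
            printf 'sni-unrecognized\n' ;;
        *"unsupported protocol"*|*"protocol version"*|*"no protocols available"*)
            # No TLS version in common, e.g. origin is TLS 1.0/1.1 only -> 525.
            printf 'protocol-mismatch\n' ;;
        *"handshake failure"*)
            # Versions overlap but no cipher suite or key type both sides
            # accept -> 525.
            printf 'handshake-failure\n' ;;
        *"Verify return code: 0 (ok)"*)
            # Handshake completed and the chain validates -> Full (Strict) works.
            printf 'ok\n' ;;
        *"Verify return code:"*)
            # Handshake completed, chain did not validate (10 expired,
            # 18 self-signed, 20/21 missing or untrusted issuer). Full connects
            # anyway; Full (Strict) reports this as 526, not 525.
            code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1)
            printf 'handshake-ok-verify-failed:%s\n' "$code" ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# probe_origin HOST IP [CAFILE]: connect to the origin IP directly (bypassing
# Cloudflare) and send HOST as SNI, exactly as Cloudflare does. CAFILE is for
# a Cloudflare Origin CA certificate, which the system trust store will never
# validate; pass the Origin CA root you downloaded to get a true verdict.
probe_origin() {
    host=$1
    ip=$2
    cafile=${3-}
    set -- -connect "$ip:443" -servername "$host"
    if [ -n "$cafile" ]; then
        set -- "$@" -CAfile "$cafile"
    fi
    openssl s_client "$@" </dev/null 2>&1 | classify_handshake
}

case "${1-}" in
    pair)
        check_pair "$2" "$3" ;;
    probe)
        verdict=$(probe_origin "$2" "$3" "${4-}")
        printf '%s:443 (SNI %s) -> %s\n' "$3" "$2" "$verdict" ;;
esac
```

Run the pair check on the files you are about to deploy, then the probe against the origin IP once the server has been reloaded. A verdict of no-tls, sni-unrecognized, protocol-mismatch or handshake-failure is what Cloudflare turns into a 525; handshake-ok-verify-failed means the handshake itself is fine and only Full (Strict) validation would complain (a 526), which for an Origin CA certificate is expected unless you passed the Origin CA root as the third argument.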

Frequently Asked Questions

What is the difference between 525 and 526?

525: the TLS handshake with the origin failed entirely because there is no TLS listener, no certificate for the SNI hostname, or no protocol or cipher suite in common. 526: the handshake completed but Cloudflare, in Full (Strict) mode only, rejected the certificate it was shown because it is expired, self-signed, issued by an untrusted CA, has an incomplete chain, or does not match the hostname. In short, 525 means no handshake; 526 means a completed handshake that presented a certificate Cloudflare will not trust.

Why does 525 appear after switching to Full (Strict) mode?

Full (Strict) requires a certificate on the origin that Cloudflare can validate: unexpired, matching the hostname, and issued by a publicly trusted CA or by Cloudflare's Origin CA. If you were on Flexible (no origin TLS at all) you will get 525 after the switch; if you were on Full (any certificate accepted, including self-signed) you will get 526. Install a Cloudflare Origin Certificate or a Let's Encrypt certificate on the origin first, then change the mode.
