HTTP 525 · Cloudflare

Cloudflare Error 525: SSL Handshake Failed

A 525 means the TLS handshake between Cloudflare and your origin server couldn't complete. Cloudflare tried to open an encrypted connection to your origin and the negotiation failed before any data moved. It only happens when your SSL/TLS mode is Full or Full (Strict).

Quick answer

Your origin has no valid SSL certificate, isn't listening on port 443, a firewall is blocking 443, or the cipher suites and TLS versions don't match what Cloudflare offers. The most reliable fix is to install a free Cloudflare Origin CA certificate on your server and ensure it listens on 443.

Whose fault is it

Your origin
yes
Cloudflare config
sometimes
The visitor
no

The handshake failure is between Cloudflare and your origin, on the second leg of the connection. Your browser reaching Cloudflare is fine; that's why you can see the error page at all. The problem is your origin's TLS setup, and occasionally a mismatch between that setup and your Cloudflare SSL mode.

The two connections, and where 525 lives

Every Cloudflare request has two encrypted legs. The first is browser to Cloudflare's edge. The second is Cloudflare's edge to your origin server. Your SSL/TLS mode in the Cloudflare dashboard controls how that second leg works:

A 525 specifically means the handshake never finished. If it had finished and the certificate was merely untrusted, you'd see a 526 instead.

The common causes, most likely first

  1. No SSL certificate installed on the origin You set Cloudflare to Full or Full (Strict), but your origin server has no certificate, or has one that isn't actually wired into the web server config. Common in cPanel setups where AutoSSL hasn't run yet, and on fresh VPS boxes where the Nginx or Apache HTTPS virtual host was never configured.
  2. The server isn't listening on port 443 The certificate exists but the web server isn't configured to serve HTTPS on 443, or a firewall is blocking inbound 443 from Cloudflare. Cloudflare has nothing to handshake with. Confirm the server listens on 443 and the firewall allows Cloudflare's ranges there.
  3. A cipher suite or TLS version mismatch Cloudflare and your origin share no common cipher, or your origin only offers TLS versions Cloudflare no longer uses. Old servers stuck on deprecated ciphers (or only TLS 1.0/1.1) fail here. Ensure the origin supports TLS 1.2 or higher with modern ciphers.
  4. Missing SNI support Cloudflare sends an SNI extension during the handshake to indicate which certificate it wants. An origin on shared hosting without SNI support can't present the right certificate, and the handshake fails.
  5. A firewall interfering with the TLS negotiation A firewall or middlebox that allows the connection but interferes with the handshake packets can reset the connection mid-negotiation. Check that Cloudflare's IP ranges have clean, unfiltered access on 443.

How to diagnose it

  1. Test the handshake directly, bypassing Cloudflare. From an external host: openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com. If this fails without Cloudflare in the path, the origin's TLS config is the problem, full stop.
  2. Confirm a certificate is installed and the server is listening on 443: ss -tlnp | grep ':443'.
  3. Check supported TLS versions and ciphers. The Qualys SSL Labs test (ssllabs.com/ssltest) audits exactly what your origin offers and flags weak or missing ciphers.
  4. Review the origin's error logs at the timestamps of the 525s. Apache logs TLS errors in the SSL error log; Nginx puts them in the standard error log (raise the level to info for handshake detail).

The most reliable fix

Install a Cloudflare Origin CA certificate. It's free, issued from the Cloudflare dashboard under SSL/TLS, Origin Server, Create Certificate, and it's guaranteed compatible with Full (Strict) mode because Cloudflare trusts it by definition. Copy the certificate and key to your origin, point your web server config at them, restart, and the handshake leg is solved without depending on a public CA or AutoSSL. This is the same approach we use on failover.io's own infrastructure.

A 525 takes your whole site down over an expired or missing cert

SSL problems are silent until they're total. A certificate that lapses or a config that breaks on restart fails every request at once. failover.io monitors SSL certificate expiry and the live handshake, warning you well before a cert lapses and escalating from email to SMS to a phone call if the handshake starts failing. Free plan: 5 monitors, no card.

Start monitoring free

Other Cloudflare 5xx errors