Error 525 means Cloudflare attempted an SSL/TLS handshake with the origin server and it failed. This only happens when the Cloudflare SSL mode is set to Full or Full (Strict), meaning Cloudflare tries to connect to the origin over HTTPS (port 443). The origin either does not have a valid SSL certificate installed, is using an incompatible TLS version or cipher suite, or the SSL configuration is broken. The TCP connection succeeds but the TLS layer fails.
The origin server does not have any SSL certificate configured on port 443, but Cloudflare's SSL mode requires HTTPS. Either install a certificate or change SSL mode to Flexible.
The origin's SSL certificate has expired, the certificate chain is incomplete (missing intermediate certificates), or the certificate does not match the domain.
The origin only supports outdated TLS versions (TLS 1.0/1.1) or cipher suites that Cloudflare does not support, preventing the handshake from completing.
The origin server does not support SNI or is serving the wrong certificate for the requested hostname when multiple domains share the same IP.
Connect directly to the origin to verify the SSL certificate is valid, not expired, and has a complete chain.
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates -subject
Ensure port 443 is open and accepting TLS connections on the origin.
Cloudflare offers free Origin CA certificates specifically for securing the connection between Cloudflare and your origin. Generate one in the Cloudflare dashboard under SSL/TLS > Origin Server.
Ensure the origin supports at least TLS 1.2. Cloudflare no longer connects using TLS 1.0 or 1.1.
openssl s_client -connect YOUR_ORIGIN_IP:443 -tls1_2 -servername yourdomain.com
As a temporary diagnostic step, switch the Cloudflare SSL mode to Flexible (Cloudflare then connects to the origin over unencrypted HTTP). This is not recommended for production, but if the site loads in Flexible mode it confirms the problem is specific to the origin's TLS setup.
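The checks above, combined into one script as an added example (not Cloudflare's own code or tooling): it performs the handshake the way Cloudflare does in Full (Strict) mode (TLS 1.2 or newer, SNI set to the site hostname, chain verified) and reports which of the listed causes applies. The origin IP and hostnames are assumed placeholders; only the standard library is used.

```python
import socket
import ssl
import time


def hostname_in_cert(cert, hostname):
    """True if a dNSName SAN covers hostname; a wildcard spans one label only (RFC 6125)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def classify_cert(cert, hostname, now=None, warn_days=14):
    """Certificate-side 525 causes for a getpeercert()-style dict:
    expired, about to expire, or not covering the requested hostname."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    problems = []
    if now > not_after:
        problems.append("certificate expired on " + cert["notAfter"])
    elif now > not_after - warn_days * 86400:
        problems.append("certificate expires in %d days" % ((not_after - now) // 86400))
    if not hostname_in_cert(cert, hostname):
        problems.append("certificate does not cover " + hostname)
    return problems


def diagnose_origin(origin_ip, sni_host, port=443, timeout=5):
    """Handshake with the origin as Cloudflare does in Full (Strict) mode: TLS 1.2+,
    SNI set to the site hostname, chain verified. Returns findings ([] = healthy)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # Cloudflare no longer offers 1.0/1.1
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_host) as tls:
                return classify_cert(tls.getpeercert(), sni_host)
    except ssl.SSLCertVerificationError as e:  # expired, wrong name, missing intermediate
        return ["certificate not trusted: " + str(e)]
    except ssl.SSLError as e:  # no common TLS version/cipher, or port 443 not speaking TLS
        return ["TLS handshake failed: " + str(e)]
    except OSError as e:  # TCP never connected, so Cloudflare would not report a 525
        return ["TCP connection failed: " + str(e)]
```

Run `diagnose_origin("YOUR_ORIGIN_IP", "yourdomain.com")` against the origin directly (bypassing Cloudflare); an empty list means the handshake Cloudflare will attempt succeeds, otherwise the returned strings name the cause to fix.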