HTTP 525 error
Cloudflare-specific error: TLS handshake between Cloudflare and your origin server failed. Almost always a certificate or SNI problem at the origin.
HTTP 525: SSL Handshake Failed is one of Cloudflare's custom 5xx codes. It means Cloudflare accepted the user's request, tried to forward it to your origin over HTTPS, and the TLS handshake with your origin failed.
It's not a standard HTTP status code. It's a Cloudflare convention. You'll see it on any host that proxies through Cloudflare with "Full" or "Full (strict)" SSL mode enabled.
What it really means
Cloudflare is acting as a client to your origin server's TLS endpoint. When Cloudflare can't complete the handshake, it can't fetch anything, so it returns 525 to the end user.
The five things to check
- Origin cert is valid and not expired. From a machine that's not on Cloudflare, run curl -vI https://origin.example.com. If your local box fails, Cloudflare will fail.
- Origin cert covers the hostname Cloudflare is connecting to. Cloudflare sends the user-facing hostname as SNI by default. If your origin cert covers only origin-direct.example.com but Cloudflare is asking for www.example.com, the handshake fails.
- Origin allows the TLS version Cloudflare requests. Cloudflare uses TLS 1.2 or 1.3. If your origin is locked to TLS 1.0 (you'd have to go out of your way to configure that) or has a very narrow cipher list that doesn't intersect Cloudflare's, the handshake fails.
- Origin isn't behind another reverse proxy that's terminating TLS with a self-signed cert. "Full (strict)" rejects untrusted origin certs.
- Origin server isn't overloaded. Sometimes a 525 just means the origin TLS handler timed out, not that the cert is bad.
Fast triage flowchart
525 happening?
└─ Run curl to origin → does it work?
   ├─ No → fix origin cert/protocol
   └─ Yes → check SNI: curl -vI --resolve www.example.com:443:<IP> https://www.example.com (presents the user-facing hostname as SNI, straight to the origin IP) → does it work?
      ├─ No → cert doesn't cover the hostname Cloudflare requests
      └─ Yes → switch Cloudflare to "Full" (non-strict) to confirm cert-trust issue
525 vs 526
525 = handshake failed. 526 = handshake succeeded but Cloudflare can't validate the origin cert (expired, self-signed, untrusted chain). Different bug, same family.
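The checks above (cert validity, SNI coverage, protocol/cipher overlap, origin timeouts) and the 525 vs 526 split can be scripted so the result is a label rather than a curl transcript. The following probe is an added example, not code from the page or from Cloudflare; it uses only the Python standard library, and the hostnames www.example.com and origin-direct.example.com in its comments are the page's own placeholders. It opens a TLS connection to the origin IP while presenting the user-facing hostname as SNI, the way Cloudflare does, and reports chain trust and hostname coverage as separate findings.

```python
import socket
import ssl
import sys


def cert_covers(cert, hostname):
    """True if a peer cert (SSLSocket.getpeercert() dict) has a DNS SAN matching hostname."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        # a wildcard (*.example.com) covers exactly one leading label, not deeper subdomains
        wildcard_hit = name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]
        if name == host or wildcard_hit:
            return True
    return False


def classify(exc):
    """Map a failed probe onto the 525 / 526 split described above."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_untrusted"    # chain rejected: Full (strict) shows this as 526
    if isinstance(exc, ssl.SSLError):
        return "handshake_failed"  # protocol, cipher or SNI rejection: the 525 case
    if isinstance(exc, socket.timeout):
        return "timeout"           # overloaded origin TLS handler, also surfaces as 525
    if isinstance(exc, ConnectionRefusedError):
        return "refused"           # nothing listening on the port: not a TLS problem at all
    return "other"


def probe_origin(ip, sni, port=443, timeout=5.0):
    """Handshake with ip:port presenting `sni` (the user-facing hostname, as Cloudflare does).
    Chain trust stays enforced; hostname coverage is reported on its own so an SNI mismatch
    (cert only for origin-direct.example.com, request for www.example.com) is visible."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED; coverage is checked below
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return {"result": "ok", "tls_version": tls.version(),
                        "covers_sni": cert_covers(tls.getpeercert(), sni)}
    except OSError as exc:  # ssl.SSLError and socket.timeout are OSError subclasses
        return {"result": classify(exc), "detail": str(exc)}


if __name__ == "__main__":
    # usage: python probe.py <origin IP> <user-facing hostname>
    print(probe_origin(sys.argv[1], sys.argv[2]))
```

A result of "ok" with covers_sni False is the SNI case from the checklist; "cert_untrusted" is what Full (strict) reports as 526; "handshake_failed" or "timeout" are the genuine 525 causes.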