525 SSL Handshake Failed
HTTP error | Notable | 5xx Server Error (Cloudflare) | High confidence

Production Risk

High — all HTTPS traffic is broken. Renew the certificate or fix the TLS configuration immediately.

What this means

525 SSL Handshake Failed is a Cloudflare-specific error indicating that Cloudflare could not complete a TLS handshake with the origin server. Typically Cloudflare and the origin share no TLS version or cipher suite, or the origin's SSL/TLS configuration is broken (for example, an expired certificate).

Why it happens

  1. The origin server's SSL certificate has expired.
  2. The origin server does not support any TLS version that Cloudflare accepts (TLS 1.2 or 1.3).
  3. The origin's cipher suites do not overlap with Cloudflare's supported ciphers.
  4. The origin SSL/TLS configuration is corrupted or misconfigured.
  5. Cloudflare SSL mode is set to 'Full' or 'Full (Strict)' but the origin cannot complete TLS.

How to reproduce

The origin web server has an expired SSL certificate and Cloudflare cannot complete the TLS handshake.

trigger — this will error
# Cloudflare → origin TLS handshake
# Certificate expired / no common cipher / TLS version mismatch

expected output

HTTP/1.1 525 SSL Handshake Failed
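To pin down which of the causes above applies, it helps to perform the handshake yourself, directly against the origin rather than through the proxy, once per TLS version Cloudflare accepts. The script below is an added example (not tooling from errcodes.dev or Cloudflare): it uses Python's standard ssl module to force TLS 1.2 and then TLS 1.3, verifies the certificate the way 'Full (Strict)' would, reports the days left on the certificate, and maps any failure to the matching cause. ORIGIN_HOST and ORIGIN_PORT are placeholders; pass the origin's real address (and the site hostname as server_name if you connect by IP).

```python
"""Direct-to-origin TLS probe for diagnosing a Cloudflare 525.

Added example, not tooling from errcodes.dev or Cloudflare.  It connects to the
origin the way Cloudflare's edge does (bypassing the proxy), forces each TLS
version Cloudflare accepts in turn, verifies the certificate as 'Full (Strict)'
would, and maps any failure to one of the causes listed on the page.
Assumption: ORIGIN_HOST / ORIGIN_PORT are placeholders for your origin.
"""
import datetime
import socket
import ssl

# Cloudflare accepts TLS 1.2 and 1.3 (from the page's version notes).
CLOUDFLARE_TLS_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate given its notAfter string as returned by
    ssl.getpeercert(), e.g. 'Jan  1 00:00:00 2020 GMT'.  Negative means expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    current = (now or datetime.datetime.now(datetime.timezone.utc)).timestamp()
    return int((expires - current) // 86400)


def classify_failure(exc):
    """Map a handshake exception to the most likely 525 cause from the page's list."""
    msg = str(exc).lower()
    if isinstance(exc, ssl.SSLCertVerificationError) or "certificate verify failed" in msg:
        if "expired" in msg:
            return "certificate expired"
        return "certificate not trusted (bad chain; Full (Strict) will reject it)"
    if isinstance(exc, ssl.SSLError):  # must precede OSError: SSLError subclasses it
        if "protocol" in msg or "version" in msg:
            return "TLS version mismatch (origin lacks TLS 1.2/1.3)"
        if "handshake failure" in msg or "cipher" in msg:
            return "no common cipher suite"
        return "TLS handshake failed (origin SSL misconfiguration)"
    if isinstance(exc, OSError):  # includes socket.timeout and ConnectionRefusedError
        return "origin unreachable (a connection problem, not a TLS one)"
    return "unknown: " + repr(exc)


def probe_origin(host, port=443, server_name=None, timeout=5.0):
    """One handshake attempt per Cloudflare-accepted TLS version.
    Returns {version: 'ok (...)' or the classified failure reason}."""
    results = {}
    for label, version in CLOUDFLARE_TLS_VERSIONS.items():
        ctx = ssl.create_default_context()  # chain + hostname checks, like Full (Strict)
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
                    days = days_until_expiry(tls.getpeercert()["notAfter"])
                    results[label] = f"ok ({tls.cipher()[0]}, cert valid {days} more days)"
        except Exception as exc:  # every failure kind is classified, none is fatal
            results[label] = classify_failure(exc)
    return results


if __name__ == "__main__":
    ORIGIN_HOST = "origin.example.com"  # placeholder: use the origin's real address
    ORIGIN_PORT = 443
    for version, outcome in probe_origin(ORIGIN_HOST, ORIGIN_PORT).items():
        print(f"{version}: {outcome}")
```

If both versions report "certificate expired", Fix 1 applies; if TLS 1.2 and 1.3 both fail with a version or cipher reason, the origin's protocol and cipher configuration is the problem rather than the certificate. A result of "origin unreachable" points at a connectivity issue, which Cloudflare reports with a different 52x code, not 525.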

Fix 1

Renew the origin SSL certificate

When: the origin certificate is expired.

# Let's Encrypt / Certbot: renews any managed certificate that is inside its renewal window
certbot renew
# reload (not restart) so the web server picks up the new certificate without dropping connections
systemctl reload nginx

Why this works

Replaces the expired certificate with a valid one that Cloudflare can verify.

Fix 2

Switch Cloudflare SSL mode to 'Full' (not Strict) temporarily

When: troubleshooting, to confirm that the certificate is the issue.

# Cloudflare dashboard → SSL/TLS → Overview → set to 'Full'
# (not 'Full (Strict)' — allows self-signed or expired certs temporarily)

Why this works

Relaxes certificate validation, confirming whether the cert is the issue.

What not to do

Do not use Cloudflare SSL mode 'Flexible' as a permanent fix

Flexible mode means traffic between Cloudflare and the origin travels as unencrypted plain HTTP — this defeats the purpose of HTTPS for that hop.

Version notes

Cloudflare

Cloudflare supports TLS 1.2 and 1.3. Origins must support at least TLS 1.2.
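As an added illustration (not configuration from the original page), here is an nginx server block whose protocol setting produces cause 2 above, followed by the corrected form that offers exactly the versions Cloudflare accepts. The two blocks are the before and after for the same site, not meant to be deployed together; the hostname and certificate paths are placeholders.

```nginx
# BEFORE (broken): only legacy protocol versions are offered.  Cloudflare speaks
# TLS 1.2/1.3 only, so no version is shared and the edge returns 525.
server {
    listen 443 ssl;
    server_name origin.example.com;                            # placeholder
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;      # placeholder path
    ssl_protocols TLSv1 TLSv1.1;
}

# AFTER (fixed): offer the versions Cloudflare accepts, with AEAD ciphers that
# any modern client, Cloudflare included, can negotiate.
server {
    listen 443 ssl;
    server_name origin.example.com;                            # placeholder
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;      # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}
```

After changing the protocol list, run `nginx -t` and then `systemctl reload nginx`; the 525 clears as soon as the origin offers a version and cipher Cloudflare can use.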

Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev
