## What's Actually Happening

Cloudflare cannot establish a TLS connection to the origin server. Users see 525 SSL Handshake Failed (the handshake with the origin does not complete) or 526 Invalid SSL Certificate (the handshake completes, but Cloudflare rejects the origin's certificate) errors.
## The Error You'll See

525 SSL Handshake Failed:

```text
Error 525: SSL handshake failed
Cloudflare could not complete the SSL handshake with your origin server.
```

526 Invalid SSL Certificate:

```text
Error 526: Invalid SSL certificate
Cloudflare could not validate the SSL certificate on your origin server.
```

## Why This Happens
1. No SSL on origin - Origin server has no SSL certificate
2. Self-signed cert - Origin uses a self-signed certificate
3. Expired certificate - Origin SSL certificate has expired
4. Wrong SSL mode - Cloudflare SSL mode mismatch
5. Port mismatch - Cloudflare connecting to the wrong port
6. Cipher mismatch - Incompatible cipher suites
7. SNI missing - Server requires SNI but it is not sent
## Step 1: Check Cloudflare SSL Mode

```bash
# Check the SSL mode in the Cloudflare dashboard: SSL/TLS -> Overview
#
# SSL modes:
#   Off (not secure) - HTTP only
#   Flexible         - HTTPS to Cloudflare, HTTP to origin (origin TLS is not used at all)
#   Full             - HTTPS to both, but does not verify the origin cert
#   Full (strict)    - HTTPS to both, validates the origin cert (the mode to aim for)
#
# 525 can occur in Full and Full (strict); 526 only in Full (strict), because
# that is the only mode in which Cloudflare validates the certificate.

# Read the current mode via the API (replace ZONE_ID and API_TOKEN)
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/settings/ssl" \
  -H "Authorization: Bearer API_TOKEN" | jq
```
## Step 2: Test Origin Server SSL

```bash
# Full handshake with SNI; the "Verify return code" and "Cipher" lines at the end
# tell you whether the handshake and the certificate chain are OK.
# </dev/null closes stdin so s_client exits instead of waiting for input.
openssl s_client -connect origin-server:443 -servername yourdomain.com </dev/null

# Dump the certificate the origin presents
openssl s_client -connect origin-server:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -text

# Plain HTTPS request straight to the origin, bypassing Cloudflare
curl -vI https://origin-server/

# Validity period (notBefore / notAfter)
openssl s_client -connect origin-server:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates

# Issuer: a self-signed certificate has issuer == subject
openssl s_client -connect origin-server:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -issuer
```
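The s_client output from Step 2 only turns into a verdict once it is read against the SSL mode from Step 1: Full tolerates any certificate, Full (strict) does not. The following Python helper is an added example, not code from the original article; it parses the `Verify return code` and `Cipher` lines of `openssl s_client` output and maps them to 525, 526 or ok for a given mode. The two sample outputs are constructed and abridged.

```python
import re
# OpenSSL "Verify return code" values that Full mode ignores but Full (strict) rejects with a 526.
CERT_PROBLEMS = {
    10: "certificate has expired (cause 3)",
    18: "self-signed certificate (cause 2)",
    20: "issuer not trusted or chain incomplete (cause 2; also seen locally for Origin CA certs without -CAfile)",
    21: "intermediate certificate missing (cause 2)",
}

def parse_s_client(output):
    """Pull the three fields that matter out of `openssl s_client` text output."""
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)", output)
    return {
        "connected": bool(re.search(r"^CONNECTED\(", output, re.M)),
        # "Cipher : 0000" means the handshake never agreed on a cipher suite
        "cipher": cipher.group(1) if cipher and cipher.group(1) != "0000" else None,
        "verify_code": int(verify.group(1)) if verify else None,
    }

def diagnose(s_client_output, ssl_mode):
    """Return (error, reason): '525', '526', 'ok' or 'n/a' for the Cloudflare SSL mode in use."""
    info = parse_s_client(s_client_output)
    mode = ssl_mode.strip().lower()
    if mode in ("off", "flexible"):
        return "n/a", "Cloudflare speaks plain HTTP to the origin in this mode; origin TLS is not involved"
    if not info["connected"]:
        return "525", "TCP connect failed: wrong port (Step 8) or firewall (Step 9)"
    if info["cipher"] is None:
        return "525", "TLS handshake failed: TLS version (Step 6), cipher suite (Step 5) or SNI (Step 7)"
    if mode == "full":
        return "ok", "handshake ok; Full mode does not validate the origin certificate"
    if mode in ("full (strict)", "strict"):
        code = info["verify_code"]
        if code == 0:
            return "ok", "handshake ok and certificate chain verified"
        return "526", CERT_PROBLEMS.get(code, f"certificate verification failed (code {code})")
    raise ValueError(f"unknown Cloudflare SSL mode: {ssl_mode!r}")

# Constructed, abridged s_client output for the two failure shapes described above.
SELF_SIGNED = """CONNECTED(00000003)
SSL-Session:
    Cipher    : TLS_AES_256_GCM_SHA384
Verify return code: 18 (self-signed certificate)
"""
HANDSHAKE_FAIL = """CONNECTED(00000003)
SSL-Session:
    Cipher    : 0000
Verify return code: 0 (ok)
"""
```

Local verification is not Cloudflare's: an Origin CA certificate shows code 20 or 21 on your machine unless you pass `-CAfile` with the Cloudflare Origin CA root, yet Cloudflare itself accepts it in Full (strict).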
## Step 3: Check Origin Server Configuration

```bash
# Nginx TLS server block (also check /etc/nginx/sites-enabled/* and /etc/nginx/conf.d/*)
grep -A 20 "listen 443" /etc/nginx/nginx.conf

# Apache TLS vhost
cat /etc/apache2/sites-available/default-ssl.conf

# Certificate files on disk
ls -la /etc/nginx/ssl/
ls -la /etc/ssl/certs/

# Cert and key must belong together: the two MD5 digests must match
# (RSA keys; for EC keys compare `openssl pkey -pubout -in key.pem` with
#  `openssl x509 -pubkey -noout -in cert.pem` instead)
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5

# Syntax check before restarting
nginx -t
apachectl configtest

systemctl restart nginx
systemctl restart apache2
```
## Step 4: Install Origin CA Certificate

```bash
# Generate a private key and CSR for the origin, then request an Origin CA certificate.
# The Origin CA endpoint needs the CSR and a request_type; requested_validity is in days
# (5475 = 15 years). This endpoint also accepts your Origin CA key in an
# X-Auth-User-Service-Key header if the API token is rejected.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout /etc/ssl/private/origin.key -out origin.csr -subj "/CN=yourdomain.com"

curl -X POST "https://api.cloudflare.com/client/v4/certificates" \
  -H "Authorization: Bearer API_TOKEN" \
  -H "Content-Type: application/json" \
  --data "{\"hostnames\":[\"yourdomain.com\"],\"requested_validity\":5475,\"request_type\":\"origin-rsa\",\"csr\":$(jq -Rs . origin.csr)}"
# Save the "certificate" field of the response as /etc/ssl/certs/origin.pem
```

Configure Nginx:

```nginx
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate     /etc/ssl/certs/origin.pem;
    ssl_certificate_key /etc/ssl/private/origin.key;
}
```

Configure Apache:

```apache
<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/origin.pem
    SSLCertificateKeyFile /etc/ssl/private/origin.key
</VirtualHost>
```

Origin CA certificates are trusted by Cloudflare only, so they satisfy Full (strict) but a browser hitting the origin directly will show a certificate warning; that is expected.
## Step 5: Check Cipher Suite Compatibility

```bash
# Handshake with the default cipher list; "sslv3 alert handshake failure" with
# "Cipher : 0000" means no suite was agreed on
openssl s_client -connect origin-server:443 -cipher DEFAULT </dev/null

# Enumerate every protocol version and cipher suite the origin offers
nmap --script ssl-enum-ciphers -p 443 origin-server
```

Nginx cipher config (TLS 1.3 suites are fixed; `ssl_ciphers` applies to TLS 1.2):

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
```
## Step 6: Check TLS Version

```bash
# Force a single protocol version per attempt
openssl s_client -connect origin-server:443 -tls1_2 </dev/null
openssl s_client -connect origin-server:443 -tls1_3 </dev/null

nmap --script ssl-enum-ciphers -p 443 origin-server
```

Nginx config:

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
```

Apache config:

```apache
SSLProtocol -all +TLSv1.2 +TLSv1.3
```
## Step 7: Check SNI Configuration

```bash
# With SNI: this is what Cloudflare sends
openssl s_client -connect origin-server:443 -servername yourdomain.com </dev/null

# Without SNI: if this fails, or returns a different (default vhost) certificate,
# the origin depends on SNI
openssl s_client -connect origin-server:443 </dev/null

# Confirm the certificate returned with SNI lists yourdomain.com in its Subject / SAN
openssl s_client -connect origin-server:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -text
```
## Step 8: Check Port Configuration

```bash
# Cloudflare only connects to the origin on specific ports:
#   HTTP:  80, 8080, 2052, 2082, 2086, 2095
#   HTTPS: 443, 2053, 2083, 2087, 2096, 8443

# Which ports is the web server actually listening on?
ss -tlnp | grep nginx

# Test a non-standard HTTPS port directly
curl -vI https://origin-server:8443/
```
## Step 9: Check Firewall Rules

```bash
# Current Cloudflare edge ranges
curl https://www.cloudflare.com/ips-v4
curl https://www.cloudflare.com/ips-v6

# Allow the Cloudflare IPv4 ranges to reach 443 (inserted at the top of INPUT).
# Repeat with ip6tables for ips-v6; these rules are not persistent across reboots
# unless saved (iptables-save or your distro's tooling).
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
  iptables -I INPUT -s "$ip" -p tcp --dport 443 -j ACCEPT
done

iptables -L INPUT -n -v | grep 443
```
## Step 10: Monitor SSL Status

```bash
openssl s_client -connect origin-server:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates

# Re-check every 60 s; the whole pipeline must be quoted so watch runs all of it,
# otherwise the pipe applies to watch's own output
watch -n 60 'openssl s_client -connect origin-server:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates'

# End-to-end check through Cloudflare
curl -vI https://yourdomain.com/
```
## Cloudflare Origin SSL Checklist
| Check | Command | Expected |
|---|---|---|
| SSL mode | Cloudflare dashboard | Correct mode |
| Origin SSL | openssl s_client | Valid certificate |
| Certificate dates | openssl x509 -dates | Not expired |
| TLS version | nmap ssl-enum-ciphers | TLS 1.2+ |
| Cipher suites | nmap ssl-enum-ciphers | Compatible |
| Firewall | iptables -L | Cloudflare IPs allowed |
## Verify the Fix

```bash
# Direct to the origin: handshake must complete and "Verify return code" should be 0
openssl s_client -connect origin-server:443 -servername yourdomain.com </dev/null
openssl s_client -connect origin-server:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates

# Through Cloudflare: an HTTP status here instead of a 525/526 page means the fix worked
curl -I https://yourdomain.com/
curl -vI https://yourdomain.com/ 2>&1 | grep -i ssl

# Repeat to catch intermittent failures (e.g. one origin in a pool still misconfigured)
for i in {1..10}; do curl -sI https://yourdomain.com/ | head -n 1; done
```
## Related Issues
- [Fix Cloudflare 521 Web Server Down](/articles/fix-cloudflare-521-web-server-down)
- [Fix Cloudflare 522 Connection Timed Out](/articles/fix-cloudflare-522-connection-timed-out)