Introduction
Cloudflare's SSL/TLS mode determines how traffic flows between visitors, Cloudflare, and your origin server. Selecting the wrong mode creates a mismatch that results in handshake failures, redirect loops, or security warnings. The four modes (Flexible, Full, Full Strict, and Off) each serve different origin configurations, and understanding which one matches your setup is critical for avoiding SSL errors like 525 (SSL handshake failed) and 526 (invalid SSL certificate).
Symptoms
- Error 525: SSL handshake failed between Cloudflare and origin
- Error 526: Invalid SSL certificate (certificate not trusted)
- Redirect loops where browser cycles endlessly between HTTP and HTTPS
- Mixed content warnings or resources failing to load
- Origin server certificate errors in browser when bypassing Cloudflare
- Site works with Flexible mode but fails with Full or Full (Strict)
Common Causes
- SSL mode set to "Full (Strict)" when origin uses self-signed certificate
- SSL mode set to "Full" or "Flexible" when origin expects HTTPS only
- Origin server redirecting HTTP to HTTPS while Cloudflare uses Flexible mode
- Origin certificate expired or using wrong hostname
- Missing intermediate certificates in origin SSL chain
- Cloudflare origin certificate not installed on origin server
- SNI not configured on origin server for multi-host SSL
Step-by-Step Fix
- 1. Determine your origin server's SSL configuration:
```bash
# Test if origin accepts HTTPS.
# --resolve pins the hostname to the origin IP and sends it as SNI;
# a Host header alone does not set SNI, so multi-host origins may
# serve the wrong certificate.
curl -Ivk --resolve "yourdomain.com:443:YOUR_ORIGIN_IP" https://yourdomain.com/

# Check certificate details
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -text

# Verify certificate chain (</dev/null closes the session instead of waiting for input)
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com -showcerts </dev/null
```
- 2. Identify whether your origin uses a valid, self-signed, or no SSL certificate:
```bash
# Check certificate issuer
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -issuer

# Common issuers:
# - Let's Encrypt: valid, trusted
# - DigiCert, Comodo, etc.: valid, trusted
# - Cloudflare Origin CA: requires Full mode (not Strict)
# - Self-signed: requires Full mode (not Strict)
# - No certificate: requires Flexible mode
```
- 3. Check for origin server HTTPS redirects:
```bash
# Test HTTP request to origin
curl -Iv http://YOUR_ORIGIN_IP/ -H "Host: yourdomain.com"

# If you see a 301/302 redirect to HTTPS, the origin forces HTTPS.
# This requires Full or Full (Strict) mode.
```
- 4. Match the SSL mode to your origin configuration:
| Origin Configuration | Required SSL Mode |
|---|---|
| No SSL (HTTP only) | Flexible |
| Self-signed certificate | Full |
| Cloudflare Origin CA certificate | Full |
| Valid trusted certificate | Full (Strict) |
- 5. Update the SSL mode in the Cloudflare dashboard:
  - Navigate to: Cloudflare Dashboard > SSL/TLS > Overview
  - Click the appropriate mode for your origin
  - Changes take effect immediately
- 6. Fix origin SSL certificate issues:
```bash
# For nginx, check SSL configuration
nginx -T 2>/dev/null | grep -A5 "ssl_certificate"
```
```nginx
# Ensure certificate and key paths are correct
ssl_certificate /etc/ssl/certs/yourdomain.com.crt;
ssl_certificate_key /etc/ssl/private/yourdomain.com.key;
```
```bash
# For Apache, check SSL configuration
apachectl -S 2>&1 | grep -i ssl
```
- 7. Install a Cloudflare Origin Certificate if using Full mode:
  - Download the Origin CA certificate from the Cloudflare dashboard: SSL/TLS > Origin Server > Create Certificate
```nginx
# Install in nginx
ssl_certificate /etc/ssl/cloudflare/origin.pem;
ssl_certificate_key /etc/ssl/cloudflare/private_key.pem;
```
```apache
# For Apache
SSLCertificateFile /etc/ssl/cloudflare/origin.pem
SSLCertificateKeyFile /etc/ssl/cloudflare/private_key.pem
```
- 8. Fix redirect loops by configuring the proper redirect order:
```nginx
# In nginx, avoid double redirects:
# DON'T redirect HTTP to HTTPS if Cloudflare already sends HTTPS.
#
# Check whether the origin redirects when receiving HTTPS from Cloudflare.
# Cloudflare connects to the origin over HTTPS in Full/Strict modes.
# If the origin also redirects HTTP->HTTPS, you get a loop with Flexible mode.
#
# Solution: use Full mode when the origin redirects HTTP to HTTPS.
```
- 9. Resolve 525 SSL handshake errors:
```bash
# Check if origin supports TLS 1.2 or 1.3
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com -tls1_2 </dev/null
```
```nginx
# Update nginx SSL protocols
ssl_protocols TLSv1.2 TLSv1.3;
```
```apache
# Update Apache SSL protocols
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
```
- 10. Fix 526 invalid SSL certificate errors:
```bash
# Verify the certificate hostname matches
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -subject

# Subject should contain your domain:
# subject=CN = yourdomain.com

# If mismatched, install the correct certificate
```
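The decision in steps 1 to 4 as an added shell example (not part of the original guide): `recommend_mode` maps the probe results to the mode in the table above and is pure, so it can be checked without network access; `probe_origin` gathers those results with the same openssl calls as steps 1 and 2. `ORIGIN_IP`/`HOSTNAME` are placeholders, and the match on an issuer name containing "Cloudflare Origin" is an assumption about the Origin CA's issuer string.

```shell
# Added example, not the guide's own code.
#   https_ok  : "yes" if the origin completed a TLS handshake on port 443
#   verify_rc : openssl "Verify return code" (0 = chain trusted, hostname matches)
#   issuer    : output of "openssl x509 -noout -issuer" for the origin's cert
recommend_mode() {
    https_ok="$1"; verify_rc="$2"; issuer="$3"
    if [ "$https_ok" != "yes" ]; then
        # Origin speaks HTTP only: Cloudflare must connect in the clear.
        echo "Flexible: origin serves HTTP only"
    elif [ "$verify_rc" = "0" ]; then
        # Publicly trusted chain with a matching hostname: strict validation works.
        echo "Full (Strict): chain trusted, hostname matches"
    elif printf '%s' "$issuer" | grep -qi "cloudflare origin"; then
        # Assumed issuer-name match for the Cloudflare Origin CA; the table maps it to Full.
        echo "Full: Cloudflare Origin CA certificate"
    else
        # Self-signed, expired, or wrong hostname (steps 2 and 10): Full keeps the
        # Cloudflare-to-origin leg encrypted, but fixing the certificate is the real repair.
        echo "Full: untrusted chain (self-signed, expired, or hostname mismatch)"
    fi
}

# Probe ORIGIN_IP as HOSTNAME and print the recommended mode.
# Usage: probe_origin ORIGIN_IP HOSTNAME
probe_origin() {
    ip="$1"; host="$2"
    # s_client exits non-zero when no TLS handshake completes (HTTP-only origin,
    # closed port); -verify_hostname makes a name mismatch a verify error (rc 62).
    out=$(openssl s_client -connect "$ip:443" -servername "$host" \
              -verify_hostname "$host" </dev/null 2>/dev/null) \
        || { recommend_mode no "" ""; return; }
    rc=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    issuer=$(printf '%s\n' "$out" | openssl x509 -noout -issuer 2>/dev/null)
    recommend_mode yes "${rc:-1}" "$issuer"
}
```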
Verification
After applying fixes:
- 1. `curl -I https://yourdomain.com/` returns HTTP 200 without errors
- 2. No 525, 526, or redirect loop errors in Cloudflare analytics
- 3. Browser shows a valid SSL certificate with a proper chain
- 4. Mixed content warnings resolved
- 5. SSL mode matches the origin configuration correctly