Cloudflare sits between your visitors and your origin server. When it can't establish a secure connection to your origin, it returns an error page to visitors instead of your site.
Error 525 means the TLS handshake between Cloudflare and your origin failed completely. Error 526 means Cloudflare reached the origin but rejected the certificate it found. Both errors look identical to visitors. Here's how to tell them apart and fix each one.
Error 525: SSL Handshake Failed
Cloudflare is trying to open a TLS connection to your origin on port 443. The handshake is failing before any certificate is exchanged.
Common causes:
- ✓Cloudflare's SSL/TLS mode is set to "Full" or "Full (Strict)" but SSL is not enabled on the origin server at all
- ✓A firewall rule on the origin is blocking Cloudflare's IP ranges on port 443
- ✓nginx or Apache has SSL misconfigured or isn't listening on 443
- ✓The origin only offers TLS 1.0 or 1.1, which Cloudflare refuses
How to diagnose. Test whether your origin responds to a direct TLS connection, bypassing Cloudflare:
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.comIf this fails to connect at all, the problem is at the server level — not the certificate. Check your web server SSL config, confirm port 443 is open, and verify your Cloudflare SSL/TLS encryption mode in the dashboard under SSL/TLS → Overview.
Error 526: Invalid SSL Certificate
Cloudflare reached your origin and completed a TLS connection, but rejected the certificate it found. It won't proxy an invalid cert to visitors.
What "invalid" means in Cloudflare's terms:
- ✓The certificate is expired
- ✓The certificate is self-signed and the SSL mode is "Full (Strict)"
- ✓The certificate hostname doesn't match the domain Cloudflare is connecting to
- ✓The certificate was issued by a CA Cloudflare doesn't trust
The most common cause by a significant margin is expiry. A certificate that was valid last week and expired this week produces a 526 with no other warning.
The SSL Mode Controls Which Errors You See
Cloudflare's SSL/TLS encryption mode determines how aggressively it validates your origin certificate:
- ✓Flexible — Cloudflare doesn't validate the origin cert at all. Certificate problems are hidden, but origin-to-Cloudflare traffic isn't actually encrypted.
- ✓Full — Requires a TLS connection to origin but doesn't validate the certificate. A self-signed or expired cert passes here.
- ✓Full (Strict) — Requires a valid, trusted, non-expired certificate from a recognised CA. This is the correct setting for production, and it's where 526 errors surface.
If you're seeing a 526, you're running Full (Strict) — correct — and the certificate at your origin has a problem. The SSL mode is not the thing to change.
Fixing an Expired Certificate
If the diagnosis points to expiry:
1. Force-renew immediately — certbot renew --force-renewal for Let's Encrypt, or reissue through your CA's dashboard
2. Reload the web server after renewal — systemctl reload nginx or equivalent
3. Confirm the new certificate is actually being served before assuming the fix worked
The last step matters. A certificate can renew successfully on disk while the server continues serving the old expired cert from memory if nothing triggered a reload. The SSL checker connects to your domain directly and reads the cert from the live TLS handshake — the same view Cloudflare has — so if the server didn't reload, you'll see the old expiry date rather than the new one.
Why Let's Encrypt Renewals Fail Silently
If the certificate expired despite auto-renewal being configured, something in the renewal chain broke quietly. The common failure modes are: the certbot systemd timer stopped running after a server migration; a firewall or config change blocked the ACME HTTP-01 challenge path; or the cert renewed but the server was never signalled to reload.
The Let's Encrypt auto-renewal failures post covers each of these in detail, including the renewed-but-not-reloaded case which is particularly hard to catch because the cert on disk looks valid.
Why This Keeps Happening
A 525 from a config problem is typically a one-time fix. A 526 from expiry tends to recur unless the monitoring setup changes, because the underlying condition is the same every time: nobody knew the certificate was entering its final 30 days.
Cloudflare's dashboard doesn't show a countdown to origin cert expiry. Your registrar's auto-renew is a separate system that doesn't watch SSL certificates. The only reliable way to know a certificate is approaching expiry is external monitoring — the same kind of check Cloudflare itself performs, running daily from outside your infrastructure.
ExpiryPing connects to your domain daily via TLS handshake and alerts you at 30, 14, 7, and 1 day before the certificate expires. By the time renewal is urgent, you've already had four notifications. Free for up to 3 domains, paid plans from $19/month.
The 526 error isn't the failure. The failure is the two weeks before it where the certificate was expiring and nothing said so.