Cloudflare 525 Error
Learning Focus
By the end of this lesson you will understand what causes Cloudflare 525 SSL Handshake Failed errors and how to fix the origin SSL configuration in OpenLiteSpeed.
What a 525 Means
A 525 error means Cloudflare could not complete the TLS handshake with your origin server. The connection reached your server, but the SSL negotiation failed before any data was exchanged.
Common Causes
| Cause | Likelihood | How to Check |
|---|---|---|
| SSL listener not enabled | Very common | WebAdmin → Listeners → check port 443 |
| Wrong certificate path | Very common | ls -la /path/to/cert.pem |
| Mismatched cert and key | Common | openssl verify (see below) |
| TLS versions incompatible | Occasional | Check listener TLS settings |
| Firewall blocking port 443 | Occasional | sudo ufw status or iptables -L |
| Expired certificate | Occasional | openssl x509 -enddate -noout -in cert.pem |
Diagnostic Steps
Step 1: Verify the SSL Listener Exists
# Check if OpenLiteSpeed is listening on 443
sudo netstat -tlnp | grep 443
# Or using ss
sudo ss -tlnp | grep 443
If nothing is listening on 443, the SSL listener is not configured or not started.
Step 2: Test the TLS Handshake Directly
# Test from the server itself (bypassing Cloudflare)
openssl s_client -connect localhost:443 -servername example.com
# Look for:
# - "Verify return code: 0 (ok)" → certificate is valid
# - "SSL handshake has read ... bytes" → handshake completed
# - Errors like "Connection refused" → listener not running
Step 3: Verify Certificate and Key Match
# Get the certificate modulus hash
openssl x509 -noout -modulus -in /path/to/cert.pem | md5sum
# Get the key modulus hash
openssl rsa -noout -modulus -in /path/to/key.pem | md5sum
# These two hashes MUST match
Step 4: Check Certificate Expiry
openssl x509 -in /path/to/cert.pem -noout -dates
# notBefore=...
# notAfter=...
Step 5: Check Firewall
# UFW
sudo ufw status | grep 443
# iptables
sudo iptables -L -n | grep 443
Fix Checklist
| Fix | Command |
|---|---|
| Create SSL listener on 443 | Configure in WebAdmin → Listeners |
| Fix certificate path | Update path in WebAdmin → Listener → SSL |
| Regenerate matching cert/key | Re-issue from CA and upload both files |
| Open port 443 in firewall | sudo ufw allow 443/tcp |
| Reload after changes | sudo /usr/local/lsws/bin/lswsctrl restart |
warning
After fixing any SSL configuration, always test with openssl s_client before assuming the fix worked. Browser caching and Cloudflare edge caching can hide persistent issues.
Key Takeaways
- 525 is a handshake problem between Cloudflare and your server, not a certificate trust issue.
- The most common cause is a missing or misconfigured SSL listener on port 443.
- Always verify with
openssl s_client— it tests the exact handshake Cloudflare performs. - Check certificate path, key match, expiry, and firewall rules systematically.
What's Next
- Continue to Cloudflare 526 Error for certificate validation failures.