Question

How to fix Cloudflare 525 with Caddy

If Cloudflare shows Error 525, the SSL/TLS handshake between Cloudflare's edge and your origin server failed; Cloudflare reached the origin on port 443 but could not complete the handshake. In practice this is almost always a certificate, port, or SNI mismatch on the origin side.

Fast recovery checklist

  1. Cloudflare SSL mode: keep Full (strict) only when the origin certificate is valid for your hostname; otherwise the edge rejects the handshake.
  2. Verify the origin's HTTPS port 443 is open in the firewall and that Caddy is actually listening on it.
  3. Confirm the Caddy site block uses the exact domain name Cloudflare connects with (the SNI value) and the intended TLS configuration.
  4. Run one SNI test and one curl test against the origin from the server before changing any more settings.

Commands that usually surface the root cause

# Confirm the Caddyfile parses, the service is up, and check recent logs for TLS issuance or bind errors
sudo caddy validate --config /etc/caddy/Caddyfile
sudo systemctl status caddy --no-pager -n 20
sudo journalctl -u caddy --since '30 minutes ago' --no-pager | tail -n 80

# Talk to the origin directly (bypassing Cloudflare) with the real hostname as SNI, then confirm something is bound to 443
curl -Iv --resolve yourdomain.com:443:ORIGIN_IP https://yourdomain.com/
openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com -showcerts </dev/null | head -n 60
sudo ss -lntp | grep ':443 '
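The checks above are easier to repeat consistently when their outputs are fed to a few small helpers. The script below is an added example, not code from the original page or from the Caddy project: it takes a Caddyfile plus the captured output of `ss -lntp` and `openssl s_client` as files and decides whether each checklist item passes. The hostname `yourdomain.com`, the file paths, and the sample Caddyfile and command transcripts it creates are constructed assumptions for illustration, not real captures.

```shell
#!/bin/sh
# Added example for the 525 checklist (not from the original page). Each
# helper inspects a captured file so the decision logic runs offline.
# Hostname, paths and all sample outputs below are constructed assumptions.

# Turn a hostname into a literal ERE pattern (escape the dots).
host_pattern() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Check 3: does the Caddyfile have a site block whose address is exactly HOST?
# Accepts "host {", "https://host {", "host:443 {" and "host, other {" forms.
caddy_site_for_host() {
  esc=$(host_pattern "$1")
  grep -Eq "^[[:space:]]*(https://)?${esc}(:443)?"'([[:space:],{]|$)' "$2"
}

# Check 2: is a socket listening on TCP 443 in captured `ss -lntp` output?
https_listener_present() {
  grep LISTEN "$1" | grep -Eq '(\*|0\.0\.0\.0|\[::\]|[0-9.]+):443[[:space:]]'
}

# Check 4: does captured `openssl s_client` output show a certificate that
# verified (return code 0) and whose subject CN is HOST?
sclient_verify_ok() {
  esc=$(host_pattern "$2")
  grep -q 'Verify return code: 0 (ok)' "$1" &&
    grep -Eq "^subject=.*CN *= *${esc}"'([, ]|$)' "$1"
}

# Create constructed sample inputs in a temp dir and print its path.
# These mimic the shape of real captures; they are not real captures.
make_samples() {
  d=$(mktemp -d)
  cat > "$d/Caddyfile" <<'EOF'
# constructed sample Caddyfile
yourdomain.com {
	reverse_proxy 127.0.0.1:8080
}
EOF
  cat > "$d/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096         *:443             *:*     users:(("caddy",pid=1234,fd=7))
LISTEN 0      4096         *:80              *:*     users:(("caddy",pid=1234,fd=6))
EOF
  cat > "$d/sclient_good.txt" <<'EOF'
subject=CN = yourdomain.com
issuer=C = US, O = Let's Encrypt, CN = R3
Verify return code: 0 (ok)
EOF
  cat > "$d/sclient_bad.txt" <<'EOF'
subject=CN = localhost
issuer=CN = Caddy Local Authority - ECC Intermediate
Verify return code: 21 (unable to verify the first certificate)
EOF
  echo "$d"
}

# Run all three checks, print one verdict line each, and return non-zero if
# any failed so the script can gate further configuration changes.
check_525() {
  host="$1"; caddyfile="$2"; ss_out="$3"; sclient_out="$4"
  rc=0
  caddy_site_for_host "$host" "$caddyfile" && echo "ok   site block for $host" \
    || { echo "FAIL no site block for $host in $caddyfile"; rc=1; }
  https_listener_present "$ss_out" && echo "ok   :443 listening" \
    || { echo "FAIL nothing listening on :443"; rc=1; }
  sclient_verify_ok "$sclient_out" "$host" && echo "ok   cert verifies for $host" \
    || { echo "FAIL cert not valid for $host (expect 525 under Full (strict))"; rc=1; }
  return $rc
}

# Usage with real captures (paths are assumptions):
#   sudo ss -lntp > ss.txt
#   openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com </dev/null > sc.txt 2>&1
#   check_525 yourdomain.com /etc/caddy/Caddyfile ss.txt sc.txt
```

Feeding real captures to `check_525` gives one clear FAIL line per broken item, which matches the "fix one failed check, then retest" workflow: a failing site-block check points at the Caddyfile, a missing listener at the firewall or service, and a non-verifying certificate at the Full (strict) mismatch.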

Common operator mistake

People often change several settings at once and then cannot tell which one mattered. Fix one failed check at a time, then retest through Cloudflare before touching the next; this avoids long trial-and-error loops.

If Cloudflare shows 526 instead of 525, use this checklist: How to fix Cloudflare 526 invalid certificate.
