
How to fix Cloudflare 525 with Nginx

Cloudflare 525 means the edge reached your origin over TCP but could not complete the TLS handshake with it. On Nginx, the root cause is usually one of three things: a wrong or incomplete certificate chain, the wrong server block answering for the SNI hostname, or no working TLS listener on port 443.

Triage in the order operators actually use

  1. Confirm Nginx is listening on 443 with ssl enabled and that the expected hostname appears in the server_name of the active server block (otherwise the default server answers the SNI request).
  2. Check that ssl_certificate points to the full chain (leaf plus intermediates) and ssl_certificate_key to the matching private key, and that Nginx can read both files.
  3. Verify that a handshake for the same hostname succeeds when forced to your origin IP, bypassing Cloudflare.
  4. Only after the origin passes, retest through Cloudflare.

Command block for first response

sudo nginx -t
sudo systemctl status nginx --no-pager -n 30
sudo journalctl -u nginx --since '30 minutes ago' --no-pager | tail -n 120

sudo ss -lntp | grep ':443'
sudo nginx -T | sed -n '/server_name yourdomain.com/,+50p'

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null | head -n 80
curl -Iv --resolve yourdomain.com:443:ORIGIN_IP https://yourdomain.com/
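The first two triage steps and the nginx -T command above can be checked offline before touching the network. The script below is an added example, not part of the original page: it reads text in the shape of nginx -T output, isolates the server block(s) whose server_name lists a hostname, and reports whether they carry a 443 ssl listener plus both certificate directives. The configuration text and the .invalid hostnames are constructed for illustration; on a real host pass "$(sudo nginx -T 2>/dev/null)" instead.

```shell
#!/bin/sh
# Added example (not the page's own code): offline pre-check of the Nginx
# server block that should answer for a hostname. The sample config below is
# constructed; the hostnames and paths are placeholders.

SAMPLE_CONF='server {
    listen 80;
    server_name example.invalid www.example.invalid;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.invalid www.example.invalid;
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    location / { proxy_pass http://127.0.0.1:8080; }
}
server {
    listen 443;
    server_name broken.invalid;
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
}'

# Print every top-level server block whose server_name lists HOST ($1).
# Reads config text on stdin. Brace counting keeps nested location blocks
# inside their server block. Expects "server {" on one line, as nginx -T
# normally prints it.
server_blocks_for() {
    awk -v host="$1" '
        !inblock && $1 == "server" && $2 == "{" {
            inblock = 1; depth = 1; hit = 0; block = $0 "\n"; next
        }
        inblock {
            block = block $0 "\n"
            if ($1 == "server_name") {
                for (i = 2; i <= NF; i++) {
                    name = $i; sub(/;$/, "", name)
                    if (name == host) hit = 1
                }
            }
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if (depth == 0) { inblock = 0; if (hit) printf "%s", block }
        }'
}

# tls_block_status HOST CONFIG_TEXT
# Returns 0 when the block(s) for HOST carry "listen ... 443 ssl",
# ssl_certificate and ssl_certificate_key; 1 when any of these is missing;
# 2 when no block names HOST at all (Nginx then serves the default server,
# which is the classic SNI mismatch behind a 525).
tls_block_status() {
    host=$1
    blocks=$(printf '%s\n' "$2" | server_blocks_for "$host")
    if [ -z "$blocks" ]; then
        echo "$host: no server block names this host"
        return 2
    fi
    rc=0
    printf '%s\n' "$blocks" | grep -Eq 'listen[[:space:]]+([^;]*:)?443[[:space:]]+[^;]*ssl' \
        || { echo "$host: no 'listen 443 ssl' directive"; rc=1; }
    printf '%s\n' "$blocks" | grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]' \
        || { echo "$host: ssl_certificate missing"; rc=1; }
    printf '%s\n' "$blocks" | grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]' \
        || { echo "$host: ssl_certificate_key missing"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "$host: TLS server block looks complete"
    fi
    return "$rc"
}

# Walk the sample: one good host, one half-configured host, one absent host.
for h in example.invalid broken.invalid nothere.invalid; do
    tls_block_status "$h" "$SAMPLE_CONF" || true
done
```

A return code of 2 is the case to look at first when the 525 is host-specific: the handshake in step 3 may even succeed against the default server's certificate while Cloudflare, which sends your hostname in SNI, gets a certificate for a different name or no TLS at all. Once this check passes, continue with the openssl s_client and curl --resolve commands above.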

Frequent Nginx mistakes

If you see certificate validation errors rather than handshake errors, that is a different failure mode; use this page next: How to fix Cloudflare 526 invalid certificate.

Using Caddy instead of Nginx? Follow: How to fix Cloudflare 525 with Caddy.
