Back to website Login
There was a problem loading the comments.

Cloudflare 525/526 errors: fix SSL handshake and origin certificate (GARMTECH Hosting)

Support Portal  »  Knowledgebase  »  Viewing Article
  Print

If your website uses Cloudflare and you see Error 525 or Error 526, Cloudflare cannot establish a valid HTTPS connection to your origin server (your GARMTECH hosting server).

What the errors mean

  • 525 — SSL handshake failed: Cloudflare could not complete the TLS handshake with the origin (network/TLS configuration problem).
  • 526 — Invalid SSL certificate: Cloudflare connected to the origin, but the origin certificate is not valid (commonly happens with Full (strict) when the origin uses self-signed or mismatched certificate).

Step 1 — Confirm the site works directly on the origin

Temporarily set the Cloudflare record to DNS only (grey cloud) for the affected hostname (for example, example.com and www). Then check:

After testing, you can enable proxy again.

Step 2 — Install or renew a valid SSL certificate in Plesk

  1. Open Plesk from My.GARMTECH.
  2. Go to Websites & Domains → your domain → Let’s Encrypt.
  3. Issue/renew a certificate for the domain and www (and any other hostnames you proxy in Cloudflare).
  4. Make sure the certificate is selected for the domain in Hosting Settings / SSL/TLS Certificates.

Step 3 — Set the correct SSL mode in Cloudflare

Recommended Cloudflare SSL mode for production is usually:

  • Full (strict) — requires a valid certificate on your GARMTECH origin (Let’s Encrypt is OK)

Avoid “Flexible” for production websites. Flexible makes Cloudflare connect to the origin over HTTP and often causes redirect loops when the origin enforces HTTPS.

Step 4 — Check common causes on the origin

  • Certificate mismatch: the origin certificate must include the exact hostname (e.g., www.example.com).
  • Expired certificate: renew it in Plesk.
  • TLS settings: if you use very old TLS versions/ciphers on the origin, Cloudflare may fail the handshake. Use standard modern TLS (Plesk defaults are usually fine).
  • Firewall rules: make sure your website does not block Cloudflare IP ranges.

Step 5 — Re-enable Cloudflare proxy

After the origin serves a valid HTTPS certificate, switch the Cloudflare record back to Proxied (orange cloud) and test again.

Still seeing the error?

  • Purge Cloudflare cache after certificate changes.
  • Verify that the error happens for the same hostname that Cloudflare proxies (root, www, subdomain).
Share via
Did you find this article useful?  

Related Articles

Comments

Add Comment

Replying to  

Categories

Tags

© GARMTECH