If your site is behind Cloudflare and HTTPS is failing, the issue is usually a mismatch between Cloudflare, your origin server, or both.
This guide explains how to fix Cloudflare SSL not working with clear checks that restore secure connections without guesswork.
What Cloudflare SSL Does and Why It Breaks
Cloudflare sits between visitors and your origin server, handling TLS encryption for the browser-to-Cloudflare connection and, depending on configuration, the Cloudflare-to-origin connection as well.
When SSL fails, common symptoms include browser warnings, redirect loops, the 525, 526, or 527 errors, and sites that load over HTTP even though HTTPS is enabled.
The most common causes are a wrong SSL mode, an expired or missing origin certificate, incorrect DNS records, mixed content, or a server that does not support the TLS requirements Cloudflare expects.
Check Your Cloudflare SSL Mode First
The SSL/TLS mode in the Cloudflare dashboard is the first place to look because it defines how Cloudflare connects to your origin server.
What the modes mean
- Off: No encryption between visitors and Cloudflare or Cloudflare and your origin.
- Flexible: Encrypts browser-to-Cloudflare traffic only, not Cloudflare-to-origin traffic.
- Full: Encrypts both connections, but does not require a trusted certificate on the origin.
- Full (Strict): Encrypts both connections and requires a valid certificate on the origin.
For most production sites, Full (Strict) is the recommended setting.
If Cloudflare SSL is not working, confirm the mode matches your origin certificate setup.
A common failure occurs when a site is set to Full (Strict) but the origin has an expired, self-signed, or hostname-mismatched certificate.
Verify the Origin Certificate on Your Server
Cloudflare can only validate the origin connection if your server presents a certificate that matches the domain being requested.
If you use a standard certificate from a certificate authority, ensure it is not expired and includes the correct domain names, including the apex domain and any www or subdomain variants.
If you prefer a Cloudflare Origin Certificate, install it correctly on your web server and make sure the private key matches the certificate file.
Origin certificates are trusted by Cloudflare, not by browsers, so they are intended for the server side of the connection.
Common origin certificate problems include:
- Certificate expired or not yet valid
- Wrong hostname in the Subject Alternative Name list
- Private key mismatch
- Certificate installed on the wrong virtual host or server block
- Incomplete certificate chain on the origin server
Confirm DNS Records Point to the Correct Server
Cloudflare SSL issues are often mistaken for certificate failures when the actual problem is a DNS misconfiguration.
In the Cloudflare DNS tab, check that the A, AAAA, or CNAME records point to the correct origin or hosting endpoint.
If your record is proxied through Cloudflare, the orange cloud should be enabled.
If you are testing direct origin access, temporarily switch the record to DNS only and verify the server’s certificate directly.
Also confirm there are no stale records pointing to an old host, load balancer, or migration target.
Fix Redirect Loops Caused by HTTPS Rules
Redirect loops are one of the most frustrating symptoms when trying to fix Cloudflare SSL not working.
They usually happen when both Cloudflare and the origin server are forcing HTTPS in ways that conflict.
For example, Flexible SSL can trigger a loop if your origin redirects all traffic from HTTP to HTTPS while Cloudflare connects to the origin over HTTP.
In that case, Cloudflare requests the HTTP page, the origin redirects to HTTPS, and the cycle repeats.
To resolve redirect loops:
- Use Full or Full (Strict) instead of Flexible when possible.
- Check server-level redirects in Nginx, Apache, LiteSpeed, or application code.
- Review Cloudflare Page Rules, Bulk Redirects, and Redirect Rules.
- Avoid duplicate HTTPS enforcement in plugins or CMS settings.
Inspect Mixed Content on the Page
Even when the SSL connection is working, browsers may show security warnings if the page loads scripts, images, fonts, or stylesheets over HTTP.
This is known as mixed content and is common on WordPress sites, especially after a migration.
Open the browser developer console and look for blocked requests marked as insecure.
Then update hardcoded URLs in your database, theme files, or custom code so every resource loads over HTTPS.
In WordPress, plugins and search-and-replace tools can help update legacy URLs, but always back up the database first.
Check Server TLS Support and Cipher Compatibility
Cloudflare expects the origin to support modern TLS protocols and ciphers.
If the server is outdated, SSL handshakes can fail even if the certificate is valid.
This is especially relevant on older hosting environments, unmanaged VPS setups, and legacy control panels.
Make sure the origin supports TLS 1.2 or newer and uses a compatible certificate type.
Some misconfigured servers disable SNI support or only present a default certificate that does not match the requested hostname.
If you have shell access, tools like openssl s_client can help you inspect the certificate chain and handshake behavior.
If not, your host can usually confirm whether the origin server is negotiating TLS correctly.
Review Cloudflare Security and Edge Settings
Cloudflare features can affect SSL behavior indirectly.
If you recently changed settings, review the following areas:
- Always Use HTTPS: Forces browser traffic to HTTPS and can interact with origin redirects.
- Automatic HTTPS Rewrites: Helps rewrite HTTP links, but does not fix all hardcoded content.
- Universal SSL: Ensure it is active for the zone.
- Certificate Transparency: Confirm issuance is complete if a new certificate was generated.
- HSTS: Can make browser-side HTTPS failures appear more severe if the origin is not ready.
If a certificate was recently renewed or the zone was just added to Cloudflare, propagation may take time.
However, persistent failures usually point to an origin or configuration issue rather than a delay.
How to Troubleshoot Specific Cloudflare SSL Errors
What does 525 SSL handshake failed mean?
A 525 error usually means Cloudflare could not complete the TLS handshake with the origin.
Common causes include certificate problems, unsupported cipher suites, or server-side TLS misconfiguration.
What does 526 invalid SSL certificate mean?
A 526 error means Cloudflare reached the origin, but the origin certificate failed validation.
This is often caused by an expired certificate, a hostname mismatch, or a missing intermediate certificate.
What does 527 Railgun error mean?
A 527 error is less common and is usually related to Cloudflare Railgun or a specific network path issue rather than a standard certificate problem.
If you see it, review your origin connectivity and any advanced network features in use.
Use a Practical Fix Order
If you want the fastest path to resolution, follow this order:
- Confirm the Cloudflare SSL/TLS mode.
- Verify the origin certificate is valid and matches the hostname.
- Check DNS records and make sure they point to the right server.
- Look for redirect loops and duplicate HTTPS rules.
- Scan for mixed content in the browser console.
- Validate TLS support on the origin server.
- Review Cloudflare edge features that may interfere with SSL behavior.
When to Contact Your Hosting Provider
If Cloudflare settings look correct but SSL still fails, the problem may be on the server side.
Contact your host if you suspect firewall blocking, broken TLS configuration, expired host certificates, unsupported cipher suites, or reverse proxy issues.
Provide them with the exact Cloudflare error code, your domain name, and the results of any certificate checks so they can identify the failure faster.
For WordPress, Magento, WooCommerce, or custom PHP applications, also verify that the application itself is generating secure URLs and that no plugin is forcing an incompatible redirect pattern.