In this tutorial, we will review the most common error messages (5XX) found on websites whose domains use Cloudflare name servers (NS), their meaning, and possible solutions.
For example, errors 521, 522, and 523 are usually related to server reachability, while 525 and 526 are related to SSL/TLS encryption between Cloudflare and the website server.
Where to Start?
If a 5XX error was detected, first check the website:
using another internet browser;
on another device, for example, a phone;
using a different internet connection (for example, mobile data).
If the error can be reproduced, it is likely that the issue is between Cloudflare and the website server.
It is also important to check for any ongoing outages or disruptions on Cloudflare’s side. You can see this on their website:
Error Numbers
Error 521
521 Web server is down indicates that Cloudflare tried to connect to the website’s server, but the connection failed. The most common reasons are:
the website’s web server is unreachable (offline);
Cloudflare requests are being blocked.
Error 522
522 Connection timed out means that Cloudflare tried to connect to the server but did not receive a response in time. According to Cloudflare documentation, this may happen when:
the server does not respond quickly enough during the initial connection;
or it does not confirm requests after the connection is established.
Note: The main difference between errors 521 and 522 is:
In the 521 case, the server completely rejects the connection.
In the 522 case, Cloudflare waits, but the server does not respond in time.
Error 523
523 Origin is unreachable means that Cloudflare cannot reach the server whose IP address is specified in the DNS record. This usually happens for one of two reasons:
there is no proper connection between Cloudflare and the server;
or the DNS record contains an incorrect IP address.
Error 525
525 SSL handshake failed means that Cloudflare could not securely connect to the website server. This error is most commonly found when Cloudflare SSL/TLS mode is set to Full or Full (Strict), but the server cannot properly accept HTTPS traffic.
In such cases, the problem may be solved by changing the encryption mode to
Flexible.
Error 526
526 Invalid SSL certificate means that Cloudflare could not verify the server’s SSL certificate. This usually happens when:
the Cloudflare setting is Full (Strict) mode;
but the server’s SSL certificate is invalid or does not meet the requirements (for example, incorrectly installed or expired).
Note: The main difference between errors 525 and 526 is:
Error 525 — SSL communication between Cloudflare and the server could not be established.
Error 526 — the connection to the server succeeded, but Cloudflare could not validate the SSL certificate.
More information about these errors can be found on the Cloudflare help page.