Cloudflare 525 / Traefik
Cloudflare 525 means Cloudflare reached the origin but could not complete a TLS handshake.
Checklist
- Confirm DNS A/AAAA records point to the VPS that runs Traefik.
- Confirm the origin accepts traffic on port 443.
- Inspect Traefik logs for ACME or certificate errors.
- Verify Cloudflare SSL mode is compatible with the origin certificate.
- Check stale IPv6 records if one hostname fails and another works.
- Confirm the Docker router has the expected
Host()rule and network.
Notes
Fixing one subdomain does not automatically fix another. Compare records and certificates per hostname.
Related page: Traefik.