TL;DR
525 means Cloudflare cannot complete TLS with the www origin. Point www at the same target as the apex then add a 301 redirect from www to the apex.
Today I saw a clean 301 in Ahrefs ((BTW I do recomend free afref account for your site)) then a 525 at the end of the chain for tyloch.biz. I assumed it was a redirect bug. It was not. Cloudflare could not complete TLS with whatever www was pointing at. DNS did this not my content.
The signal#
Error 525 means Cloudflare cannot talk TLS to the origin. That is a wiring fault. Think of a doorbell that rings and no one opens the door. The redirect chain dies at the last hop.
If https://www.tyloch.biz shows 525 then Cloudflare is proxying a host that does not answer with a valid certificate.
The mistake#
My apex was on Pages but www still pointed to an old host. That mismatch is enough to break TLS. The fix is to point both hosts at the same place or to a clean redirect.
The fix#
- I added
www.tyloch.bizas a custom domain in my Pages project and waited for it to show Active. - In DNS I set the
wwwCNAME to the same Pages target as the apex and removed old A or CNAME records. - I kept it proxied. Full strict works once Pages is active.
Make one host the boss#
I wanted a single canonical host so I added a Page Rule that pushes www to the apex.
- URL pattern:
https://www.tyloch.biz/* - Setting: Forwarding URL
- Status: 301
- Destination:
https://tyloch.biz/$1
Once www and apex agree the chain is boring and boring is good. If Ahrefs still complains I wait for DNS caches and recheck.