DNS and SSL Diagnostics
Learning Focus
By the end of this lesson you will be able to use CLI tools to diagnose DNS issues, understand common SSL error codes, and troubleshoot the most frequent origin connection errors.
The Troubleshooting Toolkit
Before reaching out to support, use these CLI tools to diagnose where the issue lies:
| Tool | Purpose | Command |
|---|---|---|
| curl | Test HTTP responses and headers | curl -Iv https://example.com |
| dig | Verify DNS records and resolution | dig +short example.com |
| traceroute | Map the network path to host | traceroute example.com |
| Cloudflare Trace | Check Edge connectivity/POPs | curl https://example.com/cdn-cgi/trace |
DNS Issues
1. Records Not Propagating
If you added a record but it's not showing up:
- Check Nameservers: Run
dig +short NS example.com. You should see Cloudflare's nameservers (e.g.,ns1.cloudflare.com). - Proxy Status: If the record is "Proxied" (orange cloud),
digwill return Cloudflare IPs, not your origin IP. This is expected! - TTL: Changes can take as long as the TTL (Time To Live). Cloudflare's "Auto" TTL is typically ~300s.
2. "NXDOMAIN" Error
- Meaning: The domain doesn't exist.
- Fix: Check that the CNAME or A record is exactly correct and that the root domain is properly configured.
SSL/TLS Issues
1. "Too Many Redirects" (ERR_TOO_MANY_REDIRECTS)
- Cause: Redirect loop between Cloudflare and your origin. Usually occurs when Cloudflare is set to "Flexible" SSL, but your origin forces HTTPS.
- Solution: Set SSL/TLS mode to Full (Strict).
2. "SSL Handshake Failed" (Error 525)
- Cause: Cloudflare couldn't negotiate a secure connection with your origin server.
- Check:
- Does your origin server have a valid certificate (even if self-signed)?
- Is your origin listening on port 443?
- Does your origin support modern TLS versions (1.2 or 1.3)?
3. "Invalid SSL Certificate" (Error 526)
- Cause: Occurs with Full (Strict) mode when your origin's certificate is invalid or expired.
- Solution: Install a valid certificate (from CA or Cloudflare Origin CA) and ensure the hostname matches the certificate.
Origin Connectivity Issues
Error 521: Web Server Is Down
- Cause: Cloudflare tried to connect to your origin, but it refused the connection.
- Check: Is your web server (Nginx/Apache) running? Is port 80/443 open? Is your firewall blocking Cloudflare's IPs?
Error 522: Connection Timed Out
- Cause: Cloudflare reached your network, but couldn't establish a TCP connection within 15 seconds.
- Check: Usually a firewall or networking issue. Ensure all Cloudflare IP ranges (cloudflare.com/ips) are whitelisted.
Error 524: A Timeout Occurred
- Cause: Cloudflare established a connection, but the origin didn't send an HTTP response before the 100-second timeout.
- Check: Long-running database queries, expensive scripts, or origin server overload.
tip
Cloudflare 5xx errors typically include the POPP (Data Center) code in the footer (e.g., sjc). Check cloudflarestatus.com to see if that specific data center is having an outage.
Key Takeaways
- Use curl, dig, and trace to isolate problems at the edge or origin.
- SSL Loops are usually caused by "Flexible" mode — use Full (Strict).
- Error 521/522 usually mean your firewall is blocking Cloudflare.
- Error 524 means your origin server is taking too long to respond.
- Always check the Cloudflare Status Page if you suspect a global issue.
What's Next
- Continue to Reference and Cheatsheet for a quick guide to commands and codes.