What this error means
Error 522: Connection timed out means name resolution, origin connectivity, or TLS certificate validation failed before the application request could complete.
Why this happens
DNS and TLS failures often happen outside the application: resolver cache, authoritative records, proxy mode, origin firewall, or CA trust.
For Cloudflare error 522 connection timed out, separate DNS, CDN/proxy, origin, and certificate checks instead of changing app code first.
Quick fixes
- Check the exact hostname, not just the apex domain.
- Confirm the origin responds directly, allow Cloudflare IP ranges, and verify DNS points to the correct server.
- Compare direct origin behavior with proxied/CDN behavior when possible.
- Retry after DNS TTL or certificate deployment has had time to propagate.
Copy-paste commands
Query DNS records
dig example.com A
dig example.com CNAME
Check HTTP response headers
curl -I https://example.com
Inspect TLS certificate chain
openssl s_client -connect example.com:443 -servername example.com </dev/null
Flush macOS DNS cache
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
Real-world fixes
- If Cloudflare is enabled, test whether the origin responds when accessed directly.
- If only one network fails, compare DNS resolver answers before changing server config.
- Confirm the origin responds directly, allow Cloudflare IP ranges, and verify DNS points to the correct server.
Step-by-step troubleshooting
- Confirm the browser, client, or log reports
Error 522: Connection timed outfor the same hostname. - Use
digto verify the authoritative DNS answer. - Use
curl -Ito check whether the hostname reaches the expected service. - Use
openssl s_clientto inspect certificate hostname, issuer, and expiry. - If a CDN is involved, compare proxied and direct-origin behavior.
Platform-specific fixes
macOS
- Use
dscacheutilto clear local DNS cache after changing records.
Linux
- Use
digorresolvectl queryto compare resolver answers.
Windows
- Use
ipconfig /flushdnsafter DNS changes, then retest the exact hostname.
How to prevent it
- Track DNS changes with owner, TTL, and expected target.
- Monitor certificate expiry before renewal windows close.
- Keep CDN SSL mode and origin certificate configuration documented.