533 Upstream TLS Error
The HTTP 533 Upstream TLS Error status code is an unofficial server error specific to Edgio (formerly Layer0). The Edgio platform returns this code when an edge server or serverless compute worker is unable to complete a TLS handshake with the origin server.
Usage
When Edgio forwards a request to an origin over HTTPS, the platform initiates a TLS handshake before transmitting application data. If the handshake fails, Edgio returns a 533 to the client. Unlike 531, where no TCP connection is established at all, a 533 indicates TCP connectivity succeeded but the TLS negotiation broke down.
Common causes include:
- The origin's TLS certificate has expired.
- The certificate's Subject Alternative Name (SAN) does not match the hostname Edgio uses to connect.
- The origin only supports TLS protocol versions or cipher suites incompatible with Edgio's requirements.
- A self-signed certificate is presented without Edgio being configured to trust the signing authority.
Note
Edgio validates the origin certificate during the upstream TLS handshake. A hostname mismatch between the configured origin and the certificate's SAN field triggers a 533 even when the certificate is otherwise valid.
SEO impact
Search engines treat Edgio 533 responses as server errors. Persistent TLS handshake failures reduce crawl rate and prevent indexing of affected URLs. Fixing the origin TLS configuration restores normal crawling.
Example
A client requests a page through Edgio. The origin presents an expired TLS certificate, and Edgio returns a 533 error.
Request
GET /account HTTP/1.1
Host: www.example.re
Accept: text/html
Response
HTTP/1.1 533 Upstream TLS Error
Date: Mon, 02 Mar 2026 14:20:00 GMT
Content-Type: text/html
Server: ECAcc (dce/26A1)
<html>
<head><title>533 TLS Error</title></head>
<body>
<h1>533 Upstream TLS Error</h1>
<p>Unable to establish a TLS connection to origin</p>
</body>
</html>
How to fix
Check the origin server's TLS certificate expiration
date. Run openssl s_client -connect origin:443 and
inspect the Not After field. Renew the certificate
before expiry or replace an already-expired
certificate.
Verify the certificate's SAN entries include the
exact hostname configured as the origin in the Edgio
project settings. A certificate issued for
www.example.re does not cover api.example.re
unless the SAN lists both or uses a wildcard
(*.example.re).
Confirm the origin supports TLS 1.2 or later. Older protocol versions (TLS 1.0, TLS 1.1) are deprecated and Edgio does not negotiate connections using them. Update the origin's TLS configuration to enable TLS 1.2 or TLS 1.3.
Review the origin's cipher suite configuration. The origin must offer at least one cipher suite compatible with Edgio's TLS client. Modern cipher suites based on AES-GCM or ChaCha20-Poly1305 are widely supported.
For self-signed certificates, configure the Edgio project to disable upstream certificate validation or add the signing CA to the trusted certificate store in the project configuration.
Takeaway
The 533 Upstream TLS Error is an Edgio-specific status code indicating a TLS handshake failure between the Edgio platform and the origin server, most commonly caused by expired certificates, hostname mismatches, or unsupported TLS versions.
See also
- 531 Upstream Connection Error
- 525 SSL Handshake Failed
- 526 Invalid SSL Certificate
- HSTS
- HTTP status codes