SSL Certificate Error
Production Risk
Medium — indicates a broken mTLS setup. Clients cannot authenticate until the certificate issue is resolved.
495 SSL Certificate Error is an nginx extension used when a client presents an invalid SSL certificate during mutual TLS (mTLS) authentication. It is used to distinguish client certificate errors from other 400-class errors.
1. The client's SSL certificate has expired.
2. The client's certificate is not signed by a trusted CA configured in nginx.
3. The client's certificate has been revoked.
4. The client sent a malformed certificate or no certificate when one is required.
An mTLS endpoint where client certificate authentication is required and the client presents an expired certificate.
# nginx.conf
ssl_verify_client on;
ssl_client_certificate /etc/nginx/ca.crt;
# Client connects with expired/invalid cert
expected output
HTTP/1.1 495 SSL Certificate Error
Fix
Renew or replace the client certificate
WHEN: The client certificate is expired or invalid.
# Generate a new certificate signing request (CSR) from the client's key
openssl req -new -key client.key -out client.csr
# Sign the CSR with your CA and distribute the resulting certificate to the client
Why this works
Provides the client with a valid, trusted certificate for mTLS authentication.
✕ Do not set ssl_verify_client off to work around 495
This disables client certificate verification entirely, removing mTLS security.
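Instead of turning verification off, check the failing certificate against the same CA file nginx uses to see which of the causes listed above applies. The following is an added example, not part of the original page: it runs `openssl verify` and maps the result to expired, untrusted or malformed. The function name `classify_client_cert`, the file names and the throwaway certificates are constructed for illustration, and revocation (CRL) checks are not covered.

```shell
#!/bin/sh
# classify_client_cert CA_FILE CERT_FILE [UNIX_TIME]
# Prints one of: ok | expired | untrusted | malformed | other
classify_client_cert() {
    ca=$1; cert=$2; at=${3:-}
    # Malformed: the file does not parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo malformed; return 0; }
    # -attime evaluates validity at a chosen moment instead of "now".
    if [ -n "$at" ]; then
        out=$(openssl verify -attime "$at" -CAfile "$ca" "$cert" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) || true
    fi
    case $out in
        *"certificate has expired"*) echo expired ;;
        *"unable to get local issuer"*|*"self"*"signed certificate"*) echo untrusted ;;
        *": OK"*) echo ok ;;
        *) echo other ;;
    esac
}

# Constructed sample input: two throwaway CAs and a 1-day client certificate.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
gen_ca() {  # gen_ca NAME -> self-signed CA in $WORK/NAME.crt, valid 10 years
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
gen_ca trusted-ca   # stands in for the file named by ssl_client_certificate
gen_ca other-ca     # a CA that nginx does not trust
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -days 1 -CAcreateserial \
    -CA "$WORK/trusted-ca.crt" -CAkey "$WORK/trusted-ca.key" \
    -out "$WORK/client.crt" 2>/dev/null
echo "not a certificate" > "$WORK/broken.crt"
LATER=$(( $(date +%s) + 10 * 86400 ))  # ten days ahead, past the 1-day lifetime

classify_client_cert "$WORK/trusted-ca.crt" "$WORK/client.crt"
classify_client_cert "$WORK/trusted-ca.crt" "$WORK/client.crt" "$LATER"
classify_client_cert "$WORK/other-ca.crt" "$WORK/client.crt"
classify_client_cert "$WORK/trusted-ca.crt" "$WORK/broken.crt"
```

Against a real deployment, pass the path from `ssl_client_certificate` as the first argument and the client's certificate file as the second.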
nginx-specific extension for mTLS error reporting. Not a standard IETF code.
nginx SSL module documentation
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#495