SSL Certificate Required
Production Risk
Low — affects only clients that have not been provisioned with the correct client certificate.
496 SSL Certificate Required is an nginx extension indicating that the client did not provide a certificate during an mTLS handshake, but the server requires one. This is distinct from 495 (invalid certificate presented) — here, no certificate was sent at all.
1. The nginx server requires client certificate authentication (ssl_verify_client on) but the client sent no certificate.
2. The client application is not configured with a client certificate for this endpoint.
3. A client that was not designed for mTLS is attempting to connect to an mTLS-only endpoint.
A client makes an HTTPS request to an nginx mTLS endpoint without sending a client certificate.
# Client connects with no client certificate
curl https://api.example.com/secure
# No --cert flag provided
expected output
HTTP/1.1 496 SSL Certificate Required
Fix
Provide a client certificate in the request
WHEN The endpoint requires mTLS.
curl --cert client.crt --key client.key https://api.example.com/secure
Why this works
Sends the client certificate during the TLS handshake, satisfying the server's mTLS requirement.
✕ Do not disable ssl_verify_client to bypass this error
This removes the mutual authentication requirement, weakening the security model.
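Instead of relaxing ssl_verify_client, an operator can identify which clients still connect without a certificate and provision them. The script below is an added example, not part of the original page: it assumes a custom log_format (the name mtls is hypothetical) that records nginx's $ssl_client_verify variable, which is NONE when no certificate was presented and FAILED:reason when one was rejected, and it runs over constructed log lines.

```python
import re
from collections import defaultdict

# Assumed nginx log format (hypothetical name "mtls", not from the original page):
#   log_format mtls '$remote_addr "$request" verify="$ssl_client_verify" dn="$ssl_client_s_dn"';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<request>[^"]*)" verify="(?P<verify>[^"]*)" dn="(?P<dn>[^"]*)"$'
)

# Constructed sample lines (documentation-range addresses, made-up subject DNs).
SAMPLE_LOG = """\
203.0.113.10 "GET /secure HTTP/1.1" verify="NONE" dn=""
203.0.113.10 "GET /secure HTTP/1.1" verify="NONE" dn=""
198.51.100.7 "GET /secure HTTP/1.1" verify="SUCCESS" dn="CN=billing-svc"
198.51.100.9 "POST /secure HTTP/1.1" verify="FAILED:certificate has expired" dn="CN=old-batch"
not a log line
"""

def classify(verify):
    """Map a $ssl_client_verify value to the condition it represents."""
    if verify == "NONE":
        return "no_certificate"       # the 496 condition: nothing was sent
    if verify.startswith("FAILED"):
        return "invalid_certificate"  # the 495 condition: sent but rejected
    if verify == "SUCCESS":
        return "ok"
    return "unknown"

def triage(log_text):
    """Return ({category: {client_ip: count}}, number_of_unparsable_lines)."""
    summary = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # keep a count so malformed lines are not silently lost
            continue
        summary[classify(m["verify"])][m["ip"]] += 1
    return {k: dict(v) for k, v in summary.items()}, skipped

def unprovisioned_clients(log_text):
    """Clients that sent no certificate at all, busiest first."""
    summary, _ = triage(log_text)
    return sorted(summary.get("no_certificate", {}).items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for ip, n in unprovisioned_clients(SAMPLE_LOG):
        print(f"{ip}: {n} request(s) without a client certificate")
```

Separating NONE from FAILED keeps the two remediation paths apart: the first group needs a certificate issued, the second needs its existing certificate replaced or its chain fixed.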
nginx-specific extension. Not a standard IETF code.
nginx SSL module documentation
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#496