Early access Faultline Teams — organizational memory for recurring CI failures across repos

SSL/TLS certificate error

A TLS/SSL certificate error prevented a secure connection.

ssl-cert-error high confidence network

Matched signals

  • certificate verify failed
  • ssl certificate problem
  • certificate has expired
  • tls handshake failed
  • unable to verify the first certificate
  • x509:
  • ssl_error
  • certificate signed by unknown authority

SSL/TLS certificate error

What this failure means

A TLS/SSL certificate error prevented a secure connection. The certificate was expired, self-signed, or signed by an untrusted certificate authority.

Symptoms

Faultline looks for one or more of these log fragments:

certificate verify failed
ssl certificate problem
certificate has expired
tls handshake failed
unable to verify the first certificate
x509:
ssl_error
certificate signed by unknown authority

Diagnosis

A TLS/SSL certificate error prevented a secure connection. The certificate was expired, self-signed, or signed by an untrusted certificate authority.

Fix steps

  1. Check whether the certificate has expired and inspect its subject and issuer:

    openssl s_client -servername <host> -connect <host>:443 </dev/null 2>/dev/null \
  | openssl x509 -noout -dates -subject -issuer

  2. Verify the system clock on the CI runner is accurate — even a few minutes of drift can cause certificate validation to fail:

    date -u

  3. If connecting to an internal service, add the CA certificate to the system trust store (update-ca-certificates on Debian/Ubuntu, update-ca-trust on RHEL/CentOS).

  4. If the failure only appears in corporate CI, a TLS-intercepting proxy may be presenting its own certificate. Install the proxy’s root CA on the runner image.

  5. Contact the service owner if their certificate has genuinely expired.

Validation

  • openssl s_client -servername <host> -connect <host>:443 </dev/null 2>/dev/null | openssl x509 -noout -dates shows a notAfter date in the future.
  • date -u confirms the system clock is accurate.
  • Re-run the failing step and confirm the TLS handshake succeeds.

Why it matters

Certificate errors commonly occur when: a service’s certificate has expired, a self-signed certificate is not trusted by the system CA bundle, a corporate proxy intercepts TLS traffic with its own certificate, or the system clock on the CI runner is wrong.

Prevention

  • Set up automated certificate renewal (e.g., Let’s Encrypt with cert-manager or certbot).
  • Monitor certificate expiry dates and alert 30 days before expiry.
  • Test certificate validity in a scheduled CI job.
  • Bake required internal CA certificates into the base runner image instead of configuring trust ad hoc in individual jobs.

Try it locally

openssl s_client -connect <host>:443 </dev/null
openssl s_client -connect <host>:443 </dev/null

How Faultline detects it

Use faultline explain ssl-cert-error to see the full playbook.

faultline analyze build.log
faultline explain ssl-cert-error

Generated from playbooks/bundled/log/network/ssl-cert-error.yaml. Do not edit directly.

Try it on your own failed log

$ faultline analyze failed.log
Install Faultline CLI View on GitHub
Want this across every CI run? Faultline Teams tracks recurring failures across all your repos and surfaces patterns in a shared dashboard.