495 SSL Certificate Error

HTTP response status code 495 SSL Certificate Error is an unofficial client error specific to nginx. The server returns this code when client certificate verification fails.

Usage

The 495 SSL Certificate Error status code indicates the client sent an invalid SSL certificate with the HTTP request. This code is related to 400 Bad Request. Resolving this error requires resubmitting the request with a valid client certificate.

Common causes include expired certificates, certificates signed by an untrusted authority, and certificates with mismatched common names.

SEO impact

Search engines like Google do not index a URL with 495 SSL Certificate Error response status. URLs previously indexed with this code are removed from search results.

Example

A client sends a request with an expired client certificate. The nginx server rejects the request with 495 SSL Certificate Error.

Request

GET /secure/api HTTP/1.1
Host: www.example.re

Response

HTTP/1.1 495
Content-Type: text/html
Content-Length: 184

<html>
  <head>
    <title>SSL Certificate Error</title>
  </head>
  <body>
   <p>The SSL certificate presented is not
   valid. Verify the certificate and retry.</p>
  </body>
</html>

The nginx error log records the specific certificate verification failure:

SSL client certificate verify error: (10:certificate has expired)

How to fix

Check the nginx error log first. The log entry identifies the exact verification failure with a numeric code:

SSL client certificate verify error:
(10:certificate has expired)
(2:unable to get issuer certificate)
(21:unable to verify the first certificate)

Verify the client certificate is not expired. Check the certificate dates with:

openssl x509 -enddate -noout -in client.pem

Renew the certificate before expiry to avoid service interruptions.

Ensure the full certificate chain is included. Intermediate certificates linking the client certificate to a trusted root must be bundled in the client request. Missing intermediates produce error code 2 or 21 in the nginx log.

Confirm the issuing CA is listed in the server's ssl_client_certificate file. This file must contain all trusted CA certificates (root and intermediate) in PEM format, concatenated:

ssl_client_certificate /etc/nginx/trusted_ca.pem;
ssl_verify_client on;
ssl_verify_depth 3;

The ssl_verify_depth directive controls how many intermediate certificates nginx traverses when building the chain. The default is 1, which is insufficient for chains with multiple intermediates.

Check key strength. Certificates with keys shorter than 2048 bits fail verification on systems enforcing modern security policies.

Increase the nginx error log verbosity to info level when debugging:

error_log /var/log/nginx/error.log info;

Use error_page 495 to serve a custom error page instead of the default nginx error:

error_page 495 /cert_error.html;

Regenerate the client certificate if the private key is compromised or the certificate file is corrupted.
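
The log check in the first step can be scripted. The following Python script is an added example, not code from nginx or from the original page: it groups verify errors in an error log by numeric code and client, and attaches the fix this page gives for each code. The function name triage and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches nginx's "client SSL certificate verify error: (N:reason)" and the
# "SSL client ..." word order used on this page; the client address is optional.
VERIFY_RE = re.compile(
    r"(?:client SSL|SSL client) certificate verify error: "
    r"\((?P<code>\d+):(?P<reason>[^)]*)\)"
    r"(?:.*?client: (?P<client>[^,\s]+))?"
)

# Remediation hints taken from the steps on this page.
CHAIN = "send the full chain; list the issuing CA in ssl_client_certificate"
HINTS = {10: "renew the client certificate (openssl x509 -enddate -noout)",
         2: CHAIN, 21: CHAIN}

def triage(lines):
    """Return {code: {"reason", "count", "clients", "hint"}} for verify errors."""
    report = {}
    for line in lines:
        m = VERIFY_RE.search(line)
        if not m:
            continue  # unrelated log entry
        code = int(m["code"])
        entry = report.setdefault(code, {
            "reason": m["reason"], "count": 0, "clients": Counter(),
            "hint": HINTS.get(code, "not covered on this page; look up the OpenSSL verify code"),
        })
        entry["count"] += 1
        entry["clients"][m["client"] or "unknown"] += 1
    return report

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = """\
2026/03/04 10:15:22 [info] 911#911: *57 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: 203.0.113.7, server: www.example.re
2026/03/04 10:15:40 [info] 911#911: *58 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: 203.0.113.7, server: www.example.re
2026/03/04 10:16:02 [info] 911#911: *61 client SSL certificate verify error: (2:unable to get issuer certificate) while reading client request headers, client: 198.51.100.23, server: www.example.re
2026/03/04 10:16:05 [error] 911#911: *62 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 203.0.113.7, server: www.example.re
SSL client certificate verify error: (21:unable to verify the first certificate)
""".splitlines()

if __name__ == "__main__":
    for code, e in sorted(triage(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        top = ", ".join(f"{ip} x{n}" for ip, n in e["clients"].most_common(3))
        print(f"{code:>3} {e['reason']}: {e['count']} ({top})")
        print(f"    fix: {e['hint']}")
```

The verify errors only appear in the log once error_log is set to info level, as described above.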

Takeaway

The 495 SSL Certificate Error status code is an nginx client error sent when the client submits a request with an invalid SSL certificate.

Last updated: March 4, 2026