SSL Certificate Error — an invalid client SSL certificate was presented
What 495 Means
The Nginx 495 server error indicates an SSL certificate error: an invalid client SSL certificate was presented. This typically occurs when the client presents an expired or revoked SSL certificate.
Nginx 495 is a custom response logged when a client attempts to connect using an SSL certificate that fails to validate. It specifically occurs during Mutual TLS configurations where the web server strictly demands and verifies a certificate from the client before acting.
Technical Background
The 495 code operates entirely at the transport security boundary. Unlike standard application-level authentication like passwords or tokens, this rejection happens during the initial TLS handshake layer before typical HTTP data is even processed.
This status is explicitly linked to client-side certificates. A normal web user who only receives data from an encrypted website will never trigger a 495. It is confined to strict enterprise environments and high-security API perimeters.
Because the rejection occurs so early in connection establishment, Nginx intercepts the flow and writes the 495 to the access log. The client usually perceives this as a low-level connection error or handshake failure.
Common Causes
- Client presents an expired or revoked SSL certificate
- Certificate signature chain is broken or missing
- Self-signed client certificate fails validation against the CA list
- Mutual TLS requirement rejects a fundamentally malformed certificate
Typical Scenarios
- A microservice presents an outdated security certificate to the central Nginx gateway
- A corporate user tries logging onto an internal portal using a revoked smartcard credential
- An API developer sends traffic using a self-signed identity certificate that lacks trust
What to Know
A 495 clearly indicates a security misconfiguration at the identity level. Tracing the error invariably leads to inspecting the client's keystore, verifying certificate expiration dates, and ensuring the Nginx server possesses the correct Trusted Root Authority chains.
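To start that trace from the server side, the following added example (not part of the original page) groups 495 entries in an access log by client and by the causes listed above. It assumes a custom `log_format` that appends nginx's `$ssl_client_verify` and `$ssl_client_s_dn` variables to the combined format; `$ssl_client_verify` carries a `FAILED:reason` value in nginx 1.11.7 and later. The sample lines and subject names are constructed.

```python
import re
from collections import Counter

# Assumed log_format (not from the page): "combined" followed by
#   ssl_verify="$ssl_client_verify" ssl_dn="$ssl_client_s_dn"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+'
    r'.*? ssl_verify="(?P<verify>[^"]*)" ssl_dn="(?P<dn>[^"]*)"'
)

# OpenSSL verify-error text (as logged after "FAILED:") -> cause listed above
CAUSES = [
    ("certificate has expired", "expired"),
    ("certificate revoked", "revoked"),
    ("self signed certificate", "self-signed / untrusted"),
    ("unable to get local issuer certificate", "broken or missing chain"),
]

def classify(verify):
    """Map a $ssl_client_verify value to a cause, or None if it did not fail."""
    if not verify.startswith("FAILED"):
        return None
    # OpenSSL 3.x spells it "self-signed"; normalise to the older wording.
    reason = verify.partition(":")[2].lower().replace("self-signed", "self signed")
    for needle, cause in CAUSES:
        if needle in reason:
            return cause
    return "other: " + (reason or "no reason logged")

def triage(lines):
    """Count 495 responses per (client DN or IP, cause)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "495":
            continue
        cause = classify(m["verify"])
        if cause:
            counts[(m["dn"] or m["ip"], cause)] += 1
    return counts

# Constructed sample lines (documentation IP ranges, made-up subject DNs)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /api/v1/orders HTTP/1.1" 495 208 "-" "svc-client/1.0" ssl_verify="FAILED:certificate has expired" ssl_dn="CN=orders-svc"',
    '192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "GET /api/v1/orders HTTP/1.1" 495 208 "-" "svc-client/1.0" ssl_verify="FAILED:certificate has expired" ssl_dn="CN=orders-svc"',
    '192.0.2.22 - - [01/Jan/2025:10:01:00 +0000] "GET /portal HTTP/1.1" 495 208 "-" "Mozilla/5.0" ssl_verify="FAILED:certificate revoked" ssl_dn="CN=jdoe"',
    '198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "POST /api/v1/test HTTP/1.1" 495 208 "-" "curl/8.5.0" ssl_verify="FAILED:self-signed certificate" ssl_dn="CN=dev-laptop"',
    '192.0.2.30 - - [01/Jan/2025:10:03:00 +0000] "GET /api/v1/orders HTTP/1.1" 200 512 "-" "svc-client/1.0" ssl_verify="SUCCESS" ssl_dn="CN=billing-svc"',
]
```

Calling `triage(SAMPLE_LOG)` returns a `Counter` keyed by `(client, cause)`, so a client that keeps retrying with the same bad certificate stands out by its count.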
Frequently Asked Questions
Common questions about Nginx 495 error
It is triggered when Nginx is configured to require client certificates, and the connecting client provides one that is expired, revoked, or untrusted.
No. The 495 status is entirely custom to Nginx logging conventions for capturing Mutual TLS handshake failures at the edge.
The client application must be updated to present a valid, unexpired certificate that is properly trusted by the Nginx Root Authority configuration.