Troubleshooting
If your query returns an error even after configuring and embedding a client SSL certificate, check the following settings.
On your terminal, use the following command to check whether an SSL/TLS connection can be established successfully between the client and the API endpoint.
curl --verbose --cert /path/to/certificate.pem --key /path/to/key.pem https://your-api-endpoint.comIf the SSL/TLS handshake cannot be completed, check whether the certificate and the private key are correct. If the handshake completes but requests are still blocked, confirm that Cloudflare is verifying the client certificate.
Check whether mTLS has been enabled for the correct host. The host should match the API endpoint that you want to protect.
To review mTLS rules, consider the steps below. For further guidance refer to Custom rules.
-
In the Cloudflare dashboard, go to the Security rules page.
Go to Security rules -
On a specific rule, select Edit.
-
On that rule, check whether:
-
The Expression Preview is correct.
-
The hostname, if defined, matches your API endpoint. For example, for the API endpoint
api.trackers.ninja/time, the rule should look like:(http.host in {"api.trackers.ninja"} and not cf.tls_client_auth.cert_verified)
-
-
To edit the rule, either use the user interface or select Edit expression.
You can use Cloudflare Workers to debug client certificate validation failures.
-
Create a Worker to debug print cf.properties:
JavaScript export default {async fetch(request, env, ctx) {console.info({ message: JSON.stringify(request.cf, null, 2) });return new Response(JSON.stringify(request.cf, null, 2))}}; -
Associate the Worker with the hostname where mTLS is enabled using a Worker route or a Custom Domain.
-
Make requests to the hostname and/or path configured, with and without sending the mTLS client certificate.
-
View your logs on the Observability dashboard and compare the responses against the expected values listed below.
Go to Observability
-
Valid certificate
"tlsClientAuth": {"certPresented": "1","certVerified": "SUCCESS",}, -
Invalid certificate (for example, self-signed certificates)
"tlsClientAuth": {"certPresented": "1","certVerified": "FAILED:self signed certificate",}, -
No certificate
"tlsClientAuth": {"certPresented": "0","certVerified": "NONE",},
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2026 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
