SSL/TLS Errors with Proxies: Certificate Issues and Fixes

SSL/TLS errors when using a proxy server are among the most confusing issues to troubleshoot. The error messages are often vague, the underlying causes are technical, and the fixes vary significantly depending on the proxy type, client application, and operating system.

At their core, these errors indicate that the TLS handshake between your client and the target server (or between your client and the proxy) failed. The handshake may fail because of an untrusted certificate, a protocol mismatch, or an interception attempt. This guide covers every common scenario and provides practical solutions.

How TLS Works with Proxies

Understanding the TLS flow through a proxy is essential for diagnosing certificate errors.

HTTP Proxy with CONNECT

When you make an HTTPS request through an HTTP proxy, the process is:

  1. Your client sends a CONNECT target.com:443 request to the proxy
  2. The proxy establishes a TCP connection to target.com:443
  3. The proxy returns 200 Connection Established to your client
  4. Your client performs a TLS handshake directly with target.com through the proxy tunnel
  5. The proxy cannot see or modify the encrypted traffic

In this mode, the proxy is transparent to TLS. Certificate errors originate from the TLS handshake between your client and the target server, exactly as they would without a proxy.

HTTPS Proxy (TLS to Proxy)

Some proxies accept TLS connections from the client to the proxy itself:

  1. Your client performs a TLS handshake with the proxy server
  2. Inside that encrypted tunnel, your client sends a CONNECT request
  3. The proxy connects to the target and establishes another TLS session

This involves two TLS sessions: client-to-proxy and proxy-to-target. Certificate errors can occur in either session.

SSL/TLS Inspection Proxy

Enterprise and security proxies may perform TLS inspection (also called SSL interception or MITM):

  1. Your client connects to the proxy
  2. The proxy establishes a TLS connection to the target server
  3. The proxy generates a certificate for the target domain, signed by the proxy’s own CA
  4. The proxy presents this generated certificate to your client

If your client does not trust the proxy’s CA certificate, you get a certificate error.

Common SSL/TLS Errors and Fixes

Error: Certificate Is Not Trusted / Unknown CA

Cause: The certificate presented during the TLS handshake is signed by a certificate authority your system does not trust. This is common with:

  • SSL inspection proxies that generate certificates on the fly
  • Self-hosted proxies using self-signed certificates
  • Expired or incomplete certificate chains

Fix for SSL inspection proxies:

Install the proxy’s root CA certificate on your system:

Windows:

# Import CA certificate to trusted root store
certutil -addstore -f "ROOT" proxy-ca.crt

macOS:

# Add to system keychain
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain proxy-ca.crt

Linux:

# Ubuntu/Debian
sudo cp proxy-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# CentOS/RHEL
sudo cp proxy-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Python:

import shutil

import certifi
import requests

proxies = {"https": "http://proxy.example.com:8080"}  # placeholder proxy address
url = "https://target.com/"

# Point to a CA bundle that includes the proxy's CA
response = requests.get(url, proxies=proxies, verify="/path/to/ca-bundle.crt")

# Or build a bundle from certifi's default roots plus the proxy CA. Copy the file
# rather than editing certifi's own bundle, which is replaced on every upgrade.
shutil.copyfile(certifi.where(), "ca-bundle.crt")
with open("ca-bundle.crt", "ab") as bundle, open("proxy-ca.crt", "rb") as proxy_ca:
    bundle.write(b"\n" + proxy_ca.read())
response = requests.get(url, proxies=proxies, verify="ca-bundle.crt")

Error: Certificate Has Expired

Cause: The TLS certificate presented by either the proxy server or the target website has expired.

Fix:

  • If the expired certificate is on the proxy server, contact your proxy provider or renew the certificate if you manage the proxy
  • If the expired certificate is on the target website, the issue is not proxy-related
  • Verify your system clock is accurate, as a significantly wrong system time can cause valid certificates to appear expired

# Check the certificate expiration (only meaningful when the proxy itself accepts TLS connections)
echo | openssl s_client -connect proxy.example.com:8080 2>/dev/null | openssl x509 -noout -dates

Error: Hostname Mismatch

Cause: The certificate’s Common Name (CN) or Subject Alternative Name (SAN) does not match the hostname you are connecting to.

Fix:

  • Verify you are using the correct proxy hostname (not an IP address if the certificate is issued to a hostname)
  • If connecting by IP, the certificate must include the IP in its SAN field, which is uncommon
  • For self-hosted proxies, reissue the certificate with the correct hostname

Error: SSL Version or Cipher Mismatch

Cause: Your client and the proxy/target server cannot agree on a TLS version or cipher suite.

Fix:

# Test which TLS versions the proxy supports
openssl s_client -connect proxy.example.com:8080 -tls1_2
openssl s_client -connect proxy.example.com:8080 -tls1_3

Update your client to support modern TLS versions. If the proxy only supports older protocols (TLS 1.0 or 1.1), request an upgrade from your provider, as these versions have known security vulnerabilities.

Error: Certificate Pinning Failure

Cause: The target website or application uses certificate pinning, which specifies exactly which certificates are trusted. An SSL inspection proxy that generates its own certificates will break pinning.

Fix:

  • Bypass the SSL inspection proxy for pinned domains by adding them to the proxy’s bypass list
  • In enterprise environments, configure the proxy to pass through (not inspect) traffic to pinned domains
  • If you control the application, update the pinned certificate set to include the proxy’s CA

Platform-Specific Solutions

cURL

# Specify CA bundle
curl -x http://proxy:8080 --cacert /path/to/ca-bundle.crt https://target.com

# Skip certificate verification (testing only)
curl -x http://proxy:8080 -k https://target.com

# Debug TLS handshake
curl -x http://proxy:8080 -v https://target.com 2>&1 | grep -A5 "SSL"

Python Requests

import requests

proxies = {"https": "http://proxy.example.com:8080"}  # placeholder proxy address
url = "https://target.com/"

# Custom CA bundle
response = requests.get(url, proxies=proxies, verify="/path/to/ca-bundle.crt")

# Disable verification (testing only, never in production)
response = requests.get(url, proxies=proxies, verify=False)

Node.js

const https = require('https');
const fs = require('fs');

// Trust the proxy CA for connections made with this agent.
// Note: Node's built-in https.Agent has no "proxy" option. For CONNECT
// tunnelling use a proxy-capable agent (for example the https-proxy-agent
// package), or set NODE_EXTRA_CA_CERTS=/path/to/proxy-ca.crt so every TLS
// connection in the process trusts the proxy CA in addition to the defaults.
// The "ca" option below replaces the default root set rather than extending it.
const agent = new https.Agent({
  ca: fs.readFileSync('/path/to/proxy-ca.crt')
});

// Disable verification (testing only)
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Java

# Import CA into the Java keystore (JDK 9+ path shown; JDK 8 uses $JAVA_HOME/jre/lib/security/cacerts;
# the default keystore password is "changeit")
keytool -importcert -file proxy-ca.crt -keystore $JAVA_HOME/lib/security/cacerts -alias proxy-ca

Debugging TLS Issues

Inspecting the Certificate Chain

# View the full certificate chain through the proxy (the -proxy option requires OpenSSL 1.1.0 or later)
openssl s_client -connect target.com:443 -proxy proxy.example.com:8080 -showcerts

This shows every certificate in the chain. Look for:

  • The leaf certificate (should match the target domain)
  • Intermediate certificates (should chain to a trusted root)
  • The root certificate (should be in your trust store)

Comparing With and Without Proxy

# Without proxy
echo | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -noout -subject -issuer

# With proxy
echo | openssl s_client -connect target.com:443 -proxy proxy:8080 2>/dev/null | openssl x509 -noout -subject -issuer

If the issuer differs, your proxy is performing SSL inspection. The non-proxy result shows the real certificate issuer, while the proxy result shows the proxy’s CA.
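As an added example (not from the original article), the CONNECT flow from the "HTTP Proxy with CONNECT" section and the issuer comparison above, done with Python's standard library and certificate verification left on; the proxy and target names are placeholders you supply, and the pure helpers can be exercised on constructed proxy replies without a network.

```python
import socket
import ssl


def build_connect_request(host, port):
    """Step 1: the CONNECT request a client sends to an HTTP proxy."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_response(raw):
    """Step 3: parse the proxy's status line; 200 means the tunnel is open."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def issuer_cn(cert):
    """Issuer commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def is_inspected(direct_issuer, proxied_issuer):
    """A different issuer through the proxy means the proxy re-signs certs."""
    return direct_issuer != proxied_issuer


def issuer_via_proxy(target, proxy_host, proxy_port, cafile=None):
    """Steps 1-4: open the tunnel, then a verified TLS handshake inside it."""
    # cafile: a bundle that also holds the proxy CA when inspection is expected
    ctx = ssl.create_default_context(cafile=cafile)   # verification stays on
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        raw.sendall(build_connect_request(target, 443))
        reply = b""
        while b"\r\n\r\n" not in reply:       # read to the end of proxy headers
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection")
            reply += chunk
        if parse_connect_response(reply) != 200:
            raise ConnectionError(reply.split(b"\r\n", 1)[0].decode())
        with ctx.wrap_socket(raw, server_hostname=target) as tls:
            return issuer_cn(tls.getpeercert())   # step 4: the served cert
```

Call issuer_via_proxy("target.com", "proxy.example.com", 8080) with and without a cafile that includes the proxy CA: a verification failure without it, and a proxy-named issuer with it, is the SSL inspection signature this section describes.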

Security Considerations

Disabling TLS verification (-k, verify=False, NODE_TLS_REJECT_UNAUTHORIZED=0) eliminates all certificate validation. This should only be used for debugging, never in production, because it exposes you to man-in-the-middle attacks.

When using mobile proxies or any proxy service, the proxy provider can see your unencrypted HTTP traffic but should not be able to see HTTPS content unless they perform SSL inspection. If you encounter certificate errors with a standard proxy service that should not be inspecting traffic, investigate further, as it could indicate a compromised connection.

For definitions of TLS, SSL, MITM, and related terms, refer to the proxy glossary.

Preventing SSL/TLS Errors

  • Keep your system’s CA certificate store updated to trust all legitimate certificate authorities
  • Use TLS 1.2 or 1.3 and disable older versions
  • Monitor certificate expirations for any self-managed proxy infrastructure
  • Document which proxy endpoints require custom CA certificates and include the CA installation in your setup procedures
  • Test TLS connections as part of your proxy testing checklist to catch issues before they affect production

Conclusion

SSL/TLS errors with proxies stem from certificate trust issues, protocol mismatches, or SSL inspection configurations. Identify whether the error occurs in the client-to-proxy or proxy-to-target TLS session, then apply the appropriate fix. For SSL inspection proxies, install the proxy CA certificate. For protocol mismatches, ensure both sides support modern TLS versions. Always avoid disabling TLS verification in production, and investigate unexpected certificate issuers that may indicate unwanted traffic interception.
