Troubleshooting
If your query returns an error even after configuring and embedding a client SSL certificate, check the following settings.
Check SSL/TLS handshake
In your terminal, use the following command to check whether an SSL/TLS connection can be established successfully between the client and the API endpoint.
curl --verbose --cert /path/to/certificate.pem --key /path/to/key.pem https://your-api-endpoint.com
If the SSL/TLS handshake cannot be completed, check whether the certificate and the private key are correct.
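One way to run that certificate and key check locally with `openssl`, as an added example that is not part of the original documentation. The function names `check_client_pair` and `describe_result` and their return codes are hypothetical, and the script assumes PEM files with an unencrypted private key.

```bash
#!/usr/bin/env bash
# Added example: verify locally that a client certificate and private key
# belong together before retrying the curl handshake test.
# Function names and return codes are hypothetical (chosen for this example).
# Assumes PEM files and an unencrypted private key.

# Return codes: 0 ok, 1 certificate unreadable, 2 key unreadable,
#               3 key does not match certificate, 4 certificate expired.
check_client_pair() (
  cert="$1"; key="$2"
  # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || exit 1
  [ -n "$cert_pub" ] || exit 1
  # Public key derived from the private key, in the same encoding.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || exit 2
  [ -n "$key_pub" ] || exit 2
  # A mismatch means this key cannot complete the handshake for this certificate.
  [ "$cert_pub" = "$key_pub" ] || exit 3
  # -checkend 0 fails if the certificate's notAfter date has already passed.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || exit 4
  exit 0
)

# Map a return code from check_client_pair to a readable message.
describe_result() {
  case "$1" in
    0) echo "certificate and key match; certificate is not expired" ;;
    1) echo "certificate file is missing or not a valid PEM certificate" ;;
    2) echo "key file is missing, encrypted, or not a valid PEM private key" ;;
    3) echo "private key does not belong to this certificate" ;;
    4) echo "certificate has expired" ;;
    *) echo "unknown result: $1" ;;
  esac
}

# Stand-alone use: ./check_pair.sh /path/to/certificate.pem /path/to/key.pem
if [ "$#" -eq 2 ]; then
  rc=0
  check_client_pair "$1" "$2" || rc=$?
  describe_result "$rc"
  exit "$rc"
fi
```

A result of 0 here only rules out a local file problem; the server must still trust the issuing CA for the handshake to succeed.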
Check mTLS hosts
Check whether mTLS has been enabled for the correct host. The host should match the API endpoint that you want to protect.
Review mTLS rules
To review mTLS rules:
- Select Security > WAF > Custom rules.
- On a specific rule, select Edit.
- On that rule, check whether:
  - The Expression Preview is correct.
  - The hostname, if defined, matches your API endpoint. For example, for the API endpoint api.trackers.ninja/time, the rule should look like: (http.host in {"api.trackers.ninja"} and not cf.tls_client_auth.cert_verified)
- To edit the rule, either use the user interface or select Edit expression.