
Issue with SSL cert client verification and Client cert not represent - 400 ssl error

Publish Date: Nov 14, 2025
Description

The customer encountered an SSL error when triggering the C1st endpoint after renewing a client certificate in the production load balancers. The Mule system did not receive any logs for the request. The issue was identified as being caused by the client sending an old certificate and a mismatch in the new certificate chain. 400 SSL error logs were found on the DLB:

 

[06/Nov/2025:08:22:49 +0000] "POST /api/v1/leads HTTP/1.1" 400 180 "-" "-" "-" rt=0.002 uct="-" uht="-" urt="-" ua="-" us="-" proto="TLSv1.2" cipher="ECDHE-RSA-AES256-GCM-SHA384"
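
A triage sketch for the log pattern above, added here as an example (it is not MuleSoft or Salesforce code): it parses access-log lines in the layout shown and flags requests the load balancer answered with 400 without contacting an upstream, which is consistent with Mule receiving no logs. It assumes `us` and `urt` are the upstream status and upstream response time; the second and third sample lines are constructed.

```python
import re

# Leading part of the DLB access-log layout shown in the article.
HEAD_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)
# key=value pairs that follow; values may be quoted (uct="-") or bare (rt=0.002).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOG = [
    # Line from the article: 400 returned, no upstream fields populated.
    '[06/Nov/2025:08:22:49 +0000] "POST /api/v1/leads HTTP/1.1" 400 180 "-" "-" "-" '
    'rt=0.002 uct="-" uht="-" urt="-" ua="-" us="-" proto="TLSv1.2" '
    'cipher="ECDHE-RSA-AES256-GCM-SHA384"',
    # Constructed: request forwarded to an upstream and answered with 200.
    '[06/Nov/2025:08:25:10 +0000] "POST /api/v1/leads HTTP/1.1" 200 512 "-" "-" "-" '
    'rt=0.120 uct="0.004" uht="0.118" urt="0.118" ua="10.0.0.12:8081" us="200" '
    'proto="TLSv1.2" cipher="ECDHE-RSA-AES256-GCM-SHA384"',
    # Constructed: 400 produced by the upstream application, not by the DLB.
    '[06/Nov/2025:08:26:31 +0000] "POST /api/v1/leads HTTP/1.1" 400 96 "-" "-" "-" '
    'rt=0.045 uct="0.003" uht="0.044" urt="0.044" ua="10.0.0.12:8081" us="400" '
    'proto="TLSv1.2" cipher="ECDHE-RSA-AES256-GCM-SHA384"',
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if the layout differs."""
    m = HEAD_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    for key, quoted, bare in KV_RE.findall(line[m.end():]):
        rec[key] = quoted or bare
    return rec


def edge_rejections(lines):
    """Return parsed 400 records that never reached an upstream (us and urt are "-")."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 400 and rec.get("us") == "-" and rec.get("urt") == "-":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in edge_rejections(SAMPLE_LOG):
        print(rec["ts"], rec["request"], rec["proto"], rec["cipher"])
```

Records flagged this way are candidates for a client-certificate problem at the load balancer; a 400 with a populated `us` value came from the application and needs a different investigation.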

Resolution
1. Verify the client certificate being used. Ensure that the client is not sending an old certificate and that the new certificate chain includes the correct client certificate.
2. Use diagnostic commands to verify the certificates. Run the following commands to extract and verify the client certificate and certificate chain:
   openssl pkcs12 -in client.pfx -nokeys -out client-cert.pem
   openssl pkcs12 -in client.pfx -cacerts -nokeys -out ca-chain.pem
   openssl verify -CAfile ca-chain.pem client-cert.pem
3. Ensure that the root and intermediate certificates are trusted on the server side. This will allow the client certificate to complete the trust chain and enable the SSL handshake.
4. Refer to MuleSoft documentation for updating and validating certificates. Use the following links for guidance:
   https://docs.mulesoft.com/cloudhub/lb-cert-upload
   https://help.salesforce.com/s/articleView?id=001114888&type=1
   https://help.salesforce.com/s/articleView?id=001114868&type=1
   https://docs.mulesoft.com/cloudhub/lb-cert-validation
Knowledge Article Number

005228637

 