496 SSL Certificate Required
HTTP response status code 496 SSL Certificate Required is an unofficial client error specific to nginx. The server returns this code when the client does not present a required client certificate.
Usage
The 496 SSL Certificate Required status code indicates that the client sent an HTTP request without a client SSL certificate, yet the server requires one for the requested resource. The code is related to 400. To resolve the error, resubmit the request with a valid client certificate attached.
SEO impact
Search engines like Google do not index a URL with 496 SSL Certificate Required response status. URLs previously indexed with this code are removed from search results.
Example
A client sends a request to a resource requiring mutual TLS, but provides no client certificate. The nginx server responds with 496 SSL Certificate Required.
Request
GET /secure/internal HTTP/1.1
Host: www.example.re
Response
HTTP/1.1 496
Content-Type: text/html
Content-Length: 209

<html>
<head>
<title>SSL Certificate Required</title>
</head>
<body>
<p>A client certificate is required to access
this resource. Provide a valid certificate and
retry.</p>
</body>
</html>
The nginx error log records the missing certificate:
client sent no required SSL certificate
How to fix
The server expects a client certificate for mutual TLS (mTLS) and the client sent none. The fix depends on whether the client or server configuration needs to change.
Client-side fix
Install the required client certificate in the browser, operating system certificate store, or HTTP client library. For curl, pass the certificate and key:
curl --cert client.pem --key client-key.pem \
https://www.example.re/secure/internal
For browser access, import the .p12 or .pfx certificate bundle into the browser's certificate manager. The browser presents the certificate automatically during the TLS handshake when the server requests one.
Server-side fix
Check the ssl_verify_client directive. Three values control behavior:
# Reject if no cert (strict mTLS)
ssl_verify_client on;
# Accept with or without cert
ssl_verify_client optional;
# Accept with or without cert; a presented cert need not be signed by a trusted CA
ssl_verify_client optional_no_ca;
Setting the value to optional allows requests without certificates to proceed while still verifying certificates when presented. This is useful for endpoints serving both authenticated and anonymous traffic.
Verify the ssl_client_certificate directive points to a valid CA bundle file containing all trusted root and intermediate certificates:
ssl_client_certificate /etc/nginx/ca-chain.pem;
ssl_verify_client on;
Use error_page 496 to serve a helpful error page or redirect to a login page instead of the default nginx error:
error_page 496 =301 https://$host/login;
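With ssl_verify_client optional, nginx no longer rejects certificate-less requests itself, so any path that must stay behind mTLS needs its own check. The server block below is an added example, not configuration from nginx or from this page's site; the server certificate paths, the upstream address 127.0.0.1:8080 and the X-Client-* header names are assumptions.

```nginx
# Added example: mixed anonymous and mTLS-protected paths on one server.
server {
    listen 443 ssl;
    server_name www.example.re;

    ssl_certificate     /etc/nginx/server.pem;       # assumed path
    ssl_certificate_key /etc/nginx/server-key.pem;   # assumed path

    # CA bundle used to verify client certificates.
    ssl_client_certificate /etc/nginx/ca-chain.pem;
    # Verification depth of the client chain (nginx default is 1);
    # raised here for a chain that includes an intermediate CA.
    ssl_verify_depth 2;
    # Request a certificate, but let requests without one continue.
    ssl_verify_client optional;

    # Anonymous traffic: no certificate needed.
    location / {
        # Always set the header from nginx's own result so a
        # client-supplied copy never reaches the backend.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;            # assumed upstream
    }

    # Protected traffic: enforce the certificate here.
    # $ssl_client_verify is SUCCESS, FAILED:reason, or NONE (no cert sent).
    location /secure/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;            # assumed upstream
    }
}
```

In this layout a request to /secure/ without a certificate gets the 403 from the location check rather than a 496, because the server-level setting no longer requires a certificate.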
Takeaway
The 496 SSL Certificate Required status code is an nginx client error sent when the client submits a request without the required SSL certificate.
See also
- 400
- Google: HTTP status codes and network errors
- 495
- nginx ssl_module Error Processing
- HTTP status codes