TLS Troubleshooting
Solutions to common TLS issues when configuring Bindplane collector receivers.
Quick Diagnosis
Use this table to quickly identify your issue and jump to the solution:
Clients connect without certs (mTLS)
Using ca_file instead of client_ca_file
Common Issues and Solutions
Issue: Certificate and Key Do Not Match / Private Key Does Not Match Public Key
Error Messages:
"Certificate and key do not match"
"Private key does not match public key"
"TLS handshake error"
Cause:
The certificate and private key files don't correspond to the same keypair. This commonly happens when:
Using a certificate and key from different generation attempts
Accidentally swapping certificate/key file paths in the configuration
Using the wrong key file (e.g.,
newcert2025.keywitholdcert2024.crt)Using an intermediate/root CA certificate instead of the server certificate
Solution:
Step 1: Verify the files match
Method 1 - Compare public keys (recommended):
Method 2 - Compare modulus hashes:
Step 2: If they don't match
Check file naming - look for matching file names (e.g., if you have
bindplane-collector.crt, look forbindplane-collector.key)Verify you're using the leaf/server certificate, not an intermediate or root CA certificate
If no matching key exists, you'll need to either:
Locate the correct private key that was used to generate the CSR for this certificate
Generate a new private key and request a new certificate from your CA
For detailed verification steps, see Testing and Verification: Verify Certificate and Key Match.
Issue: Clients Report "Unknown CA" or Certificate Verification Errors
Error Messages (from clients):
"Unknown CA"
"Certificate verification failed"
"Unable to get issuer certificate"
"SSL certificate problem: unable to get local issuer certificate"
Cause:
The collector is not sending the complete certificate chain. Clients need the full chain from your server certificate up to a trusted root CA.
Solution:
Step 1: Obtain intermediate certificates
Get the intermediate certificate(s) from your Certificate Authority (CA).
Step 2: Create a fullchain certificate file
The certificate file must contain certificates in this order:
Server/leaf certificate (first)
Intermediate CA certificate(s)
Root CA (optional, clients usually have this)
The resulting file should look like:
Step 3: Update collector configuration
Step 4: Restart the collector
Certificate Order Matters
The order must be: leaf certificate first, then intermediate(s), optionally root CA last. Reverse order will cause verification failures.
For more details, see Certificate Requirements: Certificate Chain.
Issue: Collector Fails to Start with "Failed to Load TLS Cert and Key" or Similar Error
Error Messages:
"Failed to load TLS cert and key"
"TLS configuration error"
"Could not load certificate"
"Invalid key file"
Common Causes:
Private key file is encrypted (password-protected)
Certificate or key is in DER format instead of PEM
Certificate or key file is corrupted or malformed
Wrong file paths in configuration
File permission issues
Solution:
Step 1: Verify PEM format
Check if files are PEM format (should show BEGIN headers):
Step 2: Check if key is encrypted
Step 3: Decrypt if encrypted
Bindplane collectors do NOT support encrypted keys:
Step 4: Convert from DER to PEM if needed
Step 5: Verify file permissions
For detailed format requirements, see Certificate Requirements.
Issue: TLS Handshake Timeout or Connection Hangs
Symptoms:
Connection attempts hang or timeout
"TLS handshake timeout" errors
Connections drop during handshake
Cause:
Client and server TLS versions or cipher suites are incompatible.
Solution:
Step 1: Verify minimum TLS version compatibility
Check your collector configuration:
Older clients may only support TLS 1.0 or 1.1 (deprecated). Consider:
Upgrading clients to support TLS 1.2 or higher (recommended)
Temporarily lowering
min_versionfor compatibility (not recommended for production)
Step 2: Test with OpenSSL
Test which TLS versions work:
Step 3: Review cipher suite compatibility
If you've configured specific cipher suites, they may be incompatible with clients:
Recommendation
Use the default cipher suite list (don't specify cipher_suites) unless you have specific security requirements. The defaults are secure and broadly compatible.
Issue: Certificate Expired
Error Messages:
"Certificate has expired"
"Certificate is not yet valid"
"Certificate expired" (from clients)
Cause:
The server certificate has passed its expiration date or is not yet valid.
Solution:
Step 1: Check certificate expiration
Step 2: Obtain a renewed certificate
Contact your CA or certificate provider to renew your certificate.
Step 3: Update the certificate file
Replace the old certificate with the new one, ensuring you maintain the full certificate chain if applicable.
Step 4: Reload or restart the collector
If using reload_interval, the certificate will be automatically reloaded. Otherwise, restart the collector:
Best Practice
Use reload_interval to automatically reload certificates without restarting the collector. This enables seamless certificate rotation.
Issue: Trust Store Updates Don't Help Clients
Misconception: "I updated the collector's system trust store but clients still can't verify the certificate."
Explanation:
The collector's trust store only affects outbound connections the collector makes (e.g., to exporters). It does NOT affect:
What certificate the collector presents to clients
Whether clients can verify the collector's certificate
Solution:
To help clients verify the collector's certificate, you must update the cert_file with the proper certificate chain instead:
See Unknown CA above for details.
Mutual TLS (mTLS) Specific Issues
mTLS Issue: Client Certificate Required Errors
Error Messages (from clients):
"Certificate required"
"Handshake failure"
"TLS alert: certificate required"
Cause:
Client is not presenting a valid certificate when client_ca_file is configured on the collector.
Solution:
Step 1: Verify client is presenting a certificate
Test with OpenSSL:
Step 2: Ensure client certificate is signed by the trusted CA
Step 3: Check certificate expiration
For more mTLS troubleshooting, see Mutual TLS Guide: Troubleshooting.
mTLS Issue: Client Certificate Verification Fails
Error Messages (from clients):
"Bad certificate"
"Unknown ca"
"Certificate verification failed"
Cause:
The client CA file on the collector doesn't match the CA that signed the client certificate.
Solution:
Step 1: Verify the CA file contains the correct CA
Check that client_ca_file contains the CA that signed the client certificate:
Step 2: Verify the certificate chain
Step 3: If using intermediate CAs, include the full chain
The client_ca_file should contain the full CA chain if intermediates are involved:
mTLS Issue: Connections Accepted Without Client Certificates
Symptoms:
Clients without certificates can still connect
mTLS is not being enforced
No authentication is required
Cause:
Using ca_file instead of client_ca_file.
Solution:
Verify your configuration uses client_ca_file:
Important Difference
ca_fileprovides optional client verification - clients can connect with or without certificatesclient_ca_fileenforces mTLS - all clients must present valid certificates
For more details, see Mutual TLS Guide: Configuration Options.
Verification Commands Reference
Check Certificate/Key Match
Verify Certificate Chain
Test TLS Connection
Inspect Certificate Details
For more verification commands, see Testing and Verification.
When to Seek Further Help
If you've tried the solutions above and still have issues, gather this information before contacting support:
Collector Information:
Bindplane collector version
Operating system and version
Collector configuration (TLS section, with sensitive paths redacted)
Certificate Information:
Error Information:
Exact error messages from collector logs
Exact error messages from clients
When the issue started occurring
Any recent changes to certificates or configuration
Test Results:
Last updated
Was this helpful?