The certificate_unknown alert (TLS alert code 46) is the catch-all certificate alert: the peer sends it when a certificate is unacceptable for a reason that does not fit any of the more specific certificate alerts. It can mean that the certificate failed a custom validation policy, that the TLS implementation hit an unexpected condition while processing the certificate, or that the peer enforces implementation-specific restrictions that the certificate violates. Some stacks are also coarser than the specification: Java's JSSE, for example, reports most PKIX path-validation failures, including an untrusted root, as certificate_unknown rather than unknown_ca. Because the alert carries no reason, the side that sent it is the only place the actual cause is recorded; troubleshooting means checking that peer's logs where you have them, and otherwise examining the full certificate chain and comparing it against the peer's expected requirements.
The peer enforces validation rules beyond the standard X.509 path checks, for example specific Key Usage or Extended Key Usage values, embedded Signed Certificate Timestamps (SCTs) from Certificate Transparency (CT) logs, or organizational constraints such as an allow-list of acceptable issuers. The certificate is structurally valid and chains to a trusted root, but does not meet these extra requirements.
Some TLS implementations send certificate_unknown when the chain is incomplete (an intermediate is missing) or the certificates are sent in the wrong order (the leaf must come first, and each following certificate must certify the one before it). TLS 1.2 requires that strict order; TLS 1.3 permits clients to tolerate reordering, and many validators rebuild the path from whatever they receive, but some do not. A missing intermediate fails on any peer that does not fetch it itself, for example from the certificate's AIA URL.
The peer's TLS library hit an unexpected error during certificate processing and sent certificate_unknown as a fallback. This can happen with bugs in the TLS stack, memory errors, or a corrupt or empty trust store.
Retrieve and examine the entire chain the server presents. Verify that the chain is complete, that it is in the correct order (leaf first), and that each certificate is signed by the one that follows it, ending in a root the peer trusts. Servers normally omit the root itself; that is expected, because the peer must already hold it.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null 2>/dev/null
Check the certificate's extensions, particularly Key Usage, Extended Key Usage and Basic Constraints. A server leaf certificate normally needs digitalSignature (and keyEncipherment when RSA key exchange is in use) in Key Usage, serverAuth in Extended Key Usage, and CA:FALSE in Basic Constraints; some peers also reject any extension marked critical that they do not understand. Note that openssl x509 parses only the first certificate in the s_client output, which is the leaf.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A2 'Key Usage\|Basic Constraints'
Attempt the connection from different TLS clients (curl, wget, different browsers) to determine if the error is specific to one implementation or universal.
curl -vI https://yourdomain.com/ 2>&1 | grep -i 'ssl\|cert\|error'
Check whether the certificate carries embedded Signed Certificate Timestamps (SCTs), the proof that it was submitted to public CT logs. Some peers, Chrome for publicly trusted certificates among them, enforce CT and reject certificates without enough valid SCTs. SCTs can also be delivered in a TLS extension or in a stapled OCSP response, so a certificate with no embedded SCTs is not conclusive on its own.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A5 'CT Precertificate SCTs'
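The steps above carried out as one script. This is an added example, not code from the original page: it builds a constructed root/intermediate/leaf chain with openssl (the CA names and yourdomain.com are placeholders, not a real PKI), checks the wire order of a bundle, builds the verification path, inspects the extensions a strict peer cares about, and counts embedded SCTs. fetch_chain applies the same checks to a live server but is not run here. It assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a constructed three-tier
# chain with openssl, then runs the checks from the troubleshooting steps.
# Assumes openssl 1.1.1+ on PATH; "yourdomain.com" and the CA names are placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NEWKEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# --- Constructed sample PKI: root CA -> intermediate CA -> leaf ---
# issue_cert name subject [issuer]; extensions come from $WORK/name.ext; no issuer = self-signed
issue_cert() {
  openssl req -new $NEWKEY -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
      -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:yourdomain.com\n' > "$WORK/leaf.ext"
issue_cert root "Example Root CA"
issue_cert int  "Example Intermediate CA" root
issue_cert leaf "yourdomain.com" int

# Bundles as a server might send them: correctly ordered (leaf first) and misordered.
CHAIN_OK="$WORK/chain_ok.pem";   cat "$WORK/leaf.pem" "$WORK/int.pem" > "$CHAIN_OK"
CHAIN_BAD="$WORK/chain_bad.pem"; cat "$WORK/int.pem" "$WORK/leaf.pem" > "$CHAIN_BAD"

# Step 1 (live): capture the chain a server presents. Needs network; not run here.
fetch_chain() {  # usage: fetch_chain yourdomain.com > live_chain.pem
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Split a PEM bundle into cert01.pem, cert02.pem, ... preserving wire order.
split_bundle() {  # usage: split_bundle bundle.pem outdir
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", d, n) }
                 n > 0 { print > out }' "$1"
}

# Step 1 (order): 0 if each certificate after the first is the issuer of the one
# before it, 1 otherwise. Strict, like a peer that does not rebuild the path.
check_chain_order() {
  dir=$(mktemp -d); split_bundle "$1" "$dir"; prev_issuer=""; rc=0
  for f in "$dir"/cert*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253); subj=${subj#subject=}
    issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253); issuer=${issuer#issuer=}
    if [ -n "$prev_issuer" ] && [ "$subj" != "$prev_issuer" ]; then rc=1; fi
    prev_issuer=$issuer
  done
  rm -rf "$dir"; return $rc
}

# Step 1 (completeness/signatures): build the path from the leaf through the bundle
# to a trust anchor. openssl verify treats -untrusted as an unordered pool, so it
# tolerates misordering but fails when an intermediate is missing.
verify_leaf() {  # usage: verify_leaf anchors.pem bundle.pem leaf.pem
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then return 0; else return 1; fi
}

# Step 2: show the extensions a strict peer inspects, and test for a specific value.
show_extensions() { openssl x509 -in "$1" -noout -ext basicConstraints,keyUsage,extendedKeyUsage; }
cert_has_ext_value() {  # usage: cert_has_ext_value cert.pem keyUsage "Digital Signature"
  openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null | grep -q "$3"
}

# Step 4: count embedded SCTs. 0 is expected for this private chain. SCTs delivered
# via the TLS extension or stapled OCSP are not visible in the certificate itself.
embedded_sct_count() {
  openssl x509 -in "$1" -noout -text | grep -c 'Signed Certificate Timestamp' || true
}

for b in "$CHAIN_OK" "$CHAIN_BAD"; do
  if check_chain_order "$b"; then echo "order ok:   $b"; else echo "misordered: $b"; fi
  if verify_leaf "$WORK/root.pem" "$b" "$WORK/leaf.pem"; then echo "path ok:    $b"; else echo "no path:    $b"; fi
done
show_extensions "$WORK/leaf.pem"
echo "embedded SCTs in leaf: $(embedded_sct_count "$WORK/leaf.pem")"
```

check_chain_order is deliberately stricter than openssl verify: verify passes the misordered bundle because it rebuilds the path from a pool, which mirrors the split between tolerant and strict peers described under the causes above, while a bundle with no intermediate fails both. On a live chain, run fetch_chain into a file and point the same functions at it, and compare the SCT count against what the rejecting peer requires.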
bad_certificate (alert 42): a certificate in the TLS handshake was corrupt, carried an invalid signature, or could not be parsed.
unsupported_certificate (alert 43): the certificate type is not supported by the TLS implementation or does not meet the required criteria.
unknown_ca (alert 48): the chain could not be validated because the root CA, or the intermediate needed to reach it, is not in the peer's trust store.
certificate_revoked (alert 44): the peer determined that the presented certificate has been revoked by its issuing Certificate Authority.