mTLS Client Certificate Error — Fix (2026)

Q: Prevention

Add this to your CLAUDE.md: # mTLS Configuration - Client cert and key paths must be configured for corporate mTLS proxies. - Store cert files outside the repo. Reference by absolute path. - Verify cert/key pair match before configuring: openssl x509 -modulus vs openssl rsa -modulus.

Last updated: April 20, 2026

The Error

Error: SSL routines:ssl3_read_bytes:tlsv13 alert certificate required
  code: 'ERR_SSL_TLSV13_ALERT_CERTIFICATE_REQUIRED'
  The server requires a client certificate for mutual TLS authentication.

This error occurs when the API server or a network device requires mutual TLS (mTLS) authentication — the client must present a certificate, not just validate the server’s.

The Fix

Configure Node.js with your client certificate:

export NODE_EXTRA_CA_CERTS=/path/to/ca.pem
export NODE_TLS_CLIENT_CERT=/path/to/client.pem
export NODE_TLS_CLIENT_KEY=/path/to/client-key.pem

If using the Python SDK with mTLS:

import httpx
import anthropic
http_client = httpx.Client(
    cert=("/path/to/client.pem", "/path/to/client-key.pem"),
    verify="/path/to/ca.pem"
)
client = anthropic.Anthropic(http_client=http_client)

For the Node.js SDK:

const https = require('https');
const fs = require('fs');
const agent = new https.Agent({
  cert: fs.readFileSync('/path/to/client.pem'),
  key: fs.readFileSync('/path/to/client-key.pem'),
  ca: fs.readFileSync('/path/to/ca.pem')
});

Verify the mTLS connection:

curl --cert /path/to/client.pem --key /path/to/client-key.pem \
  https://api.anthropic.com/v1/messages -v 2>&1 | grep "SSL"

Why This Happens

Mutual TLS requires both the server and client to present certificates during the TLS handshake. Some corporate environments enforce mTLS as a zero-trust security measure. The Anthropic API itself does not require mTLS, but a corporate API gateway or proxy in front of it may. Without the client certificate, the server rejects the connection during the handshake.

If That Doesn’t Work

Check if the client cert is in the correct format:

openssl x509 -in /path/to/client.pem -noout -text | head -15

Verify the key matches the cert:

openssl x509 -noout -modulus -in client.pem | md5
openssl rsa -noout -modulus -in client-key.pem | md5
# Both should output the same hash

If the cert is in PKCS12 format, convert it:

openssl pkcs12 -in client.p12 -out client.pem -clcerts -nokeys
openssl pkcs12 -in client.p12 -out client-key.pem -nocerts -nodes

Prevention

Add this to your CLAUDE.md:

# mTLS Configuration
- Client cert and key paths must be configured for corporate mTLS proxies.
- Store cert files outside the repo. Reference by absolute path.
- Verify cert/key pair match before configuring: openssl x509 -modulus vs openssl rsa -modulus.

This fix also applies if you see variations of this error:

Connection or process errors with similar root causes in the same subsystem
Timeout variants where the operation starts but does not complete
Permission variants where access is denied to the same resource
Configuration variants where the same setting is missing or malformed

If your specific error message differs slightly from the one shown above, the fix is likely the same. The key indicator is the operation that failed (shown in the stack trace) rather than the exact wording of the message.

Frequently Asked Questions

Does this error affect all operating systems?

This error can occur on macOS, Linux, and Windows (WSL). The exact error message may differ slightly between platforms, but the root cause and fix are the same. macOS users may see additional Gatekeeper or notarization prompts. Linux users should check that the relevant system packages are installed. Windows users should ensure they are running inside WSL2, not native Windows.

Will this error come back after updating Claude Code?

Updates can occasionally reintroduce this error if the update changes default configurations or dependency requirements. After updating Claude Code, verify your project still builds and runs correctly. If the error returns, reapply the fix and check the changelog for breaking changes.

Can this error cause data loss?

No, this error occurs before or during an operation and does not corrupt existing files. Claude Code’s edit operations are atomic — they either complete fully or not at all. However, if the error occurs during a multi-step operation, you may have partial changes that need to be reviewed with git diff before continuing.

How do I report this error to Anthropic if the fix does not work?

Open an issue at github.com/anthropics/claude-code with: (1) the full error message including stack trace, (2) your Node.js version (node --version), (3) your Claude Code version (claude --version), (4) your operating system and version, and (5) the command or operation that triggered the error.

Try it: Paste your error into our Error Diagnostic for an instant fix.