TLS certificate errors — debugging SSL handshake failures
SSL handshake, certificate expired, self-signed, intermediate certificate, openssl s_client, CERT_HAS_EXPIRED
nodejs, python, linux
Error Messages
Problem
HTTPS connections fail with certificate errors: expired, self-signed, hostname mismatch, or incomplete chain. The same URL works in a browser but fails in code, or works on one machine but not another.
Solution
(1) Check certificate: openssl s_client -connect host:443 -servername host shows the full chain and any errors.
(2) Expired: renew the certificate. Automate with certbot/Let's Encrypt.
(3) Hostname mismatch: CN or SAN must match the requested hostname exactly (or use wildcard *.example.com).
(4) Incomplete chain: server must send the full chain (leaf + intermediate). Missing intermediate cert is the most common cause of 'works in browser, fails in code': browsers cache intermediates, code doesn't.
(5) Self-signed in dev: add CA cert to trust store, or set NODE_TLS_REJECT_UNAUTHORIZED=0 (dev only!). That variable turns off certificate verification for every TLS connection the Node.js process makes.
(6) Certificate transparency: check crt.sh for your domain's certificates.
(7) Python requests: install certifi package for up-to-date CA bundle.
Why
TLS verification checks three things: the certificate is valid (not expired), the hostname matches, and the chain leads to a trusted CA. Code libraries are strict about all three; browsers are more lenient with chain completion.
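Added example, not part of the original entry: a Python sketch that attempts a fully verified handshake and maps the OpenSSL verify code it gets back to the causes in the Solution list. The names classify and diagnose and the fix strings are assumptions of this example; the numeric codes are OpenSSL's X509_V_ERR_* values.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes -> (cause, fix), using the causes from the Solution list.
CAUSES = {
    9: ("not yet valid", "check the client clock against the cert's notBefore"),
    10: ("expired", "renew the certificate (CERT_HAS_EXPIRED)"),
    18: ("self-signed", "add the CA cert to the trust store"),
    19: ("self-signed", "add the private root CA to the trust store"),
    20: ("incomplete chain", "server must send leaf + intermediate, or the "
         "local CA bundle is stale"),
    21: ("incomplete chain", "server must send leaf + intermediate"),
    62: ("hostname mismatch", "SAN must cover the requested hostname"),
}


def classify(code, message=""):
    """Map an OpenSSL verify code to a cause and a fix."""
    cause, fix = CAUSES.get(code, ("other", "inspect with openssl s_client"))
    return {"code": code, "cause": cause, "fix": fix, "detail": message}


def diagnose(host, port=443, timeout=5.0, cafile=None):
    """Attempt a fully verified handshake and report why it failed, if it did."""
    ctx = ssl.create_default_context(cafile=cafile)  # verification stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"code": 0, "cause": "ok", "fix": "",
                        "detail": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code, exc.verify_message)
    except OSError as exc:  # refused, timeout, DNS, non-certificate TLS errors
        return {"code": None, "cause": "connection", "fix": "check host/port",
                "detail": str(exc)}


if __name__ == "__main__":
    # Constructed samples: (verify_code, verify_message) pairs as the ssl
    # module would report them; no network access is needed for this part.
    for code, msg in [(10, "certificate has expired"),
                      (20, "unable to get local issuer certificate"),
                      (62, "Hostname mismatch")]:
        print(classify(code, msg))
```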