# tls: first record does not look like a TLS handshake

- **ID:** `go/tls-handshake-error-certificate-signed-by-unknown-authority`
- **Domain:** go
- **Category:** network_error
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

The server is not speaking TLS on the expected port, often because it's using plain HTTP or a different protocol, or the client is connecting to the wrong port.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| go1.20 | active | — | — |
| go1.21 | active | — | — |
| go1.22 | active | — | — |
| go1.23 | active | — | — |

## Workarounds

1. **Verify the server's protocol: use `curl -v http://host:port` to check if it's plain HTTP, then switch to `http://` instead of `https://`** (95% success)
   ```
   curl -v http://host:port
   ```
2. **If the server uses a non-standard TLS port, configure the correct port in the URL** (85% success)
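
A programmatic version of the protocol check in workaround 1, as an added example that is not part of the original entry: Go's `crypto/tls` reports this failure as a `tls.RecordHeaderError`, whose `RecordHeader` field holds the first five bytes the peer sent, so they can be inspected directly. The names `classify`, `diagnose`, `fakePlainHTTP` and the host `example.internal` are hypothetical, and the plaintext server is a constructed in-memory stand-in.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// classify names the protocol suggested by the five bytes received where a TLS record header was expected.
func classify(hdr [5]byte) string {
	switch {
	case bytes.HasPrefix(hdr[:], []byte("HTTP/")):
		return "plain HTTP response: use http:// or the server's TLS port"
	case bytes.HasPrefix(hdr[:], []byte("SSH-")):
		return "SSH banner: wrong port"
	}
	return fmt.Sprintf("unrecognized first bytes %q", hdr[:])
}

// diagnose runs a TLS client handshake over conn with certificate verification left on.
func diagnose(conn net.Conn, serverName string) string {
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	err := tls.Client(conn, &tls.Config{ServerName: serverName}).Handshake()
	var rhe tls.RecordHeaderError
	if errors.As(err, &rhe) {
		return classify(rhe.RecordHeader)
	}
	if err != nil {
		return "handshake failed for another reason: " + err.Error()
	}
	return "TLS handshake succeeded"
}

// fakePlainHTTP is a constructed stand-in for a plaintext HTTP server on an in-memory pipe.
func fakePlainHTTP() net.Conn {
	client, server := net.Pipe()
	go io.Copy(io.Discard, server) // swallow the ClientHello
	go server.Write([]byte("HTTP/1.1 400 Bad Request\r\n\r\n"))
	return client
}

func main() {
	fmt.Println(diagnose(fakePlainHTTP(), "example.internal"))
}
```

Against a real endpoint, pass the connection returned by `net.Dial("tcp", "host:port")` to `diagnose` in place of the in-memory pipe.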

## Dead Ends

- **Adding `InsecureSkipVerify: true` to the TLS config** — This only skips certificate verification, not the protocol mismatch; the server still doesn't speak TLS. (95% fail)
- **Setting a custom `RootCAs` pool** — Certificate authority configuration doesn't fix the fundamental protocol issue. (90% fail)
- **Using a different TLS version like TLS 1.3** — The error is about the initial handshake record, not the version negotiation. (85% fail)
