# tls: first record does not look like a TLS handshake

- **ID:** `go/tls-handshake-error-certificate-signed-by-unknown-authority`
- **Domain:** go
- **Category:** network_error
- **Verification level:** ai_generated
- **Fix rate:** 88%

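## Root cause

The server is not speaking TLS on the expected port, usually because it uses plain HTTP or another protocol, or because the client connected to the wrong port.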

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| go1.20 | active | — | — |
| go1.21 | active | — | — |
| go1.22 | active | — | — |
| go1.23 | active | — | — |

## Solutions

1. Verify the server's protocol: run `curl -v http://host:port` to check whether it is plain HTTP, then switch to `http://` instead of `https://`.
2. If the server uses a non-standard TLS port, configure the correct port in the URL.
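The check in step 1 can also be made from Go itself: `crypto/tls` reports this failure as a `tls.RecordHeaderError` whose `RecordHeader` field holds the first five bytes the peer sent. The following is an added example, not code from the original page; `classify` and `probe` are hypothetical names, the peer is a constructed in-memory connection, `example.test` is a placeholder, and the SSH and generic cases go beyond the plain-HTTP case the page describes.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"fmt"
	"net"
)

// classify maps a handshake error to what the peer actually sent first.
func classify(err error) string {
	var rhe tls.RecordHeaderError
	switch {
	case err == nil:
		return "tls"
	case !errors.As(err, &rhe):
		return "other-error" // e.g. certificate or timeout problems
	case bytes.HasPrefix(rhe.RecordHeader[:], []byte("HTTP/")):
		return "plaintext-http"
	case bytes.HasPrefix(rhe.RecordHeader[:], []byte("SSH-")):
		return "ssh-banner"
	}
	return "non-tls"
}

// probe runs a TLS client handshake against a constructed in-memory peer
// that ignores the ClientHello and answers with the given cleartext bytes.
func probe(reply string) string {
	cli, srv := net.Pipe()
	defer cli.Close()
	go func() {
		defer srv.Close()
		buf := make([]byte, 32<<10)
		srv.Read(buf) // consume the ClientHello
		srv.Write([]byte(reply))
	}()
	// ServerName is a placeholder; no certificate is ever presented here.
	err := tls.Client(cli, &tls.Config{ServerName: "example.test"}).Handshake()
	return classify(err)
}

func main() {
	// Constructed sample replies from non-TLS services.
	for _, r := range []string{"HTTP/1.1 400 Bad Request\r\n\r\n", "SSH-2.0-demo\r\n", "220 mail ready\r\n"} {
		fmt.Printf("%q -> %s\n", r, probe(r))
	}
}
```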

## Ineffective attempts

- **Adding `InsecureSkipVerify: true` to the TLS config** — This only skips certificate verification; it does not address the protocol mismatch, because the server still doesn't speak TLS. (95% failure rate)
- **Setting a custom `RootCAs` pool** — Certificate authority configuration doesn't fix the fundamental protocol issue. (90% failure rate)
- **Using a different TLS version like TLS 1.3** — The error is about the initial handshake record, not the version negotiation. (85% failure rate)
