# Error: tls: first record does not look like a TLS handshake

- **ID:** `kubernetes/ingress-ssl-certificate-mismatch`
- **Domain:** kubernetes
- **Category:** network_error
- **Verification:** ai_generated
- **Fix Rate:** 78%

## Root Cause

The Ingress TLS configuration points to a Secret that contains non-TLS data (e.g., plain text or the wrong format), or the certificate is invalid.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| nginx-ingress-controller v1.10 | active | — | — |
| nginx-ingress-controller v1.11 | active | — | — |
| Kubernetes v1.28 | active | — | — |

## Workarounds

1. **Verify the secret content and ensure it contains a valid PEM certificate.** (85% success)
   ```
   kubectl get secret <tls-secret> -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout
   ```
2. **Recreate the secret with the correct certificate and key, then update the Ingress to reference it.** (90% success)
   ```
   kubectl create secret tls <secret-name> --cert=path/to/cert.pem --key=path/to/key.pem
   ```
3. **Check the Ingress controller logs for the detailed error, then fix the certificate chain or secret name.** (80% success)
   ```
   kubectl logs -n ingress-nginx <controller-pod> | grep 'tls'
   ```
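
The checks from workarounds 1 and 2 as one script, extended to confirm that `tls.key` belongs to `tls.crt` and that the certificate has not expired. This is an added example, not part of the original entry; the function names (`check_tls_pair`, `check_secret`, `make_pair`) and the self-signed demo pair are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: validate the contents of a kubernetes.io/tls Secret.

# check_tls_pair CERT KEY: prints one status word; returns 0 only for a usable pair.
check_tls_pair() {
  local crt="$1" key="$2" crt_pub key_pub
  # tls.crt must parse as a PEM X.509 certificate (plain text fails here).
  openssl x509 -in "$crt" -noout 2>/dev/null || { echo "bad-cert"; return 1; }
  # tls.key must parse as a private key.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "bad-key"; return 1; }
  # The key must belong to the certificate: compare the two public keys.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  [ "$crt_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
  # -checkend 0 fails when notAfter is already in the past.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || { echo "expired"; return 1; }
  echo "ok"
}

# check_secret NAMESPACE SECRET: fetch both fields of a live Secret and check them.
check_secret() {
  local d rc=0
  d=$(mktemp -d) || return 1            # mktemp -d creates a 0700 directory
  kubectl get secret "$2" -n "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$d/tls.crt"
  kubectl get secret "$2" -n "$1" -o jsonpath='{.data.tls\.key}' | base64 -d > "$d/tls.key"
  check_tls_pair "$d/tls.crt" "$d/tls.key" || rc=$?
  rm -rf "$d"                           # do not leave the private key on disk
  return "$rc"
}

# make_pair PREFIX: constructed test data, a throwaway self-signed pair.
make_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Offline demo on constructed files: a valid pair, then a plain-text "certificate".
demo=$(mktemp -d)
make_pair "$demo/good"
printf 'not a certificate\n' > "$demo/text.crt"
check_tls_pair "$demo/good.crt" "$demo/good.key"
check_tls_pair "$demo/text.crt" "$demo/good.key" || true
rm -rf "$demo"
```

Against a cluster, call `check_secret <namespace> <tls-secret>`; a `key-mismatch` or `bad-key` result is a failure that the certificate-only check in workaround 1 cannot reveal.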

## Dead Ends

- **Restart nginx-ingress-controller pod** — Restarting does not fix incorrect secret data; the same invalid cert will be loaded again. (90% fail)
- **Change TLS port from 443 to 8443 in Ingress spec** — Port change does not fix the underlying certificate format issue. (95% fail)
- **Delete and recreate the Ingress resource** — Recreating Ingress uses same secret reference; problem persists. (85% fail)
