TLS handshake failed on grpc.subglow.io

The TCP socket opened but TLS negotiation failed. The usual cause is a stale root CA bundle inside a Docker image, a missing SNI extension, or a corporate MITM proxy intercepting the connection and presenting its own certificate.

Root causes

Ranked by frequency. The first cause is the one to check first.

  1. Alpine-based Docker image missing the `ca-certificates` package.
  2. Out-of-date OS root store (Ubuntu 18.04 or older).
  3. Corporate proxy (Zscaler, Palo Alto) intercepting TLS and presenting its own cert: common on dev laptops, never on server deploys.
  4. Client sending ALPN `h2` but an intermediate LB terminating with ALPN `http/1.1`, which causes TLS to succeed and then gRPC to fail immediately.
  5. SNI not set. Very rare, but some custom gRPC clients forget to send SNI and the provider serves the wrong certificate.

Fix steps

  1. Install ca-certificates in Docker

    Add `RUN apk add --no-cache ca-certificates` to Alpine-based Dockerfiles, or `RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates` on Debian.

  2. Test with curl first

    Run `curl -v https://grpc.subglow.io:443`. If curl fails the TLS handshake on the same machine, fix the OS cert store. If curl succeeds but your Go/Rust binary fails, it's a language-specific root bundle issue.

  3. Disable custom TLS verification in dev only

    Never disable cert verification in production. In dev, for fast diagnosis, Rust's tonic accepts `ClientTlsConfig::new().insecure(true)` — if that works, you've confirmed it's a CA issue, not a protocol mismatch.
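
The root-cause list can also be checked from a Go client without turning verification off. The following is an added example, not code from Subglow or from this page: it does one verified handshake with SNI set and both ALPN values offered, then maps the result to the causes above. The `cause*` labels and the `classify` and `probe` names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// Cause labels are hypothetical names for this example, not Subglow or Go identifiers.
const (
	causeNone      = "ok"
	causeUntrusted = "untrusted-issuer"  // missing or stale roots, or an intercepting proxy
	causeHostname  = "hostname-mismatch" // wrong certificate served: check that SNI is sent
	causeALPN      = "alpn-not-h2"       // TLS succeeded but the far end did not select h2
	causeOther     = "other"
)

// classify maps a handshake outcome to a cause label and a detail string.
func classify(err error, alpn string) (string, string) {
	var ua x509.UnknownAuthorityError
	var he x509.HostnameError
	switch {
	case errors.As(err, &ua) && ua.Cert != nil:
		// A public CA name points at the local root store; a company or proxy name at interception.
		return causeUntrusted, "issuer: " + ua.Cert.Issuer.String()
	case errors.As(err, &ua):
		return causeUntrusted, "issuer not reported"
	case errors.As(err, &he):
		return causeHostname, "certificate is not valid for " + he.Host
	case err != nil:
		return causeOther, err.Error()
	case alpn != "h2":
		return causeALPN, fmt.Sprintf("negotiated ALPN %q", alpn)
	}
	return causeNone, "chain verified, ALPN h2"
}

// probe does one fully verified handshake, sending SNI and offering both ALPN values.
func probe(host string) (string, string) {
	cfg := &tls.Config{ServerName: host, NextProtos: []string{"h2", "http/1.1"}}
	conn, err := tls.Dial("tcp", host+":443", cfg)
	if err != nil {
		return classify(err, "")
	}
	defer conn.Close()
	return classify(nil, conn.ConnectionState().NegotiatedProtocol)
}

func main() { fmt.Println(probe("grpc.subglow.io")) }
```

Run it once on the host and once inside the container image: a different result between the two points at the image's root store rather than the network path.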
