
POOL_TLS_FAIL Warning

Pool SSL/TLS Handshake Failed — Certificate Errors

Pool SSL/TLS Handshake Failed — miner connects on the TLS port but the handshake aborts before any share is submitted. Causes: stale CA bundle, cipher mismatch, missing SNI, expired/self-signed cert, OCSP timeout, clock skew, or upstream TLS-inspection MITM.

Warning — Should be addressed soon

Affected Models: All ASIC families (Antminer S9/S17/S19/S21 series, Whatsminer M30/M50/M60 series, Avalon 1166-1566, Iceriver KS series, Goldshell, Volcminer D1) plus all Bitaxe variants (Supra, Ultra, Hex, Gamma, GT, Max) and the Nerd open-source family (NerdMiner, NerdAxe, NerdQAxe, NerdNOS, NerdOctaxe, PiAxe, StealthMiner)

Symptoms

  • Pool URL uses `stratum+ssl://`, `:443`, `:4444`, `:3443`, or other TLS-wrapped port
  • Miner log: `mbedtls_ssl_handshake returned -0x2700` or any negative `0x____` mbedTLS code
  • Log line `SSL_ERROR_BAD_CERT_DOMAIN`, `SSL_ERROR_HANDSHAKE_FAILURE_ALERT`, `SSL_ERROR_RX_RECORD_TOO_LONG`, or similar
  • Log line `x509: certificate has expired or is not yet valid` or `unable to get local issuer certificate`
  • TCP connects then `Connection reset by peer` within 1-2 seconds, before any share is submitted
  • Bitaxe AxeOS dashboard shows `Pool 1: Disconnected` despite functional Wi-Fi traffic
  • Antminer kernel log: `cgminer: pool 0 connection failed: SSL_connect failed`
  • Whatsminer log: `WMC connect to pool failed (errno=…)` only on the stratum+ssl URL
  • Plaintext stratum (`:3333`) on the same hostname works fine; only the SSL port fails
  • Pool dashboard shows zero accepted shares for 10+ minutes despite normal local hashrate
  • Issue began the day after a firmware update or pool TLS-endpoint migration
  • `openssl s_client` from a workstation on the same LAN succeeds — only the miner can't

Step-by-Step Fix

1

Switch the miner to plaintext stratum as an emergency measure. Replace `stratum+ssl://pool.example.com:443` with `stratum+tcp://pool.example.com:3333` (Solo CKpool: `:3333`, Public-Pool: `:21496`, Braiins: `:3333`/`:3334`). Save, reboot. This buys working hashrate while you fix TLS — but plaintext exposes you to share-redirection attacks, so don't leave it that way long-term.

2

Hard power-cycle the miner at the breaker for 30 seconds. Some firmware caches a failed TLS session and refuses to retry cleanly until a full reset. Surprisingly common fix on Bitaxe, NerdMiner, and older stock Antminer firmware after a network blip.

3

Force NTP sync and verify the system clock. SSH or open the dashboard, check `date` (or the home-page time). If wrong, set NTP to `pool.ntp.org` or `time.cloudflare.com` explicitly, set the timezone, reboot. A miner with a 1970-01-01 clock fails every TLS handshake on the planet — every cert looks `not yet valid`.

4

Update miner firmware to the latest stable. Antminer: flash DCENT_OS — D-Central's open-source Antminer firmware, modern mbedTLS, current Mozilla CA roots, maintained in public. Alternatives: Braiins OS+, LuxOS, Vnish. Whatsminer: update via MinerTool to the 2024+ build. Bitaxe: flash AxeOS 2.4.x or later via the web flasher. Nerd family: flash latest from each project's GitHub.

5

After firmware update, switch the pool URL back to `stratum+ssl://` and reboot. Watch the log for the first 60 seconds. If TLS now connects and shares submit, the old CA bundle was the problem — you're done.

6

DNS sanity check from a laptop on the same LAN: `nslookup pool.example.com 1.1.1.1` and `nslookup pool.example.com 8.8.8.8`. Both should return the same set of IPs (a pool behind geo-DNS or a CDN may legitimately return overlapping rather than identical sets, so compare against both public resolvers, not just one). If your router's DNS returns IPs that neither public resolver returned, your ISP is intercepting DNS — switch the miner's DNS to `1.1.1.1` directly via DHCP or static config.

7

Run `openssl s_client -connect pool.example.com:443 -servername pool.example.com -showcerts < /dev/null` from a workstation, once with `-tls1_2` and once with `-tls1_3` added (a TLS 1.3 suite such as `TLS_AES_128_GCM_SHA256` can only appear in the `-tls1_3` run; a miner whose mbedTLS build lacks TLS 1.3 needs the `-tls1_2` run to succeed). Verify `Verify return code: 0 (ok)`, valid cert dates, and a modern cipher (`TLS_AES_128_GCM_SHA256`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-CHACHA20-POLY1305`). If openssl can't connect either, talk to the pool operator.
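The check above, and the clock-skew check from step 3, can be run as one script. This is an added example, not code from the original page or from D-Central: it wraps `openssl s_client` four ways (TLS 1.2 / TLS 1.3, SNI sent / SNI withheld), reduces each run to one line, and maps OpenSSL's verify code to the causes listed in the symptoms (stale CA bundle, clock skew, missing SNI, cipher mismatch). It assumes OpenSSL 1.1.1 or newer on the workstation (for `-tls1_3`, `-noservername` and `-verify_hostname`); `pool.example.com:443` is the page's placeholder pool, and the two sample outputs embedded for offline use are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not code from the original page or from D-Central.
# Assumes OpenSSL 1.1.1+ on the workstation; pool.example.com:443 is the
# page's placeholder pool and SAMPLE_OK / SAMPLE_NOCA below are constructed.

# Reduce raw s_client output on stdin to: verify=<code> proto=<ver> cipher=<suite>
summarize_s_client() {
    awk '
        /^Verify return code:/ { code = $4 }
        /^ *Protocol *:/       { proto = $NF }
        /^ *Cipher *:/         { cipher = $NF }
        END {
            if (code == "")   code = "none"
            if (proto == "")  proto = "none"
            if (cipher == "") cipher = "none"
            printf "verify=%s proto=%s cipher=%s\n", code, proto, cipher
        }'
}

# Translate one summary line into the page's root causes (OpenSSL X509 verify codes).
diagnose() {
    case "$1" in
        *"cipher=0000")               echo "no cipher agreed: TLS version/cipher mismatch (try the other -tls1_x run)" ;;
        "verify=0 "*)                 echo "handshake ok" ;;
        "verify=9 "*)                 echo "cert not yet valid: check the miner clock (step 3)" ;;
        "verify=10 "*)                echo "cert expired: pool-side, or the miner clock is far behind" ;;
        "verify=18 "*|"verify=19 "*)  echo "self-signed cert in chain: no CA bundle can validate it" ;;
        "verify=20 "*|"verify=21 "*)  echo "issuer not in CA bundle: update firmware/CA roots (step 4)" ;;
        "verify=62 "*)                echo "hostname mismatch: SNI missing or wrong (step 8)" ;;
        "verify=none "*)              echo "no TLS session: port closed, plaintext port, or reset" ;;
        *)                            echo "verify error, see verify(1ssl): $1" ;;
    esac
}

# Live probe: four combinations against host:port, then the cert validity window
# next to the workstation's UTC clock (a miner clock outside that window fails step 3).
tls_probe() {
    host=$1; port=${2:-443}
    for ver in -tls1_2 -tls1_3; do
        for sni in "-servername $host" "-noservername"; do
            # $sni is intentionally unquoted so the flag and its value split into two words
            out=$(openssl s_client -connect "$host:$port" $sni -verify_hostname "$host" \
                      "$ver" </dev/null 2>/dev/null | summarize_s_client)
            printf '%-8s %-28s %s -> %s\n' "$ver" "$sni" "$out" "$(diagnose "$out")"
        done
    done
    echo "workstation UTC now: $(date -u '+%Y-%m-%d %H:%M:%S')"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
}

# Constructed s_client excerpts (not real captures) so the parser can be exercised offline.
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = pool.example.com
verify return:1
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

SAMPLE_NOCA='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
Verify return code: 20 (unable to get local issuer certificate)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

demo() {
    for s in "$SAMPLE_OK" "$SAMPLE_NOCA"; do
        line=$(printf '%s\n' "$s" | summarize_s_client)
        printf '%s -> %s\n' "$line" "$(diagnose "$line")"
    done
}

# Usage: sh tls_probe.sh pool.example.com 443   (no arguments: run the offline demo)
if [ $# -gt 0 ]; then tls_probe "$@"; else demo; fi
```

Reading the four rows together is the point: success only with `-servername` means the miner is not sending SNI; success only with `-tls1_3` means the miner's mbedTLS build is too old for the pool; a verify code of 9 or 10 with the workstation clock inside the printed `notBefore`/`notAfter` window means the miner's clock, not the pool, is wrong.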

8

Hard-code the pool's resolved IP into the miner config. Take the IP from Step 6, replace the hostname in the pool URL with the IP. On firmware that exposes SNI explicitly, set SNI to the original hostname so the cert validates. On firmware that doesn't expose SNI, this trick won't work — go to Tier 3.

9

Try alternate TLS ports. Most pools publish multiple — `:443`, `:4444`, `:3443` — sometimes on different hardware with different cert configs. If `:443` fails, try `:4444`. If both fail, the pool's TLS config is uniformly bad for your miner, not a port-specific issue.

10

Disable IPv6 on the miner. A miner with broken IPv6 connectivity tries IPv6 first, hangs the TLS handshake, then falls back to IPv4 too late. On Bitaxe specifically, this is a known cause of `mbedtls_ssl_handshake returned -0x004C` (network unreachable mid-handshake). Set network mode to IPv4-only in the dashboard.

11

Tether the miner through a phone hotspot for 10 minutes. If TLS now works, your home/office network has a captive portal, corporate firewall, or ISP TLS-inspection box. The fix is network-side, not miner-side — get on a clean residential connection or run an LTE backup.

12

Run a local stratum proxy that terminates TLS. On a Raspberry Pi 4, install nginx with the `stream` module: listen on plaintext `:3333` and `proxy_pass pool.example.com:443;` with `proxy_ssl on; proxy_ssl_server_name on; proxy_ssl_name pool.example.com; proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (nginx does not verify the upstream certificate unless `proxy_ssl_verify on` is set, so leaving it out quietly reintroduces the MITM exposure the TLS port was meant to remove). Or HAProxy in `mode tcp` with `server pool pool.example.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(pool.example.com)`. Point fleet miners at `stratum+tcp://your-pi.local:3333`; the miner-to-Pi leg is plaintext, so keep the Pi on the same LAN segment as the miners.
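The proxy from this step, written out in full. This is an added example, not code from the original page or from D-Central: it renders the nginx `stream` block and the HAProxy `listen` block with upstream certificate verification switched on, and includes a small audit that flags an nginx config whose upstream leg does not verify the pool. Assumed values: `pool.example.com:443` (the page's placeholder), plaintext listen port 3333, and the Debian / Raspberry Pi OS CA bundle path; the weak snippet it audits is constructed to show the failure mode.

```shell
#!/bin/sh
# Added example, not code from the original page or from D-Central.
# Assumes pool.example.com:443 (page placeholder), listen port 3333 and the
# Debian CA bundle path; WEAK_SNIPPET below is constructed.

CA_BUNDLE=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# nginx: this block goes at the top level of nginx.conf (beside http {}, not inside it).
render_nginx_stream() {
    pool_host=$1; pool_port=${2:-443}; listen_port=${3:-3333}
    cat <<EOF
stream {
    upstream pool_tls {
        server ${pool_host}:${pool_port};
    }
    server {
        listen ${listen_port};                 # miners use stratum+tcp://<pi>:${listen_port}
        proxy_pass pool_tls;
        proxy_ssl on;                          # TLS on the upstream leg only
        proxy_ssl_server_name on;              # send SNI ...
        proxy_ssl_name ${pool_host};           # ... carrying the pool hostname
        proxy_ssl_verify on;                   # OFF by default: without it any cert is accepted
        proxy_ssl_verify_depth 3;
        proxy_ssl_trusted_certificate ${CA_BUNDLE};
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_connect_timeout 10s;
        proxy_timeout 30m;                     # idle limit on the long-lived stratum session
    }
}
EOF
}

# HAProxy equivalent: "verify required" plus "ca-file" is what makes it check the cert.
render_haproxy() {
    pool_host=$1; pool_port=${2:-443}; listen_port=${3:-3333}
    cat <<EOF
listen stratum_tls
    mode tcp
    bind 0.0.0.0:${listen_port}
    timeout connect 10s
    timeout client 30m
    timeout server 30m
    server pool ${pool_host}:${pool_port} ssl verify required ca-file ${CA_BUNDLE} sni str(${pool_host})
EOF
}

# Audit an nginx stream config on stdin.  Prints "ok" when the upstream leg enables
# TLS, sends SNI and verifies against a CA bundle; otherwise lists what is missing.
audit_nginx_stream() {
    conf=$(tr ';' '\n')        # one directive per line, so "a; b;" on one line still counts
    missing=""
    for d in "proxy_ssl on" "proxy_ssl_server_name on" "proxy_ssl_verify on" "proxy_ssl_trusted_certificate"; do
        printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*${d}"'([[:space:]]|$)' || missing="$missing $d"
    done
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# Constructed minimal config: it proxies fine, but accepts whatever certificate
# the far end presents, which is exactly the TLS-inspection MITM case from the symptoms.
WEAK_SNIPPET='stream {
    server {
        listen 3333;
        proxy_pass pool.example.com:443;
        proxy_ssl on; proxy_ssl_server_name on;
    }
}'

# Usage: sh stratum_proxy.sh > review.txt, then paste the blocks into nginx.conf / haproxy.cfg
printf 'weak snippet audit: %s\n' "$(printf '%s\n' "$WEAK_SNIPPET" | audit_nginx_stream)"
printf 'rendered nginx audit: %s\n\n' "$(render_nginx_stream pool.example.com 443 3333 | audit_nginx_stream)"
render_nginx_stream pool.example.com 443 3333
echo
render_haproxy pool.example.com 443 3333
```

After pasting the nginx block, run `nginx -t` before reloading; a wrong `ca-file`/`proxy_ssl_trusted_certificate` path shows up there rather than as silent share loss later.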

13

For Bitaxe / Nerd hardware, rebuild firmware with a custom mbedTLS config. Clone the AxeOS / NerdMiner / NerdQAxe firmware repo, edit `components/mbedtls/mbedtls/include/mbedtls/config.h` (or sdkconfig Kconfig flags), enable `MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED`, `MBEDTLS_AES_C`, `MBEDTLS_GCM_C`, `MBEDTLS_SHA384_C`, `MBEDTLS_ECP_DP_SECP256R1_ENABLED`, rebuild, flash. D-Central maintains a public Bitaxe firmware fork with extended TLS — see `github.com/DCentralTech`.

14

Pin the pool's certificate fingerprint in firmware. Get the fingerprint with `openssl s_client -connect pool.example.com:443 -servername pool.example.com < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout`. Hard-pinning trades flexibility (cert rotation breaks you) for size (no CA bundle needed) and bypasses every CA-related failure mode. AxeOS 2.5+ exposes this via the API.
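The fingerprint command from this step, extended into a pin check and a rotation watch. This is an added example, not code from the original page, from D-Central or from AxeOS: it pulls the leaf certificate's SHA-256 fingerprint the way the page does, compares it against the value stored on the miner while ignoring the colon/case differences that different UIs introduce, and warns before the pool's certificate expires, since a pinned miner stops hashing the moment the pool rotates. It assumes OpenSSL on the workstation; `pool.example.com:443` is the page's placeholder pool.

```shell
#!/bin/sh
# Added example, not code from the original page, from D-Central or from AxeOS.
# Assumes OpenSSL on the workstation; pool.example.com:443 is the page's placeholder.

# SHA-256 fingerprint of the leaf certificate the pool presents for $host (SNI sent).
leaf_fingerprint() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -fingerprint -sha256 -noout | sed 's/^[^=]*=//'
}

# Canonical form for comparison: no colons or spaces, upper case.  openssl,
# browsers and firmware UIs all print the same digest in different shapes.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# Returns 0 when both strings denote the same digest; an empty pin never matches.
pin_matches() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Prints the cert's notAfter and WARNs when fewer than $days of validity remain.
rotation_watch() {
    host=$1; port=${2:-443}; days=${3:-14}
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null)
    printf '%s\n' "$pem" | openssl x509 -noout -enddate
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null; then
        echo "OK: more than $days days before the pin must be refreshed"
    else
        echo "WARN: cert rotates within $days days; schedule a pin update on every pinned miner"
    fi
}

# Usage: sh pin_check.sh pool.example.com 443 <fingerprint stored in the miner config>
if [ $# -ge 3 ]; then
    live=$(leaf_fingerprint "$1" "$2")
    if pin_matches "$3" "$live"; then
        echo "PIN OK       $live"
    else
        echo "PIN MISMATCH live=$live pinned=$3"
    fi
    rotation_watch "$1" "$2"
else
    echo "usage: $0 <pool-host> <tls-port> <pinned-sha256-fingerprint>" >&2
fi
```

Run it from cron on the LAN: a `PIN MISMATCH` on a day the pool announced nothing is the signal to look at the `openssl s_client` checks from step 7 before touching the miners, because it is either a rotation you missed or something on the path presenting a different certificate.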

15

On Antminer, flash DCENT_OS for full per-pool TLS settings. DCENT_OS exposes TLS settings stock Bitmain firmware hides — explicit cipher list, explicit SNI, CA bundle override, pool-level TLS toggle. Flash via `d-central.tech/dcent-os`, log in, navigate to Pools → SSL Options. Cleanest Antminer TLS fix when you don't want a separate proxy.

16

If your network upstream uses DoH/DoT and the miner can't speak it, configure your router to do recursive DNS for the LAN and serve plain DNS to the miner. One-line OpenWrt / MikroTik change. Removes a whole class of `works from laptop, fails from miner` issues.

17

Migrate affected miners to Stratum V2 if the pool supports it. SV2 mandates encryption with NOISE_NX framing, a different protocol from stratum-over-TLS that solves the same problem cleanly. DCENT_OS, Braiins OS+, and Bitaxe firmware in active development support SV2. Pools with V2 support: Braiins, DEMAND, Ocean (some configurations).

18

Stop DIY when you've exhausted Tier 1-3 and TLS still fails on a fleet of 5+ miners with the same firmware on the same network. At that point you need `tcpdump`/Wireshark on the LAN segment, dissection of `ClientHello` vs `ServerHello`, and almost always a custom firmware build or a dedicated proxy box. Engage D-Central.

19

Engage D-Central remote-management. For operators running 10+ miners across multiple sites, D-Central deploys a hardened stratum proxy on D-Central-maintained hardware, points all your miners at it, and you stop caring about miner-firmware TLS forever. Typical turnaround: 2-3 business days for setup. Contact via d-central.tech/contact/.

20

Custom firmware engagement for Antminer fleets. D-Central builds custom DCENT_OS variants (your CA bundle, your cert pins, your TLS config, your telemetry) on a paid engagement. Overkill for a single home miner — but for a 50-machine pleb collective or a small commercial farm, cheaper than dealing with TLS failures forever. Email support@d-central.tech to scope.

When to Seek Professional Repair

If the steps above do not resolve the issue, or if you are not comfortable performing these repairs yourself, professional service is recommended. Attempting advanced repairs without proper equipment can cause further damage.


Still Having Issues?

Our team of Bitcoin Mining Hackers has been repairing ASIC miners since 2016. We have seen it all and fixed it all. Get a professional diagnosis.