HTTP 400 Bad Request (SSL certificate error) Response to Inbound API Calls to the Instance When Using mTLS (HTTPS Mutual Authentication)

Description

Customers who use an API client program or script that tries to use mTLS (HTTPS Mutual Authentication) when initiating a connection to the instance might see their connection rejected with an HTTP 400 response and this error:

<html><head><title>400 The SSL certificate error</title></head><body><center><h1>400 Bad Request</h1></center><center>The SSL certificate error</center><hr><center>snow_adc</center></body></html>

Release or Environment

All ServiceNow instances (no matter which release) that are on the new ADCv2 load balancers. However, inbound mTLS (HTTPS Mutual Auth) is only supported on instances that are on Quebec and newer.

Cause

In the Quebec release, ServiceNow introduced a new feature that allows mTLS (HTTPS Mutual Auth) to be used for inbound connections with ServiceNow instances:

https://docs.servicenow.com/bundle/quebec-platform-administration/page/integrate/authentication/concept/certificate-based-authentication.html
https://docs.servicenow.com/bundle/quebec-servicenow-platform/page/product/mid-server/task/install-mid-mutual-auth.html

To make this new feature work, a change had to be made to the ServiceNow ADCv2 load balancer devices. This change enabled features on the ADCv2s that check the validity of any incoming certificates used as part of any mTLS connection attempt. This change was rolled out during April 2021.

Because ServiceNow didn't support inbound mTLS at all in versions before Quebec, there was never a reason for the ADCv2s (or previous F5 devices) to do these certificate checks. This is likely why client programs or scripts that attempt mTLS worked before April 2021. Now certificate checks on any inbound mTLS connection attempt are necessary to enable the new MID Server feature. However, ServiceNow still does not support mTLS inbound to the instance using self-signed/internal CAs.

This is likely the cause of the HTTP 400 rejections: for mTLS, your client application uses certs from an internal CA which cannot be verified, and so the ADCv2 is rejecting the connection attempts.

Resolution

The best solution depends on the ServiceNow instance version:

- Paris and older: customers should configure their client applications/scripts to not attempt mTLS when connecting to ServiceNow instances, since mTLS (HTTPS Mutual Auth) is not supported.
- Quebec and newer: if mTLS is needed, customers should configure it according to the documentation: https://docs.servicenow.com/bundle/quebec-platform-administration/page/integrate/authentication/concept/certificate-based-authentication.html
  Currently (April 2021), for inbound mTLS to work the client certificate must be signed by a known CA (one of the CAs most browsers and OSes trust); self-signed/internal corporate CAs currently won't work with the ADCv2.

Additional Information

An internal Problem PRB1491771 has been opened for this.
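
The Resolution's requirement that the client certificate be signed by a known CA can be checked locally before the client attempts mTLS. The shell function below is an added example, not ServiceNow code: `classify_client_cert` is a hypothetical name, and it assumes the local OpenSSL default trust store approximates the CAs the ADCv2 accepts, which this article does not list.

```shell
#!/bin/sh
# Added example (not ServiceNow code). Classifies a PEM client certificate
# before it is used for inbound mTLS to an instance.
#
# Usage: classify_client_cert CERT_PEM [INTERMEDIATES_PEM]
# Prints one of:
#   self-signed           subject and issuer names are identical
#   unverified            does not chain to a CA in the local trust store
#                         (typical for an internal corporate CA)
#   chains-to-trusted-ca  chains to a CA in the local trust store
#
# Assumption: OpenSSL's default trust store stands in for the "known CA"
# list; the load balancer's real list is not published in the article.
classify_client_cert() {
    cert=$1
    chain=${2:-}

    # RFC2253 formatting gives a stable one-line form for both names.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 2
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253) || return 2

    # Name comparison only: identical subject and issuer means the
    # certificate was issued to itself, so no external CA vouches for it.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "self-signed"
        return 0
    fi

    # Build the chain with any supplied intermediates (treated as untrusted
    # helpers) and require it to end at a root in the default trust store.
    if [ -n "$chain" ]; then
        if openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1; then
            echo "chains-to-trusted-ca"
            return 0
        fi
    elif openssl verify "$cert" >/dev/null 2>&1; then
        echo "chains-to-trusted-ca"
        return 0
    fi

    echo "unverified"
}

# Run directly: sh classify.sh client.pem [intermediates.pem]
if [ "$#" -gt 0 ]; then
    classify_client_cert "$@"
fi
```

A result of `self-signed` or `unverified` matches the condition the article gives for the HTTP 400 rejection.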