Load test wrong base URL / SSL handshake to target in CI
A load test that connects but fails on every request is usually pointed at the wrong base URL, or is speaking HTTPS to a target whose certificate the runner does not trust. Both surface as 100% failures without a connection-refused error.
What this error means
Requests fail with 404s to unexpected paths, redirects to the wrong host, or TLS errors like "x509: certificate signed by unknown authority" / "PKIX path building failed" against the target.
# k6
GoError: Get "https://app.internal/": x509: certificate signed by unknown authority
# JMeter
Non HTTP response code: javax.net.ssl.SSLHandshakeException: PKIX path building failedCommon causes
The base URL points at the wrong host or scheme
Using localhost when the app is a service container, or http vs https, sends every request to the wrong place.
The target uses a certificate the runner does not trust
A self-signed or internal CA cert on the target fails the TLS handshake because the runner's trust store lacks that CA.
How to fix it
Parameterize and verify the base URL
Pass the reachable base URL explicitly and confirm it with a curl before the run.
k6 run -e BASE_URL=https://app:8443 script.js
# JMeter
jmeter -n -t plan.jmx -Jprotocol=https -Jhost=app -Jport=8443Trust the target CA on the runner
- Add the internal CA to the runner trust store for JVM tools (Gatling/JMeter).
- For k6 in CI, point at the CA or use insecureSkipTLSVerify only for a self-signed test target.
- Prefer trusting the CA over disabling verification.
export const options = { insecureSkipTLSVerify: true }; // self-signed test target onlyHow to prevent it
- Pass the base URL as a parameter and verify it with curl first.
- Add the internal CA to the runner trust store for JVM load tools.
- Reserve TLS-verify bypass for known self-signed test targets only.