diff --git a/modules/mbedtls/crypto_mbedtls.cpp b/modules/mbedtls/crypto_mbedtls.cpp
index 9c8eb40ca49..1e02084ae2b 100644
--- a/modules/mbedtls/crypto_mbedtls.cpp
+++ b/modules/mbedtls/crypto_mbedtls.cpp
@@ -69,7 +69,7 @@ Error CryptoKeyMbedTLS::load(String p_path) {
 	int ret = mbedtls_pk_parse_key(&pkey, out.read().ptr(), out.size(), NULL, 0);
 	// We MUST zeroize the memory for safety!
 	mbedtls_platform_zeroize(out.write().ptr(), out.size());
-	ERR_FAIL_COND_V_MSG(ret, FAILED, "Error parsing some certificates: " + itos(ret));
+	ERR_FAIL_COND_V_MSG(ret, FAILED, "Error parsing private key: " + itos(ret));
 
 	return OK;
 }
diff --git a/modules/mbedtls/ssl_context_mbedtls.cpp b/modules/mbedtls/ssl_context_mbedtls.cpp
index 014a201f9c0..97b5e23f58a 100644
--- a/modules/mbedtls/ssl_context_mbedtls.cpp
+++ b/modules/mbedtls/ssl_context_mbedtls.cpp
@@ -94,9 +94,12 @@ Error SSLContextMbedTLS::init_server(int p_transport, int p_authmode, Ref<Crypto
 }
 
 Error SSLContextMbedTLS::init_client(int p_transport, int p_authmode, Ref<X509CertificateMbedTLS> p_valid_cas) {
+	Error err = _setup(MBEDTLS_SSL_IS_CLIENT, p_transport, p_authmode);
+	ERR_FAIL_COND_V(err != OK, err);
+
 	X509CertificateMbedTLS *cas = NULL;
 
-	if (certs.is_valid()) {
+	if (p_valid_cas.is_valid()) {
 		// Locking CA certificates
 		certs = p_valid_cas;
 		certs->lock();
@@ -104,12 +107,12 @@ Error SSLContextMbedTLS::init_client(int p_transport, int p_authmode, Ref<X509Ce
 	} else {
 		// Fall back to default certificates (no need to lock those).
 		cas = CryptoMbedTLS::get_default_certificates();
-		ERR_FAIL_COND_V(cas == NULL, ERR_UNCONFIGURED);
+		if (cas == NULL) {
+			clear();
+			ERR_FAIL_V_MSG(ERR_UNCONFIGURED, "SSL module failed to initialize!");
+		}
 	}
 
-	Error err = _setup(MBEDTLS_SSL_IS_CLIENT, p_transport, p_authmode);
-	ERR_FAIL_COND_V(err != OK, err);
-
 	// Set valid CAs
 	mbedtls_ssl_conf_ca_chain(&conf, &(cas->cert), NULL);
 	mbedtls_ssl_setup(&ssl, &conf);