diff --git a/usr.sbin/relayd/ca.c b/usr.sbin/relayd/ca.c
index ae4f15cd01a..b3b6b448533 100644
--- a/usr.sbin/relayd/ca.c
+++ b/usr.sbin/relayd/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.53 2026/06/14 08:55:54 rsadowski Exp $ */
+/* $OpenBSD: ca.c,v 1.54 2026/06/14 08:57:43 rsadowski Exp $ */
 /*
 * Copyright (c) 2014 Reyk Floeter
@@ -476,6 +476,8 @@ ca_engine_init(struct relayd *x_env)
 goto fail;
 }
+ ERR_clear_error();
+
 RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc);
 RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec);
@@ -489,6 +491,6 @@ ca_engine_init(struct relayd *x_env)
 return;
 fail:
- RSA_meth_free(rsae_method);
+ ssl_error(errstr);
 fatalx("%s: %s", __func__, errstr);
 }
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index cd9f6bd8031..5fb50ffd624 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.285 2026/06/14 08:54:21 rsadowski Exp $ */
+/* $OpenBSD: relayd.h,v 1.286 2026/06/14 08:57:43 rsadowski Exp $ */
 /*
 * Copyright (c) 2006 - 2016 Reyk Floeter
@@ -1286,6 +1286,7 @@ void script_done(struct relayd *, struct ctl_script *);
 int script_exec(struct relayd *, struct ctl_script *);
 /* ssl.c */
+void ssl_error(const char *);
 char *ssl_load_key(struct relayd *, const char *, off_t *, char *);
 uint8_t *ssl_update_certificate(const uint8_t *, size_t, EVP_PKEY *, EVP_PKEY *, X509 *, size_t *);
diff --git a/usr.sbin/relayd/ssl.c b/usr.sbin/relayd/ssl.c
index b6ab383e6a5..4913949b9cc 100644
--- a/usr.sbin/relayd/ssl.c
+++ b/usr.sbin/relayd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.40 2026/05/21 14:56:34 tb Exp $ */
+/* $OpenBSD: ssl.c,v 1.41 2026/06/14 08:57:43 rsadowski Exp $ */
 /*
 * Copyright (c) 2007 - 2014 Reyk Floeter
@@ -63,6 +63,8 @@ ssl_load_key(struct relayd *env, const char *name, off_t *len, char *pass)
 if ((fp = fopen(name, "r")) == NULL)
 return (NULL);
+ ERR_clear_error();
+
 key = PEM_read_PrivateKey(fp, NULL, ssl_password_cb, pass);
 fclose(fp);
 if (key == NULL)
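Review bot: In ca.c's ca_engine_init hunk at -476, `ERR_clear_error();` sits after a `goto fail` branch, so when that branch is taken the `ssl_error(errstr)` added at `fail:` (hunk at -489) drains whatever was already on the OpenSSL error queue and may log stale entries unrelated to the call named in `errstr`. Moving `ERR_clear_error();` ahead of the first call that can jump to `fail:` would keep the logged errors tied to the failure being reported. The body of ca_engine_init begins before and continues between these two hunks, so whether any call after the clear can still reach `fail:` is not visible here; if none can, the clear as placed covers no failure path.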
@@ -88,6 +90,7 @@ ssl_load_key(struct relayd *env, const char *name, off_t *len, char *pass)
 return (buf);
 fail:
+ ssl_error("ssl_load_key");
 free(buf);
 if (bio != NULL)
 BIO_free_all(bio);
@@ -237,3 +240,15 @@ ssl_load_pkey(char *buf, off_t len, X509 **x509ptr, EVP_PKEY **pkeyptr)
 return (0);
 }
+
+void
+ssl_error(const char *where)
+{
+ unsigned long code;
+ char errbuf[128];
+
+ for (; (code = ERR_get_error()) != 0 ;) {
+ ERR_error_string_n(code, errbuf, sizeof(errbuf));
+ log_warnx("SSL library error: %s: %s", where, errbuf);
+ }
+}
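Review bot: In the `fail:` hunk of ssl_load_key (at -88), `ssl_error("ssl_load_key")` tags the log line with a hard-coded function name, so the operator cannot tell which key file failed to load or decrypt. The `name` parameter is in scope according to the hunk header, so `ssl_error(name);` would make the message actionable when several keys are configured. If the function name is preferred, `ssl_error(__func__);` would match the `__func__` already used in ca.c's `fatalx` call. Most of ssl_load_key lies outside the hunk, so which failures reach `fail:` with a non-empty error queue cannot be confirmed from here.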
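Review bot: The new ssl_error() in the last hunk (at -237) has no comment saying that it consumes the OpenSSL error queue, which matters because callers cannot inspect the errors afterwards and must call `ERR_clear_error()` before the operation for the output to relate to it. A comment above the definition such as `/* Log and drain the OpenSSL error queue, tagging each entry with 'where'. */` would record that contract. The loop `for (; (code = ERR_get_error()) != 0 ;)` has empty init and step clauses and reads more naturally as `while ((code = ERR_get_error()) != 0) {`. The 128-byte `errbuf` is memory-safe because `ERR_error_string_n` truncates to the given size, but longer error strings will be cut short in the log.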