diff --git a/rowbot b/rowbot index a770582..75e8fc9 100755 --- a/rowbot +++ b/rowbot @@ -607,11 +607,9 @@ on_sys_first_015_net() { local server=$(NS=net state_get server) port=$(NS=net state_get port) log_info "rowbot is connecting to %s" "$(url)" - if ! NS=net QUIET="" state_get tls; then - exec {irc_sock}<>/dev/tcp/"$server"/"$port" - NS=net state_put in-sock "$irc_sock" - NS=net state_put out-sock "$irc_sock" - else + if NS=net QUIET="" state_get tls; then + log_debug "requesting tls connection" + if ! has socat; then die "please install socat to use tls with rowbot." fi @@ -627,13 +625,18 @@ on_sys_first_015_net() { # The only possible fail conditions are already checked for. # shellcheck disable=SC2155 local client_cert=$(NS=net state_get client-cert) + log_debug "using a client certificate with the tls connection" if [[ ! -f $client_cert ]]; then die "client certificate not found: %s" "$client_cert" + elif [[ ! -r $client_cert ]]; then + die "client certificate is not readable" fi + log_debug "client certificate file was found" conn_args=OPENSSL:$server:$port,cert=$client_cert else + log_debug "not using a client certificate for tls" conn_args=OPENSSL:$server:$port fi 
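Review bot: The new condition `if NS=net QUIET="" state_get tls; then` selects TLS from the exit status of `state_get`, so any non-zero return, not only an unset key, falls through to the plaintext branch added in the third hunk, and that branch is announced only at debug level. The exit handler in the third hunk decides with `NS=net state_has tls` instead; if the two helpers can disagree for the same state, connect and teardown take different paths. Both helpers are defined outside this diff, so this needs confirming there; if they are meant to be equivalent, using `if NS=net state_has tls; then` in both places would make that explicit. on_sys_first_015_net starts before this hunk and continues past it.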
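Review bot: The added `-r` test confirms the certificate file can be read, but the path is still interpolated unescaped into `conn_args=OPENSSL:$server:$port,cert=$client_cert`, and socat separates address options with commas, so a path containing a comma would be parsed as further connection options rather than as part of the file name. Where the `client-cert` value originates is not visible here, so it is safer to treat it as configuration input and reject such paths next to the existing checks, e.g. `elif [[ $client_cert == *,* ]]; then die "client certificate path must not contain a comma: %s" "$client_cert"`. The new `die "client certificate is not readable"` also omits the path that the not-found message prints; `die "client certificate is not readable: %s" "$client_cert"` would match it. The enclosing function starts and ends outside this hunk.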
@@ -645,30 +648,41 @@ on_sys_first_015_net() { NS=net state_put out-sock "$out_sock" NS=net state_put in-sock "$in_sock" log_debug "process %d is handling tls" "$tls_pid" + else + log_debug "requesting plaintext connection" + exec {irc_sock}<>/dev/tcp/"$server"/"$port" + NS=net state_put in-sock "$irc_sock" + NS=net state_put out-sock "$irc_sock" fi + + log_debug "connection established" } on_sys_exit_998_net() { log_info "rowbot is closing the connection to %s" "$(url)" - if ! NS=net state_has tls; then - # The only possible fail conditions are already checked for. - # shellcheck disable=SC2155 - local irc_sock=$(NS=net state_get in-sock) - exec {irc_sock}>&- - else + # The only possible fail conditions are already checked for. + # shellcheck disable=SC2155 + if NS=net state_has tls; then if NS=net state_has tls-pid; then - # The only possible fail conditions are already checked for. - # shellcheck disable=SC2155 local tls_pid=$(NS=net state_get tls-pid) if is_running "$tls_pid"; then + log_debug "stopping the tls process" kill -STOP "$tls_pid" + else + log_debug "tls process is not running" fi fi + log_debug "removing the socket directory" rm -rf -- "$(NS=net state_get sock-dir)" + else + local irc_sock=$(NS=net state_get in-sock) + exec {irc_sock}>&- fi + + log_debug "connection closed" } ###
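Review bot: The new message `log_debug "stopping the tls process"` describes `kill -STOP "$tls_pid"`, but SIGSTOP only suspends a process, so the tls process is left alive and paused while the following `rm -rf` removes its socket directory. If the intent at exit is to shut that process down, `kill -TERM "$tls_pid"` (or plain `kill "$tls_pid"`) does so and presumably lets the connection close instead of lingering. Separately, `# shellcheck disable=SC2155` now precedes the outer `if`, so it covers the whole compound command, and the comment justifying it no longer sits next to the two `local x=$(...)` assignments it is about; repeating the directive on each assignment would keep the suppression narrow. on_sys_exit_998_net is complete within this hunk; the hunk's first lines are the tail of on_sys_first_015_net.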