[OIDC] Improve Issuer.discover error message


    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.42.3
    • Affects Version/s: None
    • Component/s: OIDC DB Auth, UI / UX
    • None
    • 2
    • Iteration Wendiceratops
    • Not Needed
    • Developer Tools

      The openid-client package we use to perform OIDC protocol interactions mostly forwards HTTPS errors directly to the caller. Node.js HTTPS errors, however, can be fairly unspecific; e.g.:

      > require('openid-client').Issuer.discover('https://self-signed.badssl.com')
      Promise {
        <pending>,
        [Symbol(async_id_symbol)]: 35,
        [Symbol(trigger_async_id_symbol)]: 6
      }
      > Uncaught Error: self-signed certificate
          [...] {
        code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
      }
      

      As a quick win, we could wrap the error message from Issuer.discover in https://github.com/mongodb-js/oidc-plugin/blob/14de2c8c18f74c3a6eb892fa180850afc9b83460/src/plugin.ts#L339 so that it indicates that the error happened while looking up issuer metadata (and what the issuer URI in question is), and include the issuer URI in the log file when starting an OIDC authentication attempt.

            Assignee:
            Anna Henningsen
            Reporter:
            Anna Henningsen
            Votes:
            0
            Watchers:
            1
