Tags: 502, api, network_error; ai_generated: true
502 Bad Gateway: SSL handshake failed between ALB and target
ID: api/http-502-bad-gateway-aws-alb-ssl-handshake
Fix Rate: 82%
Confidence: 87%
Evidence: 1
First Seen: 2023-11-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS ALB 2023+ | active | — | — | — |
| NGINX 1.24+ | active | — | — | — |
| Tomcat 10.x | active | — | — | — |
| Java 17+ | active | — | — | — |
| Go 1.21+ | active | — | — | — |
Root Cause
AWS Application Load Balancer (ALB) could not establish an SSL/TLS connection with the target because the target's certificate is self-signed, expired, or the cipher suite is incompatible.
Official Documentation
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-troubleshooting.html#ssl-handshake-failed

Workarounds

- 90% success: Install a trusted certificate on the target (e.g., from Let's Encrypt). For testing, use a self-signed certificate, but upload it to ACM and attach it to the ALB target group as a custom trust store. Example using OpenSSL to generate a self-signed cert for ACM:

  ```bash
  openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
  ```

  Then import server.crt into ACM and configure the target group to trust it.

- 80% success: Update the target's cipher suite to match ALB's supported list. ALB supports TLS 1.2+ with ciphers such as ECDHE-RSA-AES128-GCM-SHA256. On NGINX, add:

  ```nginx
  ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
  ```
Dead Ends
Common approaches that don't work:
- 90% fail: The error is due to misconfiguration, not transient state.
- 70% fail: AWS does not allow insecure connections from ALB to targets.