{ "id": "api/http-502-bad-gateway-aws-alb-ssl-handshake", "signature": "502 Bad Gateway: SSL handshake failed between ALB and target", "signature_zh": "502 错误网关:ALB 与目标之间的 SSL 握手失败", "regex": "502 Bad Gateway: SSL handshake failed between ALB and target", "domain": "api", "category": "network_error", "subcategory": null, "root_cause": "AWS Application Load Balancer (ALB) could not establish an SSL/TLS connection with the target because the target's certificate is self-signed, expired, or the cipher suite is incompatible.", "root_cause_type": "generic", "root_cause_zh": "AWS 应用负载均衡器 (ALB) 无法与目标建立 SSL/TLS 连接,因为目标证书是自签名的、已过期或密码套件不兼容。", "versions": [ { "version": "AWS ALB 2023+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "NGINX 1.24+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Tomcat 10.x", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Java 17+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Go 1.21+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "The error is due to misconfiguration, not transient state.", "fail_rate": 0.9, "condition": "", "sources": [] }, { "action": "", "why_fails": "AWS does not allow insecure connections from ALB to targets.", "fail_rate": 0.7, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Install a trusted certificate on the target (e.g., from Let's Encrypt). For testing, use a self-signed certificate but upload it to ACM and attach to the ALB target group as a custom trust store. Example using OpenSSL to generate a self-signed cert for ACM:\nopenssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt\nThen import server.crt into ACM and configure the target group to trust it.", "success_rate": 0.9, "how": "Install a trusted certificate on the target (e.g., from Let's Encrypt). For testing, use a self-signed certificate but upload it to ACM and attach to the ALB target group as a custom trust store. Example using OpenSSL to generate a self-signed cert for ACM:\nopenssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt\nThen import server.crt into ACM and configure the target group to trust it.", "condition": "", "sources": [] }, { "action": "Update the target's cipher suite to match ALB's supported list. ALB supports TLS 1.2+ with ciphers like ECDHE-RSA-AES128-GCM-SHA256. On NGINX, add: ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';", "success_rate": 0.8, "how": "Update the target's cipher suite to match ALB's supported list. ALB supports TLS 1.2+ with ciphers like ECDHE-RSA-AES128-GCM-SHA256. On NGINX, add: ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';", "condition": "", "sources": [] } ], "workarounds_zh": [ "Install a trusted certificate on the target (e.g., from Let's Encrypt). For testing, use a self-signed certificate but upload it to ACM and attach to the ALB target group as a custom trust store. Example using OpenSSL to generate a self-signed cert for ACM:\nopenssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt\nThen import server.crt into ACM and configure the target group to trust it.", "Update the target's cipher suite to match ALB's supported list. ALB supports TLS 1.2+ with ciphers like ECDHE-RSA-AES128-GCM-SHA256. On NGINX, add: ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-troubleshooting.html#ssl-handshake-failed", "official_doc_section": null, "error_code": "502", "verification_tier": "ai_generated", "confidence": 0.87, "fix_success_rate": 0.82, "resolvable": "true", "first_seen": "2023-11-20", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }