# 502 Bad Gateway: SSL handshake failed between ALB and target

- **ID:** `api/http-502-bad-gateway-aws-alb-ssl-handshake`
- **Domain:** api
- **Category:** network_error
- **Error Code:** `502`
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

AWS Application Load Balancer (ALB) could not establish an SSL/TLS connection with the target because the target presents a self-signed or expired certificate, or offers no cipher suite compatible with the ALB.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS ALB 2023+ | active | — | — |
| NGINX 1.24+ | active | — | — |
| Tomcat 10.x | active | — | — |
| Java 17+ | active | — | — |
| Go 1.21+ | active | — | — |

## Workarounds

1. **Install a trusted certificate on the target (e.g., from Let's Encrypt).** (90% success)
   For testing, use a self-signed certificate but upload it to ACM and attach it to the ALB target group as a custom trust store. Example using OpenSSL to generate a self-signed cert for ACM:
   ```
   openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
   ```
   Then import `server.crt` into ACM and configure the target group to trust it.
2. **Update the target's cipher suite to match ALB's supported list.** (80% success)
   ALB supports TLS 1.2+ with ciphers like ECDHE-RSA-AES128-GCM-SHA256. On NGINX, add:
   ```
   ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
   ```
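Both workarounds come down to the same check: does the target present a certificate the ALB trusts and a cipher suite it accepts? The Go program below is an added example, not part of this entry or of any AWS tooling: it dials a target from a host inside the VPC with a client profile modelled on the description above (TLS 1.2+, the ECDHE AES-128-GCM suites, a caller-supplied trust store) and maps the handshake error onto the root causes listed here. The cipher list, the trust-store handling and the reliance on the `handshake failure` alert text to detect a cipher mismatch are this example's assumptions, and `TARGET_IP:443` is a placeholder.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// classify maps a TLS handshake error onto the root causes this entry lists.
func classify(err error) string {
	var invalid x509.CertificateInvalidError
	var unknownCA x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired-cert" // renew the certificate on the target
	case errors.As(err, &unknownCA):
		return "untrusted-cert" // self-signed, and not in the trust store we dialled with
	case strings.Contains(err.Error(), "handshake failure"):
		return "cipher-mismatch" // assumption: peer sent handshake_failure because no offered suite matched
	}
	return "other: " + err.Error()
}

// probe dials addr with a client profile modelled on the entry's description of ALB (TLS 1.2+,
// ECDHE AES-128-GCM suites; roots is the trust store, nil meaning the system store). On success it
// reports the negotiated suite and the leaf certificate's expiry, on failure the classified reason.
func probe(addr string, roots *x509.CertPool) string {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots, CipherSuites: []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return classify(err)
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return fmt.Sprintf("ok: %s, cert expires %s", tls.CipherSuiteName(st.CipherSuite),
		st.PeerCertificates[0].NotAfter.Format(time.RFC3339))
}

func main() {
	fmt.Println(probe("TARGET_IP:443", nil)) // placeholder address; run from a host inside the target's VPC
}
```

To mimic the custom trust store step, load `server.crt` into an `x509.CertPool` and pass it as `roots`; a self-signed target then reports `ok` instead of `untrusted-cert`.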

## Dead Ends

- The error is due to misconfiguration, not transient state. (90% fail)
- AWS does not allow insecure connections from ALB to targets. (70% fail)
