502 | api | network_error | ai_generated: true
502 Bad Gateway: SSL handshake failed between ALB and target
ID: api/http-502-bad-gateway-aws-alb-ssl-handshake
82% fix rate
87% confidence
Evidence count: 1
First seen: 2023-11-20
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS ALB 2023+ | active | — | — | — |
| NGINX 1.24+ | active | — | — | — |
| Tomcat 10.x | active | — | — | — |
| Java 17+ | active | — | — | — |
| Go 1.21+ | active | — | — | — |
Root cause analysis
AWS Application Load Balancer (ALB) could not establish an SSL/TLS connection with the target because the target's certificate is self-signed, expired, or the cipher suite is incompatible.
Official documentation
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-troubleshooting.html#ssl-handshake-failed
Solutions
- Install a trusted certificate on the target (e.g., from Let's Encrypt). For testing, use a self-signed certificate, but upload it to ACM and attach it to the ALB target group as a custom trust store. Example using OpenSSL to generate a self-signed certificate for ACM: `openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt`. Then import server.crt into ACM and configure the target group to trust it.
- Update the target's cipher suite to match ALB's supported list. ALB supports TLS 1.2+ with ciphers such as ECDHE-RSA-AES128-GCM-SHA256. On NGINX, add: `ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';`
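As an added demonstration (not code from this page or from AWS), the Go program below reproduces the two target-side failure modes named in the root cause, a cipher list with no overlap and an expired certificate, entirely on loopback: it serves TLS 1.2 with a constructed self-signed RSA certificate and dials it with a client that offers only a fixed cipher list and trusts only that certificate, standing in for a strict front end. The certificate, the `target` name and the cipher choices are constructed test values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed self-signed RSA certificate for "target" that expires at notAfter.
func newCert(notAfter time.Time) (tls.Certificate, *x509.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "target"},
		DNSNames: []string{"target"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// tryHandshake serves TLS 1.2 on loopback offering serverCiphers, then dials it with a client
// that offers only clientCiphers and trusts exactly that certificate. Returns the client-side
// handshake error, or nil when the handshake succeeds.
func tryHandshake(notAfter time.Time, serverCiphers, clientCiphers []uint16) error {
	cert, parsed := newCert(notAfter)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert},
		CipherSuites: serverCiphers, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12})
	if err != nil { return err }
	defer ln.Close()
	go func() { // server side: accept one connection and run its handshake to completion or failure
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake(); c.Close()
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "target",
		CipherSuites: clientCiphers, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12})
	if err != nil { return err }
	return conn.Close()
}

func main() {
	aes := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
	fmt.Println("matching cipher, valid cert:", tryHandshake(time.Now().Add(24*time.Hour), aes, aes))
	fmt.Println("cipher mismatch:", tryHandshake(time.Now().Add(24*time.Hour), []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}, aes))
	fmt.Println("expired cert:", tryHandshake(time.Now().Add(-time.Minute), aes, aes))
}
```

The first call succeeds; the second fails because the two sides share no cipher suite, and the third fails on certificate validity, which is the symptom the ALB troubleshooting entry describes.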
Ineffective attempts
Common but ineffective approaches:
- 90% failure rate: The error is due to misconfiguration, not transient state.
- 70% failure rate: AWS does not allow insecure connections from ALB to targets.