# 502 Bad Gateway: SSL handshake failure between the ALB and its target

- **ID:** `api/http-502-bad-gateway-aws-alb-ssl-handshake`
- **Domain:** api
- **Category:** network_error
- **Error code:** `502`
- **Verification level:** ai_generated
- **Fix rate:** 82%

## Root cause

The AWS Application Load Balancer (ALB) cannot establish an SSL/TLS connection to the target because the target's certificate is self-signed or expired, or because the cipher suites on the two sides are incompatible.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS ALB 2023+ | active | — | — |
| NGINX 1.24+ | active | — | — |
| Tomcat 10.x | active | — | — |
| Java 17+ | active | — | — |
| Go 1.21+ | active | — | — |

## Solution

1. Install a trusted certificate on the target (for example, one issued by Let's Encrypt). For testing, use a self-signed certificate, but upload it to ACM and attach it to the ALB target group as a custom trust store. Example using OpenSSL to generate a self-signed certificate for ACM:

   ```
   openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
   ```

   Then import `server.crt` into ACM and configure the target group to trust it.

2. Update the target's cipher suites to match the list ALB supports. ALB supports TLS 1.2 and later with ciphers such as ECDHE-RSA-AES128-GCM-SHA256. On NGINX, add:

   ```
   ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
   ```
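Before changing certificates or cipher lists in production, it helps to reproduce each of the three root causes above in isolation and confirm which error a verifying TLS client actually reports. The program below is an added example written for this page (not AWS code and not part of the original card): it stands up a one-shot TLS target on loopback with the Go standard library, dials it with an "ALB-like" client that is an assumption modelled on the description above (TLS 1.2 or newer, the two ECDHE/AES-GCM suites from the NGINX `ssl_ciphers` line), and classifies the handshake error. The host name `target.internal` and the certificates are constructed fixtures. One caveat a practitioner should keep in mind: AWS documents that the ALB itself does not validate target certificates, so against a real ALB only the cipher/protocol mismatch case is reproducible; the two certificate cases show what a validating client such as a diagnostic tool or a verifying reverse proxy reports.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Verdicts produced by classify for one ALB-to-target handshake attempt.
const DiagOK, DiagExpired, DiagUntrusted, DiagCipherMismatch, DiagOther = "ok", "certificate expired", "certificate not trusted", "no shared cipher suite", "other handshake error"

// albLikeClient approximates the load-balancer side as the page describes it: TLS 1.2+ and the
// ECDHE/AES-GCM suites from the NGINX ssl_ciphers line. An assumption for illustration, not AWS code.
func albLikeClient(trust *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
		RootCAs:      trust,
		ServerName:   "target.internal", // constructed host name; matches the SAN issued below
	}
}

// selfSignedCert issues a self-signed ECDSA P-256 certificate for target.internal with the given
// validity window (a constructed fixture) and a pool that trusts it, standing in for an importer of server.crt.
func selfSignedCert(notBefore, notAfter time.Time) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"target.internal"}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // just produced by the library, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// handshakeWith runs a one-shot TLS server on loopback with serverCfg, dials it with clientCfg and
// returns the client-side handshake error (nil when the handshake succeeds).
func handshakeWith(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // failures are reported on the client side
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		conn.Close() // close_notify outcome is irrelevant to the diagnosis
	}
	return err
}

// classify maps a handshake error onto the page's root causes: certificate problems arrive as typed
// x509 errors wrapped by crypto/tls, a cipher-suite mismatch as the target's handshake_failure alert (text only).
func classify(err error) string {
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return DiagOK
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return DiagExpired
	case errors.As(err, &unknown):
		return DiagUntrusted
	case strings.Contains(err.Error(), "handshake failure"):
		return DiagCipherMismatch
	}
	return DiagOther
}

// RunScenarios reproduces the page's root causes (untrusted self-signed cert, expired cert,
// incompatible cipher suite) beside a healthy target and diagnoses each handshake.
func RunScenarios() map[string]string {
	now := time.Now()
	valid, trustValid := selfSignedCert(now.Add(-time.Hour), now.Add(24*time.Hour))
	expired, trustExpired := selfSignedCert(now.Add(-48*time.Hour), now.Add(-time.Hour))
	serve := func(c tls.Certificate) *tls.Config { return &tls.Config{Certificates: []tls.Certificate{c}} }
	cbcOnly := serve(valid) // target pinned to TLS 1.2 with a CBC suite the ALB-like client never offers
	cbcOnly.MaxVersion, cbcOnly.CipherSuites = tls.VersionTLS12, []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}
	return map[string]string{
		"trusted":               classify(handshakeWith(serve(valid), albLikeClient(trustValid))),
		"self-signed-untrusted": classify(handshakeWith(serve(valid), albLikeClient(x509.NewCertPool()))),
		"expired":               classify(handshakeWith(serve(expired), albLikeClient(trustExpired))),
		"cipher-mismatch":       classify(handshakeWith(cbcOnly, albLikeClient(trustValid))),
	}
}

func main() { fmt.Println(RunScenarios()) }
```

Run it with `go run .` and compare the four verdicts with what your real target reports: a `certificate not trusted` verdict disappears once the certificate (or its issuer) is in the client's trust store, `certificate expired` only after re-issuing, and `no shared cipher suite` only after the target's cipher list (step 2 above) overlaps with what the client offers. The expired certificate is deliberately placed in the trust pool so that the expiry verdict is unambiguous rather than being masked by an unknown-authority error.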

## Ineffective attempts

- The error is due to misconfiguration, not a transient state. (90% failure rate)
- AWS does not allow insecure connections from the ALB to its targets. (70% failure rate)
