GCP Load Balancer SSL Handshake Failed: Troubleshooting Guide
Quick Fix Summary
TL;DR: Verify your SSL certificate is valid and the backend service's SSL policy matches the client's supported protocols.
This error occurs when the Google Cloud Load Balancer's SSL proxy cannot establish a secure TLS connection with the client or backend. The handshake fails due to incompatible SSL/TLS versions or cipher suites between the negotiating parties.
Diagnosis & Causes
Recovery Steps
Step 1: Diagnose with OpenSSL s_client
Test the SSL/TLS connectivity directly to your load balancer's IP to see the exact handshake failure from a client perspective.
openssl s_client -connect YOUR_LOAD_BALANCER_IP:443 -tls1_2
openssl s_client -connect YOUR_LOAD_BALANCER_IP:443 -tls1_3
Step 2: Verify Certificate and Chain
Check that your SSL certificate is active, properly attached to the target proxy, and has a complete chain.
gcloud compute ssl-certificates describe YOUR_CERT_NAME --global
echo | openssl s_client -connect YOUR_LOAD_BALANCER_IP:443 2>/dev/null | openssl x509 -noout -dates
Step 3: Inspect the Load Balancer's SSL Policy
Review the SSL policy attached to your target HTTPS proxy. Ensure it allows modern TLS versions (TLS 1.2+) and compatible ciphers.
gcloud compute target-https-proxies describe YOUR_TARGET_PROXY --global --format="value(sslPolicy)"
gcloud compute ssl-policies describe POLICY_NAME --global --format="json(minTlsVersion, profile, enabledFeatures)"
Step 4: Update or Recreate the SSL Policy
If the policy is too restrictive, update it to use the 'MODERN' or 'RESTRICTED' profile, which ensures broad client compatibility.
gcloud compute ssl-policies update YOUR_POLICY --profile=MODERN --min-tls-version=1.2
gcloud compute ssl-policies create lb-ssl-policy-modern --profile=MODERN --min-tls-version=1.2
Step 5: Check Backend Service Health & Firewall
Ensure the backend instance group is healthy and that the GCP firewall allows traffic from the load balancer's health check IP ranges (130.211.0.0/22, 35.191.0.0/16).
gcloud compute backend-services get-health YOUR_BACKEND_SERVICE --global
gcloud compute firewall-rules list --filter="name~gke" --format="table(name, sourceRanges, allowed)"
Step 6: Review Cloud Logging for Load Balancer Errors
Search the load balancer logs in Cloud Logging for detailed 502 errors or SSL negotiation failures.
gcloud logging read 'resource.type="http_load_balancer" AND jsonPayload.statusDetails="ssl_protocol_error"' --limit=10 --format="table(timestamp, jsonPayload)"
Architect's Pro Tip
"For internal applications, create a custom SSL policy with the 'CUSTOM' profile and explicitly enable only the specific cipher suites your corporate clients support to maximize security."
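A check for the policy-versus-client mismatch that Steps 3 and 4 and the custom-profile tip describe, added here as an example that is not part of this guide or of Google's tooling: it reads the JSON that `gcloud compute ssl-policies describe POLICY_NAME --global --format=json` prints and predicts whether a client with given TLS versions and cipher suites can complete the handshake. The sample policy and the client cipher lists are constructed, and `load_policy` and `handshake_outcome` are names chosen for this example.

```python
import json

# Constructed sample of what `gcloud compute ssl-policies describe POLICY --global --format=json`
# returns. The field names (profile, minTlsVersion, enabledFeatures) are real API fields;
# the policy name and the cipher list are made up for this example.
SAMPLE_POLICY_JSON = """
{
  "name": "lb-ssl-policy-strict",
  "profile": "RESTRICTED",
  "minTlsVersion": "TLS_1_2",
  "enabledFeatures": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  ]
}
"""

TLS_ORDER = ["TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3"]


def load_policy(describe_json):
    """Parse describe output; minTlsVersion defaults to TLS_1_0 when the field is absent."""
    policy = json.loads(describe_json)
    policy.setdefault("minTlsVersion", "TLS_1_0")
    policy.setdefault("enabledFeatures", [])
    return policy


def handshake_outcome(policy, client_versions, client_ciphers):
    """Predict (ok, reason) for a client offering `client_versions` (e.g. {"TLS_1_2"}) and
    the TLS 1.2 suites `client_ciphers` (IANA names, the form used in enabledFeatures)."""
    min_idx = TLS_ORDER.index(policy["minTlsVersion"])
    usable = [v for v in client_versions if TLS_ORDER.index(v) >= min_idx]
    if not usable:
        newest = max(client_versions, key=TLS_ORDER.index)
        return False, f"client offers at most {newest}; policy minTlsVersion is {policy['minTlsVersion']}"
    version = max(usable, key=TLS_ORDER.index)
    if version == "TLS_1_3":
        # GCP documents that TLS 1.3 suites are not governed by the policy's cipher list.
        return True, "TLS_1_3 negotiated; the policy cipher list does not apply"
    common = [c for c in client_ciphers if c in policy["enabledFeatures"]]
    if not common:
        return False, f"no cipher overlap at {version}; policy enables {policy['enabledFeatures']}"
    return True, f"{version} with {common[0]}"
```

Run it against a real describe output for each client population you must support (legacy agents that only speak TLS 1.0/1.1, or TLS 1.2 stacks limited to CBC suites) before tightening a profile, and again after Step 4 to confirm the rewritten policy admits them.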
Frequently Asked Questions
Does the GCP Load Balancer terminate SSL?
Yes, the Global External HTTP(S) Load Balancer acts as an SSL proxy, terminating the client TLS connection. It then initiates a separate connection (HTTP or HTTPS) to your backend instances.
Can I use a self-signed certificate on a GCP Load Balancer?
No. GCP Load Balancers require a valid SSL certificate from a Certificate Authority (CA) trusted by public browsers or your specific client systems. Self-signed certificates will cause this error.
My backend requires HTTPS. Why am I getting this error?
This error is between the *client and the load balancer*, not the load balancer and your backend. Ensure the client's request (e.g., browser, curl) is compatible with the load balancer's frontend SSL policy.