How to Fix Alibaba Cloud SSL-Handshake-Failed
Quick Fix Summary
TL;DR: Immediately renew and re-upload your expired SSL certificate in the SLB console.
The SSL handshake fails when a client (browser) cannot establish a secure connection with an Alibaba Cloud Server Load Balancer (SLB). This is most commonly caused by an expired, mismatched, or incorrectly configured SSL certificate on the SLB listener.
Diagnosis & Causes
Recovery Steps
Step 1: Verify & Renew the SSL Certificate
First, check the certificate's validity in the Alibaba Cloud Console and renew it if expired. An expired certificate is the most common cause of immediate, widespread failure.
# Check certificate expiry using OpenSSL (replace your-domain.com)
openssl s_client -connect your-domain.com:443 -servername your-domain.com 2>/dev/null | openssl x509 -noout -dates
Step 2: Re-upload the Full Certificate Chain in SLB
In the SLB console, you must upload the full PEM bundle: your server certificate followed by the intermediate CA certificate(s). A missing intermediate is a frequent misconfiguration.
# A correct PEM file should look like this:
-----BEGIN CERTIFICATE-----
(Your Server Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA Certificate)
-----END CERTIFICATE-----
Step 3: Validate SLB Listener Configuration
Ensure the SLB HTTPS listener (port 443) is correctly bound to the updated certificate and that the backend protocol matches your server setup (HTTP/HTTPS).
# Use curl to test the handshake and protocol from a client perspective
curl -Iv https://your-domain.com --tlsv1.2 --tls-max 1.3
Step 4: Check Security Policies & Cipher Suites
If the issue persists, the SLB's security policy or cipher suite may be incompatible with modern clients. Test with an SSL checker and adjust the policy if needed.
# Use an online tool or test locally for compatibility
nmap --script ssl-enum-ciphers -p 443 your-domain.com
Architect's Pro Tip
"For zero-downtime renewal, upload the new certificate to the SLB as an *additional* certificate first, then switch the listener to use it, before deleting the old one."
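Before uploading the bundle described in Step 2 (or the replacement certificate from the tip above), it can be sanity-checked offline. The following is an added example, not code from the original article or from Alibaba Cloud: it parses a PEM bundle with the Python standard library only and reports the three defects this page describes, namely a missing intermediate, wrong order (server certificate first, each certificate issued by the next) and expiry. `fake_cert_pem` is a constructed, unsigned certificate-shaped input so the check runs without network access; for a real bundle, pass the file's text to `lint_bundle`.

```python
import base64, re
from datetime import datetime, timezone

def der_children(buf):
    """Split a DER SEQUENCE body into (tag, raw_tlv, value) triples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, head = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, head = int.from_bytes(buf[head:head + n], "big"), head + n
        out.append((tag, buf[pos:head + length], buf[head:head + length]))
        pos = head + length
    return out

def parse_cert(der_bytes):
    """Return issuer/subject as raw DER (byte-exact match is what chaining needs) and notAfter."""
    tbs = der_children(der_children(der_bytes)[0][2])[0][2]   # Certificate -> tbsCertificate body
    f = der_children(tbs)
    b = 1 if f[0][0] == 0xA0 else 0   # skip optional [0] version; then serial, sigAlg, issuer, validity, subject
    tag, _, not_after = der_children(f[b + 3][2])[1]          # validity = {notBefore, notAfter}
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return {"issuer": f[b + 2][1], "subject": f[b + 4][1],
            "not_after": datetime.strptime(not_after.decode(), fmt).replace(tzinfo=timezone.utc)}

def lint_bundle(pem_text, now=None):
    """Return a list of problems; an empty list means the bundle is fit to upload to SLB."""
    now, problems = now or datetime.now(timezone.utc), []
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = [parse_cert(base64.b64decode(m)) for m in blocks]
    if len(certs) < 2:
        problems.append("bundle has %d cert(s); server cert + intermediate(s) expected" % len(certs))
    for i, c in enumerate(certs):
        if c["not_after"] <= now:
            problems.append("certificate %d expired on %s" % (i, c["not_after"].date()))
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            problems.append("certificate %d not issued by certificate %d (wrong order or missing intermediate)" % (i, i + 1))
    return problems

def der(tag, *parts):  # minimal DER encoder, used only to build the constructed sample below
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")) + body

def fake_cert_pem(subject, issuer, not_after):
    """Constructed X.509-shaped PEM for offline demonstration; NOT a real, signed certificate."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),
              name(issuer), der(0x30, der(0x17, b"200101000000Z"), der(0x17, not_after.encode())), name(subject), der(0x30, b""))
    cert = der(0x30, tbs, der(0x30, b""), der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Running `lint_bundle` on a bundle that holds only the server certificate, or one with the intermediate placed first, reproduces the misconfigurations Step 2 warns about before the upload ever reaches the listener.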
Frequently Asked Questions
I renewed my certificate, but users still get the error. Why?
Browser and OS caching: the old, expired certificate may still be cached on the client. Clear the SSL state in your browser/OS, or wait for the cache to expire (this can take hours). The SLB itself updates immediately.
Can an SSL handshake failure cause a 502 Bad Gateway error?
Yes. If the SLB's HTTPS listener cannot perform a handshake with the backend server (e.g., using backend HTTPS with an invalid cert), it will return a 502 error to the client.