How Do I Check SSL/TLS Authentication Errors?
Updated on 2025-02-28 GMT+08:00
When you use an HTTPS or TLS listener, errors can occur at any step of the SSL/TLS authentication negotiation. Check the potential causes described below one by one.
This section uses Java as an example to describe how to identify the cause.
Potential Cause 1: No Valid Certificates
- Error message:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
- Cause: The load balancer does not have a valid certificate for authenticating SSL/TLS handshake requests.
- Solutions:
  - Check whether the certificate configured for the listener is valid.
  - Check whether the cipher suite used by the TLS security policy of the listener meets the client requirements.
Potential Cause 2: Certificate Verification Failed
- Error message:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- Cause: The certificate chain may be incomplete or the certificate authority (CA) is not trusted.
- Solution: Replace the listener certificate with a valid one issued by a trusted CA.
Potential Cause 3: Mismatches Between the Returned and Requested Host Names
- Error message:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found
- Cause: This error is commonly seen in two-way authentication scenarios. If the host name in the server certificate is different from the requested host name, the local host name verification fails.
- Solution: Check whether the client has a certificate that contains the local host name.
Potential Cause 4: Incorrect TLS Security Policy Version
- Error message:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
- Cause: The client and server cannot agree on a supported SSL/TLS protocol version or cipher suite.
- Solution: Check whether the TLS protocol version and cipher suites of the TLS security policy used by the client match those used by the listener.
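The following Java client is an added example, not code from this page or from the service's documentation. It attempts a handshake against a listener, prints the protocols and cipher suites the client offers, and maps any failure to the four causes above. The class name TlsHandshakeCheck, the classify helper and the host and port arguments are assumptions made for the example.

```java
import javax.net.ssl.*;
import java.util.Arrays;

// Added example: maps the handshake failures quoted on this page to their cause.
public class TlsHandshakeCheck {

    // Hypothetical helper: matches the exception text from the "Error message" entries.
    static String classify(String msg) {
        if (msg == null) return "Unrecognized handshake error";
        if (msg.contains("PKIX path building failed"))
            return "Cause 2: incomplete certificate chain or untrusted CA";
        if (msg.contains("No name matching"))
            return "Cause 3: host name mismatch";
        if (msg.contains("No appropriate protocol"))
            return "Cause 4: protocol version or cipher suite not enabled";
        if (msg.contains("handshake_failure"))
            return "Cause 1: no valid certificate or no shared cipher suite";
        return "Unrecognized handshake error";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            // No target given: classify the four messages quoted on this page (offline).
            String[] samples = {
                "Received fatal alert: handshake_failure",
                "PKIX path building failed: unable to find valid certification path",
                "java.security.cert.CertificateException: No name matching localhost found",
                "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"};
            for (String s : samples) System.out.println(classify(s) + " <- " + s);
            return;
        }
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]))) {
            // A raw SSLSocket skips host name verification unless this is set.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            // What this client offers; compare with the listener's TLS security policy.
            System.out.println("Client protocols: " + Arrays.toString(s.getEnabledProtocols()));
            System.out.println("Client cipher suites: " + Arrays.toString(s.getEnabledCipherSuites()));
            s.startHandshake();
            SSLSession session = s.getSession();
            System.out.println("Handshake OK: " + session.getProtocol() + " / " + session.getCipherSuite());
        } catch (SSLException e) {
            System.out.println(classify(e.getMessage()) + "\n  " + e.getMessage());
        }
    }
}
```

Run it with the listener's domain name and port as arguments; adding the JVM option -Djavax.net.debug=ssl:handshake prints the full negotiation when the classification alone is not enough.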