Updated on 2025-02-28 GMT+08:00

How Do I Check SSL/TLS Authentication Errors?

When you use an HTTPS or TLS listener, errors can occur at any step of the SSL/TLS authentication negotiation. Check the potential causes described below one by one.

This section uses Java as an example to describe how to identify the cause.

Potential Cause 1: No Valid Certificates

  • Error message:
    Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  • Cause: The load balancer does not have a valid certificate for authenticating SSL/TLS handshake requests.
  • Solutions:
    • Check whether the certificate configured for the listener is valid.
    • Check whether the cipher suite used by the TLS security policy of the listener meets the client requirements.

Potential Cause 2: Certificate Verification Failed

  • Error message:
    Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • Cause: The certificate chain may be incomplete or the certificate authority (CA) is not trusted.
  • Solution: Replace the listener certificate with a valid one issued by a trusted CA.

Potential Cause 3: Mismatches Between the Returned and Requested Host Names

  • Error message:
    Exception in thread "main" javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found
  • Cause: This error is commonly seen in two-way authentication scenarios. If the host name in the server certificate is different from the requested host name, the local host name verification fails.
  • Solution: Check whether the client has a certificate that contains the local host name.

Potential Cause 4: Incorrect TLS Security Policy Version

  • Error message:
    Exception in thread "main" javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
  • Cause: The client and server cannot agree on a supported SSL/TLS protocol version or cipher suite.
  • Solution: Check whether the TLS protocol version and cipher suites of the TLS security policy used by the client match those used by the listener.
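
The following Java program is an added example, not code from the original page or from the ELB service. It maps a handshake exception to the four potential causes above by walking the exception chain, and can also probe an endpoint with host name verification enabled. The class name, the method names and the sample strings (constructed from the messages quoted above) are assumptions made for illustration.

```java
import javax.net.ssl.*;
import java.io.IOException;
import java.util.Arrays;

public class TlsHandshakeCheck {
    // Walk the exception chain and map it to the potential causes on this page.
    static String classify(Throwable t) {
        StringBuilder chain = new StringBuilder();
        for (Throwable c = t; c != null; c = c.getCause()) chain.append(c).append('\n');
        String m = chain.toString();
        if (m.contains("PKIX path building failed")) return "Cause 2: chain incomplete or CA not trusted";
        if (m.contains("No name matching")) return "Cause 3: host name mismatch";
        if (m.contains("No appropriate protocol")) return "Cause 4: no common protocol version or cipher suite";
        if (m.contains("handshake_failure")) return "Cause 1: check listener certificate and cipher suites";
        return "Unclassified: " + t;
    }

    // Handshake with the default trust store and host name verification enabled.
    static String probe(String host, int port) {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // raw sockets skip name checks by default
            s.setSSLParameters(p);
            System.out.println("Client protocols: " + Arrays.toString(s.getEnabledProtocols()));
            s.startHandshake();
            SSLSession session = s.getSession();
            return "OK: " + session.getProtocol() + " / " + session.getCipherSuite();
        } catch (SSLException e) {
            return classify(e);
        } catch (IOException e) {
            return "I/O error (not a TLS alert): " + e;
        }
    }

    public static void main(String[] args) {
        if (args.length == 2) { // usage: java TlsHandshakeCheck <host> <port>
            System.out.println(probe(args[0], Integer.parseInt(args[1])));
            return;
        }
        // Constructed samples: the four messages quoted on this page (abbreviated).
        String[] samples = {
            "Received fatal alert: handshake_failure",
            "PKIX path building failed: unable to find valid certification path to requested target",
            "java.security.cert.CertificateException: No name matching localhost found",
            "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)" };
        for (String m : samples) System.out.println(classify(new SSLHandshakeException(m)) + " <- " + m);
    }
}
```

Run without arguments, it classifies the four sample messages offline. Run with a host name and port, it performs a real handshake and reports either the negotiated protocol and cipher suite or the matching cause.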