Help Center/ Elastic Load Balance/ FAQs/ Service Abnormality/ How Do I Check SSL/TLS Authentication Errors?

Updated on 2025-02-28 GMT+08:00

View PDF

How Do I Check SSL/TLS Authentication Errors?

When you use an HTTPS or TLS listener, there may be errors in every step of the SSL/TLS authentication negotiation. Check the potential causes described below one by one.

This section uses Java as an example to describe how to identify the cause.

Potential Cause 1: No Valid Certificates

Error message:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Cause: The load balancer does not have a valid certificate for authenticating SSL/TLS handshake requests.
Solutions:
- Check whether the certificate configured for the listener is valid.
- Check whether the cipher suite used by the TLS security policy of the listener meets the client requirements.

Potential Cause 2: Certificate Verification Failed

Error message:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause: The certificate chain may be incomplete or the certificate authority (CA) is not trusted.
Solution: Replace the listener certificate with a valid one issued by a trusted CA.

Potential Cause 3: Mismatches Between the Returned and Requested Host Names

Error message:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found

Cause: This error is commonly seen in two-way authentication scenarios. If the host name in the server certificate is different from the requested host name, the local host name verification fails.
Solution: Check whether the client has a certificate that contains the local host name.

Potential Cause 4: Incorrect TLS Security Policy Version

Error message:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

Cause: The client and server cannot agree on a supported SSL/TLS protocol version or cipher suite.
Solution: Check whether the TLS protocol version and cipher suite version of the TLS security policy used by the client match those used by the listener.

Parent topic: Service Abnormality

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot