Introduction
An SSL handshake failure means the client and server could not agree on how to establish a secure connection. The request fails before normal HTTP traffic begins, so the problem usually lives in certificates, TLS protocols, ciphers, or the path between a proxy and the origin.
Symptoms
- Browsers or monitors report "SSL handshake failed"
- HTTPS requests fail before any page content loads
- The issue appears only for certain clients, proxies, or APIs
- CDN or load balancer logs show TLS negotiation errors
- Direct origin tests behave differently from the public hostname
Common Causes
- The certificate chain is incomplete or broken
- The server only allows outdated or incompatible TLS versions
- Cipher suites do not overlap between client and server
- SNI or hostname routing sends the request to the wrong certificate
- A CDN, load balancer, or reverse proxy uses stricter TLS settings than the origin supports
Step-by-Step Fix
- Test the affected hostname with an SSL inspection tool and capture the exact handshake or certificate error returned.
- Verify the server presents the correct certificate for the requested hostname, especially if multiple domains share the same IP.
- Confirm the full certificate chain is installed, including required intermediate certificates.
- Check the enabled TLS versions and cipher suites on the server, CDN, or load balancer and compare them with the failing client requirements.
- If a proxy sits in front of the origin, test both proxy-to-client and proxy-to-origin TLS connections separately.
- Review recent certificate renewals, load balancer changes, or origin migrations that may have altered SNI, ports, or trust settings.
- Replace expired or mismatched certificates and align TLS policies so modern secure clients can negotiate successfully.
- Re-test with browsers, command-line TLS tools, and any affected API integrations to confirm the handshake now completes cleanly.
- Set up renewal and certificate-chain monitoring so the next failure is caught before users see it.
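The causes and the fix steps above come down to three checks that can be run on captured data before touching any server: is the certificate chain complete, does the leaf certificate cover the hostname the client asked for, and do the client's TLS version and cipher requirements overlap with the server's policy. The script below is an added example, not code from the original article. It assumes the two-line `s:`/`i:` "Certificate chain" summary that `openssl s_client -showcerts` prints (OpenSSL 1.1.1 and later, with spaces around `=`), uses constructed sample output and a constructed trust store, and checks only the leaf CN because the summary does not show subjectAltName entries (real validators check SANs).

```python
"""Offline diagnostics for an SSL/TLS handshake failure.

Added example, not part of the original article. It parses the
"Certificate chain" summary printed by `openssl s_client -showcerts`,
so it runs on captured output without network access. All samples
below are constructed for illustration.
"""
import re

# Constructed sample: a leaf signed by an intermediate that chains to a root.
SAMPLE_COMPLETE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Example CA, CN = Example Intermediate
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:C = US, O = Example CA, CN = Example Root
---
"""

# Constructed sample: the server never installed the intermediate.
SAMPLE_BROKEN_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Example CA, CN = Example Intermediate
---
"""

# Constructed trust store: distinguished names of roots the client trusts.
TRUSTED_ROOTS = {"C = US, O = Example CA, CN = Example Root"}

# Matches each two-line "N s:<subject>" / "i:<issuer>" chain entry.
CHAIN_ENTRY = re.compile(r"^\s*\d+ s:(.*)\n\s+i:(.*)$", re.MULTILINE)


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in CHAIN_ENTRY.finditer(s_client_output)]


def check_chain(s_client_output, trusted_roots=TRUSTED_ROOTS):
    """Each cert must be issued by the next one, and the chain must end at a
    trusted root. Returns a list of problems; empty means it links up."""
    chain = parse_chain(s_client_output)
    if not chain:
        return ["server presented no certificates"]
    problems = []
    for idx in range(len(chain) - 1):
        issuer, next_subject = chain[idx][1], chain[idx + 1][0]
        if issuer != next_subject:
            problems.append(f"cert {idx} issuer '{issuer}' is not cert {idx + 1} subject '{next_subject}'")
    last_subject, last_issuer = chain[-1]
    if last_issuer not in trusted_roots and last_subject not in trusted_roots:
        problems.append(f"chain ends at untrusted issuer '{last_issuer}': an intermediate is likely missing")
    return problems


def leaf_common_name(s_client_output):
    """CN of cert 0. Simplification: real validators check subjectAltName."""
    chain = parse_chain(s_client_output)
    match = re.search(r"CN = ([^,]+)", chain[0][0]) if chain else None
    return match.group(1).strip() if match else None


def check_hostname(s_client_output, hostname):
    """Return a problem string if the leaf does not cover the requested name."""
    name = leaf_common_name(s_client_output)
    if name is None:
        return "leaf certificate has no CN"
    if name.startswith("*."):  # a wildcard covers exactly one label
        labels = hostname.lower().split(".")
        covered = len(labels) > 1 and ".".join(labels[1:]) == name[2:].lower()
    else:
        covered = name.lower() == hostname.lower()
    return None if covered else f"certificate for '{name}' does not match '{hostname}' (wrong vhost or SNI?)"


def negotiable(server_policy, client_policy):
    """Intersect TLS versions and cipher suites; an empty intersection on
    either axis means the handshake cannot complete."""
    versions = set(server_policy["versions"]) & set(client_policy["versions"])
    ciphers = [c for c in client_policy["ciphers"] if c in server_policy["ciphers"]]
    return versions, ciphers


def diagnose(s_client_output, hostname, server_policy, client_policy):
    """Combine all checks into one list of findings (empty means none found)."""
    findings = check_chain(s_client_output)
    host_problem = check_hostname(s_client_output, hostname)
    if host_problem:
        findings.append(host_problem)
    versions, ciphers = negotiable(server_policy, client_policy)
    if not versions:
        findings.append("no common TLS version between client and server")
    if not ciphers:
        findings.append("no common cipher suite between client and server")
    return findings


if __name__ == "__main__":
    # Constructed policies: a modern server and a legacy client that only speaks TLS 1.0.
    server = {"versions": {"TLSv1.2", "TLSv1.3"},
              "ciphers": {"TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"}}
    legacy_client = {"versions": {"TLSv1.0"}, "ciphers": ["AES128-SHA"]}
    for finding in diagnose(SAMPLE_BROKEN_CHAIN, "api.example.test", server, legacy_client):
        print("finding:", finding)
```

To use it on a real host, capture `openssl s_client -connect host:443 -servername host -showcerts </dev/null` to a file and pass the file contents in place of the samples; running it once with the public hostname and once against the origin directly makes the proxy-versus-origin difference from the steps above visible in the findings.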