The issue you're experiencing with the 500 Internal Server error and Client TLS Negotiation errors in your ALB metrics is likely related to the TLS handshake between the API Gateway and your internal ALB. The TLS negotiation errors between API Gateway and ALB can be resolved through several steps. First, check the SSL cipher and protocol fields in the ALB logs to verify if there is a mismatch between the client and ALB configurations. You can examine the ALB's SSL cipher and protocol settings by using the describe-load-balancers or describe-listeners AWS CLI commands. A solution is to create a certificate that includes subjectAlternativeNames for both your API Gateway and ALB. The API Gateway should be given a Custom Domain that matches an alternative name of this certificate. For the ALB, it must listen on port 443 with TLS enabled using the same certificate. Additionally, ensure that the certificate validation status shows "Success" and hasn't expired. If you're still experiencing issues, verify that the ALB's security policy is appropriate - you may need to update to a secure TLS policy like "ELBSecurityPolicy-TLS-1-2-2017-01". Be aware that updating TLS policies might cause compatibility issues with older clients and could introduce some performance overhead.
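The log check the answer recommends, as an added example that is not from the answer's author or from AWS: it parses constructed ALB access-log entries (placeholder ARNs and hostnames) and flags https entries whose ssl_cipher/ssl_protocol fields show nothing negotiated, whose protocol falls outside ELBSecurityPolicy-TLS-1-2-2017-01, whose SNI host is not among the listener certificate's subjectAlternativeNames (a set you supply, assumed known), or that returned a 5xx from the ALB.

```python
import shlex

# Leading fields of an ALB access-log entry, in the documented order; trailing fields are unused.
FIELDS = ["type", "time", "elb", "client", "target", "request_processing_time",
          "target_processing_time", "response_processing_time", "elb_status_code",
          "target_status_code", "received_bytes", "sent_bytes", "request",
          "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
          "trace_id", "domain_name", "chosen_cert_arn"]

# The only protocol version ELBSecurityPolicy-TLS-1-2-2017-01 negotiates.
ALLOWED_PROTOCOLS = {"TLSv1.2"}

def parse_alb_log_line(line):
    """Split one log line into a dict; shlex keeps quoted fields such as the request intact."""
    return dict(zip(FIELDS, shlex.split(line)))

def audit_alb_logs(lines, cert_names, allowed=ALLOWED_PROTOCOLS):
    """Return (sni_host, reason) tuples for https entries that point at a TLS or cert mismatch.
    cert_names: the subjectAlternativeNames on the listener certificate (assumed known)."""
    findings = []
    for line in lines:
        e = parse_alb_log_line(line)
        if e["type"] != "https":
            continue  # plain-http entries carry no TLS fields
        host = e["domain_name"]  # SNI name the client (here API Gateway) asked for
        if e["ssl_cipher"] == "-" or e["ssl_protocol"] == "-":
            findings.append((host, "no cipher/protocol negotiated"))
        elif e["ssl_protocol"] not in allowed:
            findings.append((host, "protocol %s rejected by policy" % e["ssl_protocol"]))
        if host not in cert_names:
            findings.append((host, "SNI host not covered by certificate SANs"))
        if e["elb_status_code"].startswith("5"):
            findings.append((host, "ALB returned %s" % e["elb_status_code"]))
    return findings

# Constructed sample entries with placeholder ARNs, shaped like the documented format.
SAMPLE_LINES = [
    'https 2024-01-01T00:00:00.000000Z app/internal-alb/PLACEHOLDER 10.0.1.5:43210 10.0.2.9:8080 '
    '0.001 0.020 0.000 200 200 100 512 "GET https://api.example.com:443/v1/ping HTTP/1.1" '
    '"AmazonAPIGateway_PLACEHOLDER" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
    'arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/tg/PLACEHOLDER '
    '"Root=1-PLACEHOLDER" "api.example.com" "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"',
    'https 2024-01-01T00:00:01.000000Z app/internal-alb/PLACEHOLDER 10.0.1.5:43211 - '
    '-1 -1 -1 500 - 0 0 "GET https://internal-alb.example.com:443/v1/ping HTTP/1.1" '
    '"AmazonAPIGateway_PLACEHOLDER" - - - "Root=1-PLACEHOLDER" "internal-alb.example.com" "-"',
]

if __name__ == "__main__":
    for host, reason in audit_alb_logs(SAMPLE_LINES, {"api.example.com"}):
        print(host, "->", reason)
```

Feed it the real log lines from the ALB's S3 access-log bucket and the SAN list from your ACM certificate; entries flagged with an uncovered SNI host are the ones the certificate advice above targets.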

Hi, thank you for answering. The security policy is currently ELBSecurityPolicy-TLS-1-2-2017-01, but I think the issue is that the certificate type is Private and is signed by AWS Private CA. Is there any way for APIGW to verify this cert?