Nginx
Jan 4, 2026 5 min read

Fix Nginx SSL Handshake Failures

TLS errors from clients or curl, and how to read OpenSSL output to pinpoint the cause.

Problem

bash
SSL_ERROR_HANDSHAKE_FAILURE_ALERT or 'no shared cipher'

Root cause

  • Server cert chain is incomplete (intermediate missing).
  • Client and server share no TLS version (e.g. client only supports TLS 1.0).
  • SNI mismatch — the requested hostname isn't served.
  • Self-signed cert in a chain the client doesn't trust.

Solution

Inspect the live chain

bash
openssl s_client -connect example.com:443 -servername example.com -showcerts

Serve the full chain in Nginx

nginx
server {
  listen 443 ssl;
  server_name example.com;
  ssl_certificate     /etc/ssl/fullchain.pem;   # cert + intermediates
  ssl_certificate_key /etc/ssl/privkey.pem;
  ssl_protocols       TLSv1.2 TLSv1.3;
}
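To read the `openssl s_client` output from the inspection step against the root causes listed earlier, the following shell helper is an added example (not code from the original page). The function names `classify_handshake` and `sent_cert_count` and the sample outputs are constructed for illustration; the matched strings are OpenSSL's verify return codes and TLS alert names.

```shell
# Added example: classify `openssl s_client -showcerts` output against the
# root causes listed above. Helper names and sample outputs are constructed.
# Live use (the page's command, made non-interactive):
#   openssl s_client -connect example.com:443 -servername example.com \
#     -showcerts </dev/null 2>&1 | classify_handshake

# Count certificates the server sent; 1 usually means no intermediates.
sent_cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' || true; }

classify_handshake() {
  out=$(cat)
  has() { printf '%s\n' "$out" | grep -Eq -e "$1"; }
  # Alerts first: an aborted handshake leaves no chain to verify.
  # "unrecognized name" only appears if the server rejects unknown names;
  # otherwise compare the " 0 s:" subject line with the requested hostname.
  if   has 'unrecognized name';            then echo sni-mismatch
  elif has 'alert protocol version';       then echo no-shared-tls-version
  # Generic alert; "no shared cipher" is the usual cause among those listed.
  elif has 'alert handshake failure';      then echo no-shared-cipher
  # 20/21: issuer not found, typically a missing intermediate.
  elif has 'Verify return code: (20|21) '; then echo incomplete-chain
  # 18/19: self-signed leaf, or self-signed cert inside the chain.
  elif has 'Verify return code: (18|19) '; then echo self-signed-untrusted
  elif has 'Verify return code: 0 ';       then echo ok
  else echo unknown
  fi
}

# Constructed sample: server sends only the leaf certificate.
SAMPLE_MISSING_INTERMEDIATE='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Certificate chain
 0 s:CN = example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample: client offers only a TLS version the server rejects.
SAMPLE_OLD_CLIENT='CONNECTED(00000003)
error:0A00042E:SSL routines::tlsv1 alert protocol version
no peer certificate available'

printf '%s\n' "$SAMPLE_MISSING_INTERMEDIATE" | classify_handshake
printf '%s\n' "$SAMPLE_OLD_CLIENT" | classify_handshake
```

An `incomplete-chain` result together with a `sent_cert_count` of 1 points at `ssl_certificate` referencing the leaf alone instead of the full chain file.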
