Cause

This error occurs when the monitoring server fails to complete the SSL/TLS handshake with the target website.

In most real-world cases, this is not caused by outdated SSL protocols, but by an inconsistent or broken server-side TLS configuration.

A common scenario is when the domain resolves to multiple IP addresses, with at least one endpoint misconfigured.

For example:

  • One server correctly supports modern TLS (TLS 1.2 / TLS 1.3)
  • Another server fails the handshake entirely

When your uptime monitor connects to the faulty endpoint, the handshake fails with:

sslv3 alert handshake failure

You can see this message in your Location Fail Log.

Why This Happens

This issue is typically caused by one of the following:

  • Multiple A records with inconsistent SSL configurations
  • Load-balanced servers with different TLS setups
  • A partially decommissioned or outdated server is still present in DNS
  • Incorrect virtual host (vhost) configuration on one backend
  • Broken TLS configuration on one node (missing ciphers, cert mismatch, etc.)

Even if the website works in a browser, monitoring can still fail because:

  • Different requests hit different backend servers
  • Some clients (like curl or monitoring nodes) are less tolerant of TLS issues

How to Confirm

You can test each of your back-end IPs individually using:

curl -vkI --resolve your-domain.com:443:IP_ADDRESS https://your-domain.com/

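If one IP works and another fails, then the issue is confirmed to be a server-side inconsistency. Because -k disables certificate verification, this test exposes handshake failures but will not fail on an invalid or mismatched certificate; check the verbose (-v) output to see which certificate each IP presents.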

Fix

To resolve this issue, ensure that all of your backend servers serving the domain are correctly configured for HTTPS.

Specifically:

  • Verify that all servers:
    – Use the same valid SSL certificate
    – Support modern TLS versions (TLS 1.2 and/or TLS 1.3)
    – Have consistent cipher configurations
  • Remove any outdated or unused IPs from DNS
  • Ensure all load-balanced nodes are properly configured

If using a CDN or reverse proxy:

  • Verify all edge nodes are properly configured
  • Purge or re-sync configurations if needed
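
The script below is an added example, not part of the original article or of any monitoring product. It automates the per-IP check from How to Confirm and compares the certificate, TLS version and cipher each address negotiates, as listed under Fix. The function names and the sample data are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
import sys

# Constructed sample results (documentation IPs), used when no host is given.
SAMPLE = [
    {"ip": "203.0.113.10", "ok": True, "tls": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384", "cert_sha256": "aa11"},
    {"ip": "203.0.113.11", "ok": False, "error": "sslv3 alert handshake failure"},
]

def resolve(host, port=443):
    """Every distinct address DNS returns for host (A and AAAA records)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(host, ip, port=443, timeout=5.0):
    """Handshake with one IP, sending host as SNI (like curl --resolve)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # like curl -k: record what the node
    ctx.verify_mode = ssl.CERT_NONE  # presents instead of rejecting it
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            return {"ip": ip, "ok": True, "tls": tls.version(),
                    "cipher": tls.cipher()[0],
                    "cert_sha256": hashlib.sha256(der).hexdigest()}
    except OSError as exc:           # ssl.SSLError and timeouts included
        return {"ip": ip, "ok": False, "error": str(exc)}

def findings(results):
    """List handshake failures and any settings that differ between nodes."""
    good = [r for r in results if r["ok"]]
    out = [f"{r['ip']}: handshake failed ({r['error']})"
           for r in results if not r["ok"]]
    for field in ("cert_sha256", "tls", "cipher"):
        seen = {}
        for r in good:
            seen.setdefault(r[field], []).append(r["ip"])
        if len(seen) > 1:
            out.append(f"{field} differs: " + "; ".join(
                f"{v} on {', '.join(ips)}" for v, ips in sorted(seen.items())))
    return out

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    results = [probe(host, ip) for ip in resolve(host)] if host else SAMPLE
    print("\n".join(findings(results)) or "all endpoints consistent")
```

Run it with your domain as the only argument to probe every address in DNS; with no argument it reports on the constructed sample.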

Alternative

If you cannot immediately fix the HTTPS configuration, you can temporarily monitor the website over HTTP instead of HTTPS.

Example:

  • Change https://your-domain.com to http://your-domain.com

Note that this only avoids the SSL check and does not resolve the underlying issue.