aws
network_error
ai_generated: true
502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin - SSL handshake failed
ID: aws/cloudfront-custom-origin-ssl-handshake-failed
83% Fix Rate
86% Confidence
1 Evidence
2024-01-22 First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CloudFront 2024-05-01 | active | — | — | — |
| OpenSSL 3.0.12 | active | — | — | — |
| TLS 1.2 | active | — | — | — |
Root Cause
CloudFront validates a custom origin's certificate the way a browser would, against its own bundle of publicly trusted CAs, and offers no way to add a private CA for a custom origin. The handshake therefore fails, and CloudFront answers the viewer with a 502, when the origin's certificate is self-signed or issued by a private CA, has expired (or is not yet valid), is served without its intermediate chain, or does not list the origin domain name (the value in the Origin Domain field, or the forwarded Host header if the cache behavior forwards it) among its Subject Alternative Names. A protocol mismatch produces the same 502: the origin must accept one of the versions selected under Origin SSL Protocols in the distribution (TLS 1.2 in practice) with a cipher suite CloudFront supports.
Official Documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SSL_handshake_failure.html
Workarounds
-
90% success Get the origin a certificate from a publicly trusted CA (Let's Encrypt, DigiCert, or a public ACM certificate if the origin is an Application Load Balancer) whose Subject Alternative Names cover the origin domain, and configure the origin to send the full chain including intermediates. Test what CloudFront will see with `openssl s_client -connect origin.example.com:443 -servername origin.example.com`: `Verify return code: 0 (ok)` means the chain validates, while code 10 is an expired certificate, 18 a self-signed certificate and 21 a missing intermediate. Note that s_client checks the chain but, unless given its -verify_hostname option, not the name, so confirm the SAN list separately.
-
80% success If the origin uses a self-signed or private-CA certificate, replace it; do not try to make CloudFront trust it. Importing it into ACM with `aws acm import-certificate --certificate file://cert.pem --private-key file://privkey.pem` and attaching it to the distribution only affects the viewer side (clients to CloudFront). CloudFront never consults ACM when it validates a custom origin's certificate, so the origin handshake still fails. Put a publicly trusted certificate on the origin instead; for an ALB origin, request a public ACM certificate and attach it to the HTTPS listener.
-
85% success Set the distribution's Origin Domain Name to a name the certificate actually lists as a Subject Alternative Name (or, at minimum, as its Common Name); if the cache behavior forwards the Host header, a certificate covering that name is accepted as well. An IP address or an internal hostname in the Origin Domain field fails the name check even when the certificate is otherwise valid.
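As an added example (not code from this page or from AWS), the following Python preflight script checks an origin the way CloudFront will: it connects with SNI set to the origin domain, validates the chain against the system's public CA bundle with TLS 1.2 as the minimum, and then inspects the presented certificate for name coverage and validity window. Every name in it is an assumption of the example: `origin.example.com` is a placeholder, and `SAMPLE_CERT` is a constructed dict in the shape `SSLSocket.getpeercert()` returns, not a real certificate. The name-matching and expiry checks run offline against that sample; `check_origin` is the live check.

```python
"""Preflight a custom origin's TLS setup the way CloudFront will see it (added example)."""
from __future__ import annotations

import socket
import ssl
import sys
import time
from dataclasses import dataclass, field

# Constructed sample in the shape returned by SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "subjectAltName": (("DNS", "origin.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 22 00:00:00 2024 GMT",
    "notAfter": "Jan 22 00:00:00 2025 GMT",
}


@dataclass
class OriginCheck:
    ok: bool
    problems: list[str] = field(default_factory=list)
    tls_version: str | None = None


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or one wildcard covering only the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_problems(cert: dict, origin_host: str, now: float | None = None) -> list[str]:
    """Static checks on a getpeercert()-style dict: name coverage and validity window."""
    now = time.time() if now is None else now
    problems: list[str] = []
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(hostname_matches(s, origin_host) for s in sans):
        pass  # covered by a SAN, which is what every modern validator looks at
    elif any(hostname_matches(c, origin_host) for c in cns):
        problems.append(f"{origin_host!r} matches only the Common Name; add it as a DNS SAN")
    else:
        problems.append(f"no SAN covers origin domain {origin_host!r} (SANs: {sans})")
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append(f"certificate expired on {cert['notAfter']}")
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append(f"certificate not valid before {cert['notBefore']}")
    return problems


def classify_tls_error(err: BaseException) -> str:
    """Translate the handshake exception into the cause CloudFront is hitting."""
    if isinstance(err, ssl.SSLCertVerificationError):
        reason = (getattr(err, "verify_message", None) or str(err)).lower()
        if "self" in reason and "signed" in reason:
            return "self-signed certificate: CloudFront only trusts public CAs, replace it"
        if "expired" in reason:
            return "certificate has expired: renew it on the origin"
        if "hostname mismatch" in reason or "doesn't match" in reason:
            return "certificate does not cover the origin domain: fix the SAN or the Origin Domain"
        if "unable to get" in reason and "issuer" in reason:
            return "chain incomplete or private CA: serve a public certificate with its intermediates"
        return f"certificate verification failed: {reason}"
    if isinstance(err, ssl.SSLError):
        return f"TLS negotiation failed, check Origin SSL Protocols and cipher suites: {err}"
    if isinstance(err, OSError):
        return f"could not reach the origin's TLS port: {err}"
    return f"unexpected error: {err!r}"


def check_origin(origin_host: str, port: int = 443, timeout: float = 5.0) -> OriginCheck:
    """Connect like CloudFront: SNI = origin domain, public trust store, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()            # system CA bundle, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # mirror the distribution's Origin SSL Protocols
    try:
        with socket.create_connection((origin_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=origin_host) as tls:
                problems = cert_problems(tls.getpeercert(), origin_host)
                return OriginCheck(not problems, problems, tls.version())
    except OSError as exc:  # ssl.SSLError and socket errors are all OSError subclasses
        return OriginCheck(False, [classify_tls_error(exc)])


if __name__ == "__main__":
    result = check_origin(sys.argv[1] if len(sys.argv) > 1 else "origin.example.com")
    print("OK" if result.ok else "FAIL", result.tls_version or "", *result.problems, sep="\n")
```

Run it as `python check_origin.py origin.example.com` from a host with a public CA bundle; a result of `FAIL` with a self-signed, expired, chain or name finding is the same defect CloudFront is reporting as 502, and `OK` with a TLS 1.2 or 1.3 version line means the remaining suspects are the distribution's Origin Domain or Origin SSL Protocols settings rather than the origin itself.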
Dead Ends
Common approaches that don't work:
-
70% fail The SSL handshake still fails because the certificate issue remains; CloudFront requires a valid certificate.
-
40% fail Switching the Origin Protocol Policy to HTTP only is a workaround but compromises security, since traffic between CloudFront and the origin then travels in the clear; it may not be allowed if the origin requires HTTPS.
-
85% fail Restarting the origin server. The certificate issue is persistent; restarting does not fix the SSL configuration.