{
  "id": "aws/cloudfront-custom-origin-ssl-handshake-failed",
  "signature": "502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin - SSL handshake failed",
  "signature_zh": "502 错误 无法满足请求。CloudFront 无法连接到源站 - SSL 握手失败",
  "regex": "502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin - SSL handshake failed",
  "domain": "aws",
  "category": "network_error",
  "subcategory": null,
  "root_cause": "CloudFront cannot complete the SSL/TLS handshake with the custom origin because the origin's certificate fails validation: it is invalid, expired, self-signed (not issued by a CA that CloudFront trusts), or its Common Name / Subject Alternative Name does not match the origin domain name.",
  "root_cause_type": "generic",
  "root_cause_zh": "CloudFront 无法与自定义源建立 SSL/TLS 连接，因为源的 SSL 证书无效、过期、自签名或与源域名不匹配。",
  "versions": [
    {
      "version": "CloudFront 2024-05-01",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "OpenSSL 3.0.12",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "TLS 1.2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The SSL handshake still fails because the underlying certificate problem is untouched; CloudFront only connects to an origin whose certificate it can validate.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "This works around the symptom instead of fixing the certificate and weakens security; it also cannot be applied if the origin requires HTTPS.",
      "fail_rate": 0.4,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The certificate problem persists across restarts; restarting the origin does not change its SSL configuration.",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Ensure the origin's SSL certificate is issued by a publicly trusted CA (e.g., Let's Encrypt, DigiCert) and matches the origin domain name. Use `openssl s_client -connect origin.example.com:443 -servername origin.example.com` (replacing `origin.example.com` with the real origin host) to test the handshake and check the certificate the origin presents.",
      "success_rate": 0.9,
      "how": "Ensure the origin's SSL certificate is issued by a publicly trusted CA (e.g., Let's Encrypt, DigiCert) and matches the origin domain name. Use `openssl s_client -connect origin.example.com:443 -servername origin.example.com` (replacing `origin.example.com` with the real origin host) to test the handshake and check the certificate the origin presents.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If the origin uses a self-signed certificate, upload the certificate to ACM (Certificate Manager) and attach it to the CloudFront distribution: `aws acm import-certificate --certificate file://cert.pem --private-key file://privkey.pem`.",
      "success_rate": 0.8,
      "how": "If the origin uses a self-signed certificate, upload the certificate to ACM (Certificate Manager) and attach it to the CloudFront distribution: `aws acm import-certificate --certificate file://cert.pem --private-key file://privkey.pem`.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Set the distribution's 'Origin Domain Name' to a hostname that is covered by the certificate's Common Name (CN) or one of its Subject Alternative Names (SANs).",
      "success_rate": 0.85,
      "how": "Set the distribution's 'Origin Domain Name' to a hostname that is covered by the certificate's Common Name (CN) or one of its Subject Alternative Names (SANs).",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "确保源站的 SSL 证书由受信任的 CA（例如 Let's Encrypt、DigiCert）签发，并且与源站域名匹配。使用 `openssl s_client -connect origin.example.com:443 -servername origin.example.com` 测试握手。",
    "如果源站使用自签名证书，请将证书上传到 ACM（Certificate Manager）并附加到 CloudFront 分配：`aws acm import-certificate --certificate file://cert.pem --private-key file://privkey.pem`。",
    "将 CloudFront 的 'Origin Domain Name' 配置为与证书的通用名称（CN）或主题备用名称（SAN）匹配。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SSL_handshake_failure.html",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.86,
  "fix_success_rate": 0.83,
  "resolvable": "true",
  "first_seen": "2024-01-22",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}