# 502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin - SSL handshake failed

- **ID:** `aws/cloudfront-custom-origin-ssl-handshake-failed`
- **Domain:** aws
- **Category:** network_error
- **Verification:** ai_generated
- **Fix Rate:** 83%

## Root Cause

CloudFront cannot complete the TLS handshake with the custom origin because the certificate the origin presents fails CloudFront's validation: it is expired, self-signed or otherwise not issued by a trusted CA, or its Common Name (CN) / Subject Alternative Name (SAN) does not cover the Origin Domain Name configured in the distribution.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| CloudFront 2024-05-01 | active | — | — |
| OpenSSL 3.0.12 | active | — | — |
| TLS 1.2 | active | — | — |

## Workarounds

1. **Ensure the origin's SSL certificate is issued by a trusted CA (e.g., Let's Encrypt, DigiCert) and matches the origin domain.** (90% success) Test the handshake with SNI, the same way CloudFront connects:
   ```
   openssl s_client -connect origin.example.com:443 -servername origin.example.com
   ```
2. **If the origin uses a self-signed certificate, upload the certificate to ACM (AWS Certificate Manager) and attach it to the CloudFront distribution.** (80% success)
   ```
   aws acm import-certificate --certificate file://cert.pem --private-key file://privkey.pem
   ```
3. **Configure CloudFront to use the 'Origin Domain Name' that matches the certificate's Common Name (CN) or Subject Alternative Name (SAN).** (85% success)
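The checks from workarounds 1 and 3 (trusted chain, hostname vs. CN/SAN, expiry, TLS 1.2) as a small Python pre-check script. This is an added example, not code from the original entry or from AWS; `origin.example.com` is a placeholder, and the offline-testable parts (`hostname_matches`, `days_until_expiry`) take certificate dicts in the shape that `ssl.SSLSocket.getpeercert()` returns.

```python
"""Pre-check a custom origin the way CloudFront will see it: verified chain, SNI, TLS 1.2+."""
import socket
import ssl
from datetime import datetime, timezone


def _label_matches(pattern: str, hostname: str) -> bool:
    # Exact match, or a wildcard that is the whole left-most label only ('*.example.com').
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and hostname.count(".") >= 2:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS SAN or, only when no SANs exist, by the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_label_matches(p, hostname) for p in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_matches(p, hostname) for p in cns)


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Days left on the certificate (negative once it has expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def check_origin(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: verified handshake with SNI, mirroring `openssl s_client -servername`."""
    ctx = ssl.create_default_context()  # verifies the chain against the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "tls": tls.version(),
                        "name_ok": hostname_matches(cert, hostname),
                        "days_left": days_until_expiry(cert, datetime.now(timezone.utc))}
    except ssl.SSLCertVerificationError as exc:  # untrusted CA, self-signed, expired, bad name
        return {"ok": False, "reason": f"certificate rejected: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:  # protocol/cipher mismatch or plain connect failure
        return {"ok": False, "reason": f"handshake or connect failed: {exc}"}


if __name__ == "__main__":
    import sys
    print(check_origin(sys.argv[1] if len(sys.argv) > 1 else "origin.example.com"))
```

A result with `"ok": False` reproduces the reason CloudFront reports only as a generic 502; fix the origin until the script returns `"ok": True` with `"name_ok": True`.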

## Dead Ends

- The SSL handshake still fails because the certificate issue remains; CloudFront requires a valid certificate. (70% fail)
- **Switching the origin to plain HTTP:** this is a workaround but compromises security; it may not be allowed if the origin requires HTTPS. (40% fail)
- **Restarting the origin server:** the certificate issue is persistent; restarting does not fix the SSL configuration. (85% fail)
