aws
network_error
ai_generated: true
502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin - SSL handshake failed
ID: aws/cloudfront-custom-origin-ssl-handshake-failed
Fix rate: 83%
Confidence: 86%
Evidence count: 1
First seen: 2024-01-22
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CloudFront 2024-05-01 | active | — | — | — |
| OpenSSL 3.0.12 | active | — | — | — |
| TLS 1.2 | active | — | — | — |
Root cause analysis
CloudFront cannot establish an SSL/TLS connection to the custom origin because the origin's SSL certificate is invalid, expired, self-signed, or does not match the origin domain name.
Official documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SSL_handshake_failure.html
Solutions
- Ensure the origin's SSL certificate is issued by a trusted CA (e.g., Let's Encrypt, DigiCert) and matches the origin domain. Use `openssl s_client -connect origin.example.com:443 -servername origin.example.com` to test the handshake.
- If the origin uses a self-signed certificate, upload the certificate to ACM (Certificate Manager) and attach it to the CloudFront distribution: `aws acm import-certificate --certificate file://cert.pem --private-key file://privkey.pem`.
- Configure CloudFront to use the 'Origin Domain Name' that matches the certificate's Common Name (CN) or Subject Alternative Name (SAN).
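As an added example (not code from the page or from AWS), a stdlib-only Python checker for the three points above: it takes a certificate in the shape Python's `ssl.getpeercert()` returns and reports expiry, a CN/SAN mismatch against the configured Origin Domain Name, and self-signature; `check_origin()` performs the same SNI handshake CloudFront attempts, against the public CA trust store. The sample certificate dict and all hostnames are constructed placeholders.

```python
import socket
import ssl
import time

# Constructed sample (not a real cert) in getpeercert() shape: self-signed, expired, wrong name.
SAMPLE_CERT = {
    "subject": ((("commonName", "internal.example.net"),),),
    "issuer": ((("commonName", "internal.example.net"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "internal.example.net"), ("DNS", "*.internal.example.net")),
}

def hostname_matches(pattern, host):
    """Exact match, or one leading '*.' wildcard that covers exactly one DNS label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False

def diagnose_origin_cert(cert, origin_domain, now=None):
    """List the reasons the origin cert fails CloudFront's checks (empty list: none)."""
    now = time.time() if now is None else now
    findings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate not yet valid (notBefore %s)" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate expired (notAfter %s)" % cert["notAfter"])
    # DNS SANs are authoritative; the CN is only consulted when there are none.
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(hostname_matches(n, origin_domain) for n in names):
        findings.append("origin domain %r not covered by certificate names %s" % (origin_domain, names))
    flat = lambda field: dict(kv for rdn in cert.get(field, ()) for kv in rdn)
    if flat("issuer") == flat("subject"):
        findings.append("certificate is self-signed (issuer == subject)")
    return findings

def check_origin(host, port=443):
    """Do the handshake CloudFront attempts (SNI = origin domain, public CA trust store)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return diagnose_origin_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as e:  # untrusted chain or name mismatch
        return ["chain/hostname verification failed: %s" % e.verify_message]
```

Run `check_origin("origin.example.com")` against the real origin domain; any non-empty result is a reason the CloudFront handshake fails, and a chain the public trust store rejects shows up as the verification finding.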
Ineffective attempts
Common but ineffective approaches:
- 70% failure rate: The SSL handshake still fails because the certificate issue remains; CloudFront requires a valid certificate.
- 40% failure rate: This is a workaround but compromises security; it may not be allowed if the origin requires HTTPS.
- 85% failure rate: The certificate issue is persistent; restarting does not fix the SSL configuration.