# 502 Error: The request could not be satisfied. CloudFront was unable to connect to the origin - SSL handshake failed

- **ID:** `aws/cloudfront-custom-origin-ssl-handshake-failed`
- **Domain:** aws
- **Category:** network_error
- **Verification level:** ai_generated
- **Fix rate:** 83%

## Root cause

CloudFront cannot establish an SSL/TLS connection to the custom origin because the origin's SSL certificate is invalid, expired, self-signed, or does not match the origin domain name.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| CloudFront 2024-05-01 | active | — | — |
| OpenSSL 3.0.12 | active | — | — |
| TLS 1.2 | active | — | — |

## Solution

1. Ensure the origin's SSL certificate is issued by a trusted CA (e.g., Let's Encrypt, DigiCert) and matches the origin domain. Use `openssl s_client -connect origin.example.com:443 -servername origin.example.com` to test the handshake.
2. If the origin uses a self-signed certificate, upload the certificate to ACM (Certificate Manager) and attach it to the CloudFront distribution: `aws acm import-certificate --certificate file://cert.pem --private-key file://privkey.pem`.
3. Configure CloudFront to use the 'Origin Domain Name' that matches the certificate's Common Name (CN) or Subject Alternative Name (SAN).
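The checks behind steps 1 and 3 (trusted issuer, name match, validity period), as an added script that is not part of this entry or of any AWS tooling. It assumes the OpenSSL CLI is installed; `origin.example.com` and the file paths are placeholders.

```shell
#!/bin/sh
# Added example: offline checks on an origin's leaf certificate for the
# conditions CloudFront requires before it will complete the handshake.
# Assumes the OpenSSL CLI is on PATH. Hostnames and paths are placeholders.

# Fetch the leaf certificate CloudFront would see, sending SNI as CloudFront does.
fetch_origin_cert() {          # $1=host $2=port $3=output PEM path
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Returns 0 when the certificate's SAN (or CN, if no SAN) covers the hostname.
cert_matches_host() {          # $1=pem $2=hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Returns 0 when issuer == subject, i.e. the certificate is self-signed,
# which CloudFront rejects for a custom origin.
cert_is_self_signed() {        # $1=pem
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$s" = "$i" ]
}

# Returns 0 when the certificate expires within $2 seconds (0 = already expired).
cert_expires_within() {        # $1=pem $2=seconds
  ! openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Runs every check; returns 0 only when all pass, printing each failure.
check_origin_cert() {          # $1=pem $2=hostname
  rc=0
  cert_matches_host "$1" "$2" || { echo "FAIL: CN/SAN does not cover $2"; rc=1; }
  cert_is_self_signed "$1" && { echo "FAIL: certificate is self-signed"; rc=1; }
  cert_expires_within "$1" 0 && { echo "FAIL: certificate has expired"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $2 certificate passes basic origin checks"
  return "$rc"
}

# Usage: sh check_origin.sh origin.example.com 443
if [ "$#" -eq 2 ]; then
  tmp=$(mktemp) && fetch_origin_cert "$1" "$2" "$tmp" && check_origin_cert "$tmp" "$1"
fi
```

A passing result here does not prove CloudFront trusts the issuing CA; it only rules out the name, self-signed and expiry causes listed in the root cause.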

## Failed attempts

- **** — The SSL handshake still fails because the certificate issue remains; CloudFront requires a valid certificate. (70% failure rate)
- **** — This is a workaround but compromises security; it may not be allowed if the origin requires HTTPS. (40% failure rate)
- **** — The certificate issue is persistent; restarting does not fix the SSL configuration. (85% failure rate)
