
502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin. (Bad Gateway: SSL handshake failed)

ID: aws/cloudfront-custom-origin-ssl-handshake-failure

Fix rate: 84%
Confidence: 86%
Evidence: 1
First seen: 2024-06-20

Version Compatibility

Version                   Status   Introduced   Deprecated   Notes
CloudFront (2024-05-01)   active
OpenSSL 3.0.12            active
ACM (2023-11-15)          active

Root Cause

CloudFront cannot complete the SSL/TLS handshake with the custom origin because the origin's certificate is expired, self-signed, or otherwise not trusted by CloudFront (for example, not issued by a public CA or presented without its intermediate chain), or because the origin does not support the minimum TLS version configured for the origin connection.


Official Documentation

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-origin.html

Workarounds

  1. (95% success) Ensure the origin's SSL certificate is valid, unexpired, and issued by a trusted public Certificate Authority (e.g., Let's Encrypt, DigiCert, AWS Certificate Manager). Use `openssl s_client -connect your-origin.com:443 -servername your-origin.com` to inspect the certificate chain, the verify result, and the expiration date.
  2. (85% success) Configure a custom SSL certificate for the origin by uploading the certificate to IAM or using ACM (if the origin is an ALB). Then update the CloudFront distribution's origin settings to 'HTTPS Only' with that certificate.
  3. (80% success) Set the Origin SSL Protocols in CloudFront to match the TLS versions the origin actually supports (e.g., TLSv1.2). In the CloudFront console, go to 'Origins' -> 'Edit' -> 'Origin SSL Protocols' and select 'TLSv1.2' or higher.
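The check in workaround 1 and the chain and TLS-version causes listed under Dead Ends, as an added example that is not part of this page: a Python checker that parses the text printed by `openssl s_client -connect HOST:443 -servername HOST` (followed by `openssl x509 -noout -dates`) and reports the conditions CloudFront would reject. The sample outputs, host name and "current time" are constructed; the verify-code meanings are OpenSSL's standard X.509 verify results.

```python
import re
from datetime import datetime, timezone

# openssl "Verify return code" values matching the causes this page lists:
# expired, self-signed, not issued by a trusted public CA, incomplete chain.
VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed certificate (not trusted by CloudFront)",
    19: "self-signed certificate in chain (private CA, not a public CA)",
    20: "issuer certificate not found (untrusted CA or missing intermediate)",
    21: "unable to verify the first certificate (incomplete chain from origin)",
}
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def check_origin_tls(s_client_output, now, min_protocol="TLSv1.2"):
    """List the problems a CloudFront-to-origin handshake would hit, given the
    s_client output (plus x509 -dates). An empty list means the origin looks fine."""
    problems = []
    m = re.search(r"Verify return code:\s*(\d+)", s_client_output)
    if m is None:
        return ["handshake did not complete (no verify result in output)"]
    code = int(m.group(1))
    if code != 0:
        problems.append(VERIFY_CODES.get(code, f"certificate verify error {code}"))
    m = re.search(r"Protocol\s*:\s*(TLSv[\d.]+)", s_client_output)
    proto = m.group(1) if m else None  # highest version both sides supported
    if proto not in TLS_ORDER or TLS_ORDER.index(proto) < TLS_ORDER.index(min_protocol):
        problems.append(f"negotiated {proto}, below the configured origin minimum {min_protocol}")
    m = re.search(r"notAfter=(.+)", s_client_output)
    if m and code != 10:  # code 10 already reported the expiry
        not_after = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y GMT")
        days_left = (not_after.replace(tzinfo=timezone.utc) - now).days
        if days_left < 0:
            problems.append(f"certificate expired {-days_left} days ago")
        elif days_left < 14:
            problems.append(f"certificate expires in {days_left} days; renew before it breaks the origin")
    return problems

# Constructed sample outputs (not a real host) and a fixed "current time".
NOW = datetime(2024, 6, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_SELF_SIGNED = """SSL-Session:
    Protocol  : TLSv1
    Verify return code: 18 (self-signed certificate)
notAfter=Dec 31 23:59:59 2024 GMT"""
SAMPLE_EXPIRING = """SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
notAfter=Jun 25 23:59:59 2024 GMT"""
```

Run it against real output by piping `openssl s_client ... </dev/null | openssl x509 -noout -dates` into a file and passing its contents with the current UTC time.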


Dead Ends

Common approaches that don't work:

  1. (50% fail) Adding the origin's self-signed certificate to CloudFront's trusted certificate list without ensuring the certificate chain is complete will still fail the handshake.
  2. (65% fail) Disabling SSL verification entirely by setting Origin Protocol Policy to 'HTTP Only' exposes traffic to man-in-the-middle attacks and may not be allowed by security policies.
  3. (40% fail) Assuming the error is a DNS resolution issue and changing the origin domain name without fixing the SSL certificate will not resolve the handshake failure.