{
  "id": "aws/cloudfront-custom-origin-ssl-handshake-failure",
  "signature": "502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin. (Bad Gateway: SSL handshake failed)",
  "signature_zh": "502 错误 请求无法被满足。CloudFront 无法连接到源站。（错误网关：SSL 握手失败）",
  "regex": "502 ERROR The request could not be satisfied\\. CloudFront wasn't able to connect to the origin\\. \\(Bad Gateway: SSL handshake failed\\)",
  "domain": "aws",
  "category": "network_error",
  "subcategory": null,
  "root_cause": "CloudFront cannot establish a secure SSL/TLS connection to the custom origin because the origin's SSL certificate is expired, self-signed, or not trusted by CloudFront (e.g., not issued by a public CA), or the origin does not support the minimum TLS version required by CloudFront.",
  "root_cause_type": "generic",
  "root_cause_zh": "CloudFront 无法与自定义源站建立安全的 SSL/TLS 连接，因为源站的 SSL 证书已过期、自签名或不被 CloudFront 信任（例如，不是由公共 CA 颁发），或者源站不支持 CloudFront 所需的最低 TLS 版本。",
  "versions": [
    {
      "version": "CloudFront (2024-05-01)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "OpenSSL 3.0.12",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "ACM (2023-11-15)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Adding the origin's self-signed certificate to CloudFront's trusted certificate list without ensuring the certificate chain is complete will still fail the handshake.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Disabling SSL verification entirely by setting Origin Protocol Policy to 'HTTP Only' exposes traffic to man-in-the-middle attacks and may not be allowed by security policies.",
      "fail_rate": 0.65,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Assuming the error is a DNS resolution issue and changing origin domain name without fixing the SSL certificate will not resolve the handshake failure.",
      "fail_rate": 0.4,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Ensure the origin's SSL certificate is valid and issued by a trusted public Certificate Authority (e.g., Let's Encrypt, DigiCert, AWS Certificate Manager). Use `openssl s_client -connect your-origin.com:443 -servername your-origin.com` to check the certificate chain and expiration date.",
      "success_rate": 0.95,
      "how": "Ensure the origin's SSL certificate is valid and issued by a trusted public Certificate Authority (e.g., Let's Encrypt, DigiCert, AWS Certificate Manager). Use `openssl s_client -connect your-origin.com:443 -servername your-origin.com` to check the certificate chain and expiration date.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Configure CloudFront to use a custom SSL certificate for the origin by uploading the certificate to IAM or using ACM (if the origin is an ALB). Then update the CloudFront distribution's origin settings to use 'HTTPS Only' with the custom certificate.",
      "success_rate": 0.85,
      "how": "Configure CloudFront to use a custom SSL certificate for the origin by uploading the certificate to IAM or using ACM (if the origin is an ALB). Then update the CloudFront distribution's origin settings to use 'HTTPS Only' with the custom certificate.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Set the Origin SSL Protocols in CloudFront to match the origin's supported TLS versions (e.g., TLSv1.2). In the CloudFront console, go to 'Origins' -> 'Edit' -> 'Origin SSL Protocols' and select 'TLSv1.2' or higher.",
      "success_rate": 0.8,
      "how": "Set the Origin SSL Protocols in CloudFront to match the origin's supported TLS versions (e.g., TLSv1.2). In the CloudFront console, go to 'Origins' -> 'Edit' -> 'Origin SSL Protocols' and select 'TLSv1.2' or higher.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "确保源站的 SSL 证书有效且由受信任的公共证书颁发机构（例如 Let's Encrypt、DigiCert、AWS Certificate Manager）颁发。使用 `openssl s_client -connect your-origin.com:443 -servername your-origin.com` 检查证书链和过期日期。",
    "通过将证书上传到 IAM 或使用 ACM（如果源站是 ALB）为 CloudFront 配置自定义 SSL 证书。然后将 CloudFront 分发的源站设置更新为使用自定义证书的 'HTTPS Only'。",
    "在 CloudFront 中设置 Origin SSL Protocols 以匹配源站支持的 TLS 版本（例如 TLSv1.2）。在 CloudFront 控制台中，转到 'Origins' -> 'Edit' -> 'Origin SSL Protocols' 并选择 'TLSv1.2' 或更高版本。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-origin.html",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.86,
  "fix_success_rate": 0.84,
  "resolvable": "true",
  "first_seen": "2024-06-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}