# 502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin. (Bad Gateway: SSL handshake failed) - **ID:** `aws/cloudfront-custom-origin-ssl-handshake-failure` - **Domain:** aws - **Category:** network_error - **Verification:** ai_generated - **Fix Rate:** 84% ## Root Cause CloudFront cannot establish a secure SSL/TLS connection to the custom origin because the origin's SSL certificate is expired, self-signed, or not trusted by CloudFront (e.g., not issued by a public CA), or the origin does not support the minimum TLS version required by CloudFront. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | CloudFront (2024-05-01) | active | — | — | | OpenSSL 3.0.12 | active | — | — | | ACM (2023-11-15) | active | — | — | ## Workarounds 1. **Ensure the origin's SSL certificate is valid and issued by a trusted public Certificate Authority (e.g., Let's Encrypt, DigiCert, AWS Certificate Manager). Use `openssl s_client -connect your-origin.com:443 -servername your-origin.com` to check the certificate chain and expiration date.** (95% success) ``` Ensure the origin's SSL certificate is valid and issued by a trusted public Certificate Authority (e.g., Let's Encrypt, DigiCert, AWS Certificate Manager). Use `openssl s_client -connect your-origin.com:443 -servername your-origin.com` to check the certificate chain and expiration date. ``` 2. **Configure CloudFront to use a custom SSL certificate for the origin by uploading the certificate to IAM or using ACM (if the origin is an ALB). Then update the CloudFront distribution's origin settings to use 'HTTPS Only' with the custom certificate.** (85% success) ``` Configure CloudFront to use a custom SSL certificate for the origin by uploading the certificate to IAM or using ACM (if the origin is an ALB). Then update the CloudFront distribution's origin settings to use 'HTTPS Only' with the custom certificate. ``` 3. **Set the Origin SSL Protocols in CloudFront to match the origin's supported TLS versions (e.g., TLSv1.2). In the CloudFront console, go to 'Origins' -> 'Edit' -> 'Origin SSL Protocols' and select 'TLSv1.2' or higher.** (80% success) ``` Set the Origin SSL Protocols in CloudFront to match the origin's supported TLS versions (e.g., TLSv1.2). In the CloudFront console, go to 'Origins' -> 'Edit' -> 'Origin SSL Protocols' and select 'TLSv1.2' or higher. ``` ## Dead Ends - **** — Adding the origin's self-signed certificate to CloudFront's trusted certificate list without ensuring the certificate chain is complete will still fail the handshake. (50% fail) - **** — Disabling SSL verification entirely by setting Origin Protocol Policy to 'HTTP Only' exposes traffic to man-in-the-middle attacks and may not be allowed by security policies. (65% fail) - **** — Assuming the error is a DNS resolution issue and changing origin domain name without fixing the SSL certificate will not resolve the handshake failure. (40% fail)