502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin. (Bad Gateway: SSL handshake failed)
ID: aws/cloudfront-custom-origin-ssl-handshake-failure
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CloudFront (2024-05-01) | active | — | — | — |
| OpenSSL 3.0.12 | active | — | — | — |
| ACM (2023-11-15) | active | — | — | — |
Root cause analysis
CloudFront cannot establish a secure SSL/TLS connection to the custom origin because the origin's SSL certificate is expired, self-signed, or not trusted by CloudFront (e.g., not issued by a public CA), or the origin does not support the minimum TLS version required by CloudFront.
Official documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-origin.html
Solution
- Ensure the origin's SSL certificate is valid and issued by a trusted public certificate authority (e.g., Let's Encrypt, DigiCert, AWS Certificate Manager). Use `openssl s_client -connect your-origin.com:443 -servername your-origin.com` to check the certificate chain and the expiration date.
- Configure a custom SSL certificate for CloudFront by uploading the certificate to IAM or by using ACM (if the origin is an ALB). Then update the origin settings of the CloudFront distribution to 'HTTPS Only' using the custom certificate.
- Set Origin SSL Protocols in CloudFront to match the TLS versions the origin supports (e.g., TLSv1.2). In the CloudFront console, go to 'Origins' -> 'Edit' -> 'Origin SSL Protocols' and select 'TLSv1.2' or higher.
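As an added pre-flight check (not part of this page or of any AWS tooling), the following Python script tests a custom origin for the two conditions the steps above address: it performs a handshake with SNI and full chain verification against the public CA store, the way CloudFront does, and then confirms the origin will complete a handshake pinned to TLSv1.2. The host `your-origin.com` is the page's placeholder, and the mapping of verify codes to causes assumes OpenSSL's X509_V_ERR numbering.

```python
"""Pre-flight check of a custom origin for the CloudFront handshake failures described above."""
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify result codes (assumed numbering) mapped onto the page's root causes.
EXPIRED = {10}                  # CERT_HAS_EXPIRED
SELF_SIGNED = {18, 19}          # DEPTH_ZERO_SELF_SIGNED_CERT, SELF_SIGNED_CERT_IN_CHAIN
UNTRUSTED_CHAIN = {2, 20, 21}   # UNABLE_TO_GET_ISSUER_CERT(_LOCALLY), UNABLE_TO_VERIFY_LEAF_SIGNATURE


def classify(verify_code, tls12_ok):
    """Map a verify code (None = chain valid) and TLSv1.2 support to the causes named on this page."""
    causes = []
    if verify_code in EXPIRED:
        causes.append("certificate expired")
    elif verify_code in SELF_SIGNED:
        causes.append("self-signed certificate")
    elif verify_code is not None:   # issuer not found, leaf unverifiable, hostname mismatch, ...
        causes.append("chain not trusted (code %d)" % verify_code)
    if not tls12_ok:
        causes.append("origin does not offer TLSv1.2")
    return causes


def verify_chain(host, port=443, timeout=5.0):
    """Handshake with SNI and verification against the system's public CA store.
    Returns None on success, otherwise the OpenSSL verify code that failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_code


def offers_tls12(host, port=443, timeout=5.0):
    """True if the origin completes a handshake pinned to TLSv1.2 (verification off: only the version matters)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


def diagnose(host, port=443):
    """Run both probes against the origin and return the list of detected causes (empty = fine)."""
    return classify(verify_chain(host, port), offers_tls12(host, port))


if __name__ == "__main__":
    origin = sys.argv[1] if len(sys.argv) > 1 else "your-origin.com"  # placeholder host from the page
    print(diagnose(origin) or ["no handshake problem found"])
```

Run it as `python check_origin.py your-origin.com`; an empty result means the origin should also pass CloudFront's handshake, given Origin SSL Protocols includes TLSv1.2.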
Ineffective attempts
Common but ineffective approaches:
- 50% failure: Adding the origin's self-signed certificate to CloudFront's trusted certificate list without ensuring the certificate chain is complete will still fail the handshake.
- 65% failure: Disabling SSL verification entirely by setting Origin Protocol Policy to 'HTTP Only' exposes traffic to man-in-the-middle attacks and may not be allowed by security policies.
- 40% failure: Assuming the error is a DNS resolution issue and changing the origin domain name without fixing the SSL certificate will not resolve the handshake failure.