Provider: aws
Category: network_error
ai_generated: true
CloudFront request to origin timed out or failed: Origin SSL certificate does not match the origin domain name
ID: aws/cloudfront-invalid-origin-ssl
Fix Rate: 88%
Confidence: 86%
Evidence: 1
First Seen: 2023-06-15
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CloudFront 2023-12-20 | active | — | — | — |
| ALB 1.0 | active | — | — | — |
| ACM 2024-01-15 | active | — | — | — |
Root Cause
The TLS certificate presented by the custom origin (ALB, EC2, or any other HTTPS origin) does not cover the exact domain name configured as the CloudFront Origin Domain Name. CloudFront checks the name against the certificate's Subject Alternative Name entries (the Common Name only matters for SAN-less certificates) the same way a browser does, so a certificate that is valid, unexpired and trusted but issued for a different host still fails the handshake, and CloudFront returns a 502 Bad Gateway to the viewer.
Official Documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/troubleshooting-response-errors.html
Workarounds
- 90% success: Update the certificate on the origin so that it covers the exact domain name used as the CloudFront Origin Domain Name (check the Subject Alternative Names, not only the Common Name). For an ALB, request the certificate from AWS Certificate Manager in the ALB's region: aws acm request-certificate --domain-name my-origin.example.com --validation-method DNS # complete the DNS validation, then attach the certificate to the ALB's HTTPS listener. Make sure my-origin.example.com resolves to the ALB (Route 53 alias or CNAME) and that this same name is the one configured as the CloudFront origin.
- 85% success: If the origin is an ALB, do not point CloudFront at the raw ALB DNS name over HTTPS. A name such as my-alb-1234567890.us-east-1.elb.amazonaws.com cannot be covered by any certificate you can obtain: ACM and public CAs will not issue for *.elb.amazonaws.com or for the ALB's own hostname, and even a *.elb.amazonaws.com wildcard would not match it, because a wildcard covers a single DNS label. Instead create a DNS name you control (for example origin.example.com) that points at the ALB, set that name as the Origin Domain Name, and make sure the ALB listener's certificate includes it. CloudFront sends the Origin Domain Name as the TLS SNI value, so the ALB also selects the right certificate only when that name matches.
- 20% success: Using a custom origin header to "bypass" SSL verification does not work. CloudFront has no setting that disables origin certificate validation, and custom headers are not consulted during the TLS handshake; they are useful only so the ALB can reject requests that did not come through CloudFront. Fix the certificate or the origin name instead.
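The root cause and the first two workarounds come down to one comparison: does the name CloudFront uses as Origin Domain Name appear in the origin certificate's SAN list (or CN, for SAN-less certificates), with wildcards covering exactly one label? The following script is an added example, not code from this page or from AWS; it reimplements that comparison with the standard library so you can check a distribution's origins against the certificates they present before touching CloudFront. The function and constant names (hostname_matches, cert_covers, check_origins, fetch_origin_names, SAMPLE_ORIGINS, SAMPLE_CERTS) and the sample origin and certificate data are invented for the illustration; only fetch_origin_names talks to a real host.

```python
"""Check whether an origin's TLS certificate covers the CloudFront Origin Domain Name.

Added example, not AWS code. All names below are invented for this illustration
and the SAMPLE_* data is constructed, not taken from real AWS resources.
"""
import socket
import ssl


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or a wildcard covering exactly one
    leftmost label. '*.elb.amazonaws.com' therefore does NOT cover
    'my-alb-1234567890.us-east-1.elb.amazonaws.com' (two labels to its left)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Only a bare '*' as the whole leftmost label counts (never 'a*' or a
    # wildcard further right), and it must leave at least two literal labels.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(origin_domain: str, san_dns_names, subject_cn=None) -> bool:
    """True if the Origin Domain Name is covered by the certificate.
    When a SAN extension is present the CN is ignored, as every modern TLS
    client (CloudFront included) does; the CN is consulted only for SAN-less certs."""
    if san_dns_names:
        names = list(san_dns_names)
    else:
        names = [subject_cn] if subject_cn else []
    return any(hostname_matches(name, origin_domain) for name in names)


def check_origins(origins, certs):
    """origins: {origin_id: origin_domain_name} as in the distribution config.
    certs:   {origin_id: (san_dns_names, subject_cn)} as presented by each origin.
    Returns {origin_id: True if the certificate covers the origin name}."""
    report = {}
    for origin_id, domain in origins.items():
        sans, cn = certs.get(origin_id, ([], None))
        report[origin_id] = cert_covers(domain, sans, cn)
    return report


def fetch_origin_names(host: str, port: int = 443, timeout: float = 5.0):
    """Live diagnostic (needs network): connect the way CloudFront does, with
    SNI set to the origin domain, require a trusted chain, but skip the
    hostname check so the SAN list of a valid-but-mismatched cert can be read."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name comparison is done by cert_covers()
    # verify_mode stays CERT_REQUIRED: an untrusted or expired chain still fails,
    # which is a different CloudFront origin error from the one on this page.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = next((value for rdn in cert.get("subject", ())
               for kind, value in rdn if kind == "commonName"), None)
    return sans, cn


# Constructed sample data: what `aws cloudfront get-distribution-config` and the
# origins' certificates would show for three hypothetical origins.
SAMPLE_ORIGINS = {
    "alb-by-custom-name": "origin.example.com",
    "alb-by-raw-dns": "my-alb-1234567890.us-east-1.elb.amazonaws.com",
    "ec2-legacy": "legacy.example.com",
}
SAMPLE_CERTS = {
    # ACM certificate attached to the ALB listener, covering the custom name.
    "alb-by-custom-name": (["origin.example.com", "*.internal.example.com"], "origin.example.com"),
    # Same ALB and certificate, but CloudFront points at the raw ALB hostname.
    "alb-by-raw-dns": (["origin.example.com"], "origin.example.com"),
    # Old CN-only certificate without a SAN extension on an EC2 origin.
    "ec2-legacy": ([], "legacy.example.com"),
}


if __name__ == "__main__":
    for origin_id, ok in check_origins(SAMPLE_ORIGINS, SAMPLE_CERTS).items():
        status = "OK" if ok else "MISMATCH: fix the certificate or the Origin Domain Name"
        print(f"{origin_id:20s} {status}")
```

On real resources, feed check_origins with the origin names from `aws cloudfront get-distribution-config --id <distribution-id> --query 'DistributionConfig.Origins.Items[].DomainName'` and the SAN lists from fetch_origin_names(origin_domain) or from `aws acm describe-certificate --certificate-arn <arn> --query 'Certificate.SubjectAlternativeNames'`. The alb-by-raw-dns case is the one the 85% workaround addresses: the ALB's certificate is perfectly valid, it just names a different host than the one CloudFront connects to.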
Dead Ends
Common approaches that don't work:
-
Disable SSL certificate validation in CloudFront (not possible)
100% fail
CloudFront always validates SSL certificates for HTTPS origins; there is no option to disable it.
-
Use HTTP instead of HTTPS for the origin protocol
50% fail
Switching the origin protocol policy to HTTP only avoids the certificate check, but traffic between CloudFront and the origin then crosses the public internet in cleartext, the ALB needs a plain HTTP listener, and many organizations' policies (or a required "HTTPS only" origin protocol policy) forbid it.
-
Change the origin domain name to an IP address
90% fail
CloudFront requires a DNS name as the origin domain and does not accept an IP address, and publicly trusted certificates are not issued for IP addresses in any case; the certificate must cover the domain name used in the origin configuration.