{
  "id": "aws/cloudfront-invalid-origin-ssl",
  "signature": "CloudFront request to origin timed out or failed: Origin SSL certificate does not match the origin domain name",
  "signature_zh": "CloudFront向源站请求超时或失败：源站SSL证书与源站域名不匹配",
  "regex": "Origin SSL certificate does not match the origin domain name|SSL certificate problem",
  "domain": "aws",
  "category": "network_error",
  "subcategory": null,
  "root_cause": "The SSL/TLS certificate on the custom origin (e.g., ALB, EC2) does not include the origin domain name used in the CloudFront distribution's origin configuration.",
  "root_cause_type": "generic",
  "root_cause_zh": "自定义源站（如ALB、EC2）上的SSL/TLS证书不包含CloudFront分配源站配置中使用的源站域名。",
  "versions": [
    {
      "version": "CloudFront 2023-12-20",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "ALB 1.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "ACM 2024-01-15",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Disable SSL certificate validation in CloudFront (not possible)",
      "why_fails": "CloudFront always validates SSL certificates for HTTPS origins; there is no option to disable it.",
      "fail_rate": 1.0,
      "condition": "",
      "sources": []
    },
    {
      "action": "Use HTTP instead of HTTPS for the origin protocol",
      "why_fails": "Switching the origin protocol to HTTP bypasses certificate verification, but it sends traffic between CloudFront and the origin in cleartext, which introduces security risks and may not be allowed by policy.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "Change the origin domain name to an IP address",
      "why_fails": "IP addresses are not covered by standard SSL certificates; the certificate must match the domain name in the origin configuration.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Update the SSL certificate on the origin to include the domain name used in the CloudFront origin configuration. For an ALB, use AWS Certificate Manager:\naws acm request-certificate --domain-name my-origin.example.com --validation-method DNS\n# Then attach the certificate to the ALB listener.",
      "success_rate": 0.9,
      "how": "Update the SSL certificate on the origin to include the domain name used in the CloudFront origin configuration. For an ALB, use AWS Certificate Manager:\naws acm request-certificate --domain-name my-origin.example.com --validation-method DNS\n# Then attach the certificate to the ALB listener.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If using an ALB, set the Origin Domain Name to the ALB DNS name and ensure the certificate matches that DNS name:\n# ALB DNS name: my-alb-1234567890.us-east-1.elb.amazonaws.com\n# The certificate must have *.elb.amazonaws.com or the full DNS name.",
      "success_rate": 0.85,
      "how": "If using an ALB, set the Origin Domain Name to the ALB DNS name and ensure the certificate matches that DNS name:\n# ALB DNS name: my-alb-1234567890.us-east-1.elb.amazonaws.com\n# The certificate must have *.elb.amazonaws.com or the full DNS name.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use a custom header to bypass SSL verification for internal origins (if supported), but this is not a standard fix:\n# Not recommended; instead fix the certificate.",
      "success_rate": 0.2,
      "how": "Use a custom header to bypass SSL verification for internal origins (if supported), but this is not a standard fix:\n# Not recommended; instead fix the certificate.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "更新源站上的SSL证书，使其包含CloudFront源站配置中使用的域名。对于ALB，使用AWS Certificate Manager：\naws acm request-certificate --domain-name my-origin.example.com --validation-method DNS\n# 然后将证书附加到ALB监听器。",
    "如果使用ALB，将源站域名设置为ALB DNS名称，并确保证书匹配该DNS名称：\n# ALB DNS名称：my-alb-1234567890.us-east-1.elb.amazonaws.com\n# 证书必须包含*.elb.amazonaws.com或完整的DNS名称。",
    "使用自定义标头绕过内部源站的SSL验证（如果支持），但这不是标准修复：\n# 不推荐；而是修复证书。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/troubleshooting-response-errors.html",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.86,
  "fix_success_rate": 0.88,
  "resolvable": "true",
  "first_seen": "2023-06-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}