# CloudFront request to origin timed out or failed: Origin SSL certificate does not match the origin domain name

- **ID:** `aws/cloudfront-invalid-origin-ssl`
- **Domain:** aws
- **Category:** network_error
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

The SSL/TLS certificate on the custom origin (e.g., ALB, EC2) does not include the origin domain name used in the CloudFront distribution's origin configuration.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| CloudFront 2023-12-20 | active | — | — |
| ALB 1.0 | active | — | — |
| ACM 2024-01-15 | active | — | — |

## Workarounds

1. **Update the SSL certificate on the origin to include the domain name used in the CloudFront origin configuration.** (90% success) For an ALB, use AWS Certificate Manager:
   ```
   aws acm request-certificate --domain-name my-origin.example.com --validation-method DNS
   # Then attach the certificate to the ALB listener.
   ```
2. **If using an ALB, set the Origin Domain Name to the ALB DNS name and ensure the certificate matches that DNS name.** (85% success)
   ```
   # ALB DNS name: my-alb-1234567890.us-east-1.elb.amazonaws.com
   # The certificate must have *.elb.amazonaws.com or the full DNS name.
   ```
3. **Use a custom header to bypass SSL verification for internal origins (if supported), but this is not a standard fix.** (20% success)
   ```
   # Not recommended; instead fix the certificate.
   ```
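
The check below is an added example, not AWS code or part of this page's original content. It reproduces the hostname-versus-certificate comparison behind the Root Cause so an operator can test a SAN list against the origin domain name offline, and it includes a live probe that performs the same verified TLS handshake CloudFront performs. The SAN lists and hostnames in it are constructed from the values used in the workarounds and dead ends. One caveat it makes visible: under RFC 6125 single-label wildcard matching, which Python's `ssl` module and most TLS clients apply, `*.elb.amazonaws.com` does not cover a multi-label ALB hostname such as `my-alb-1234567890.us-east-1.elb.amazonaws.com`, so listing the full DNS name is the dependable choice for workaround 2.

```python
"""Offline check: does a certificate's SAN list cover a CloudFront origin domain name?

Added example (not AWS code). The SAN lists and hostnames below are constructed
to mirror the cases on this page: a custom origin name, an ALB DNS name, and a
bare IP address used as the origin domain name.
"""
import ipaddress
import socket
import ssl


def hostname_matches(san_entry, hostname):
    """RFC 6125-style DNS-ID matching (the rule Python's ssl module applies).

    A wildcard is honoured only as the entire left-most label and covers exactly
    one label, so "*.example.com" matches "origin.example.com" but not
    "a.b.example.com" and not "example.com".
    """
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    tail = san[2:]
    if "*" in tail or not tail:
        return False  # partial or nested wildcards are not accepted
    host_labels = host.split(".")
    tail_labels = tail.split(".")
    return len(host_labels) == len(tail_labels) + 1 and host_labels[1:] == tail_labels


def certificate_covers_origin(san_names, origin_domain):
    """True when any DNS SAN covers origin_domain.

    An IP literal never matches a DNS SAN, which is why pointing the origin at an
    address instead of a name fails (see Dead Ends).
    """
    try:
        ipaddress.ip_address(origin_domain)
        return False  # DNS SANs only; an address cannot satisfy a dNSName entry
    except ValueError:
        pass
    return any(hostname_matches(san, origin_domain) for san in san_names)


def explain(san_names, origin_domain):
    """Human-readable verdict for one SAN list / origin name pair."""
    if certificate_covers_origin(san_names, origin_domain):
        return f"OK: {origin_domain} is covered by {san_names}"
    return (f"MISMATCH: {origin_domain} is not covered by {san_names}; "
            "CloudFront will refuse the origin's certificate")


def probe_origin(origin_domain, port=443, timeout=5.0):
    """Live check (needs network): perform the same verified handshake CloudFront
    does and report whether the presented certificate is valid for origin_domain."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((origin_domain, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=origin_domain) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return True, explain(sans, origin_domain)
    except ssl.SSLCertVerificationError as exc:
        # Hostname mismatch surfaces here as "Hostname mismatch, certificate is not valid for ..."
        return False, f"handshake rejected: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Constructed cases mirroring the workarounds and dead ends above.
    cases = [
        (["my-origin.example.com"], "my-origin.example.com"),
        (["*.example.com"], "my-origin.example.com"),
        (["*.elb.amazonaws.com"], "my-alb-1234567890.us-east-1.elb.amazonaws.com"),
        (["my-alb-1234567890.us-east-1.elb.amazonaws.com"],
         "my-alb-1234567890.us-east-1.elb.amazonaws.com"),
        (["my-origin.example.com"], "203.0.113.10"),
    ]
    for sans, origin in cases:
        print(explain(sans, origin))
```

Run the offline cases first to confirm which SAN entry is missing, then `probe_origin("my-origin.example.com")` against the real origin once the new certificate is attached to the listener; a `False` result with "handshake rejected" means CloudFront will see the same mismatch.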

## Dead Ends

- **Disable SSL certificate validation in CloudFront (not possible)** — CloudFront always validates SSL certificates for HTTPS origins; there is no option to disable it. (100% fail)
- **Use HTTP instead of HTTPS for the origin protocol** — Switching to HTTP bypasses SSL verification but introduces security risks and may not be allowed by policies. (50% fail)
- **Change the origin domain name to an IP address** — IP addresses are not covered by standard SSL certificates; the certificate must match the domain name in the origin configuration. (90% fail)
