aws network_error ai_generated true

CloudFront request to the origin timed out or failed: the origin's SSL certificate does not match the origin domain name

CloudFront request to origin timed out or failed: Origin SSL certificate does not match the origin domain name

ID: aws/cloudfront-invalid-origin-ssl

Fix rate: 88%
Confidence: 86%
Evidence count: 1
First seen: 2023-06-15

Version compatibility

Component | Version | Status | Introduced | Deprecated | Notes
CloudFront 2023-12-20 active
ALB 1.0 active
ACM 2024-01-15 active

Root cause analysis

The SSL/TLS certificate on the custom origin (e.g., ALB, EC2) does not include the origin domain name used in the CloudFront distribution's origin configuration. CloudFront connects to the origin over HTTPS using that configured domain name and rejects the connection when no Subject Alternative Name on the presented certificate covers it.


Official documentation

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/troubleshooting-response-errors.html

Solution

  1. Update the SSL certificate on the origin so that it includes the domain name used in the CloudFront origin configuration. For an ALB, use AWS Certificate Manager:
    aws acm request-certificate --domain-name my-origin.example.com --validation-method DNS
    # Then attach the issued certificate to the ALB's HTTPS listener.
  2. If the origin is an ALB, set the origin domain name to the ALB DNS name and make sure the certificate matches that DNS name:
    # ALB DNS name: my-alb-1234567890.us-east-1.elb.amazonaws.com
    # The certificate must include *.elb.amazonaws.com or the full DNS name.
  3. Using custom headers to bypass SSL validation on an internal origin (where supported) is not a standard fix:
    # Not recommended; fix the certificate instead.
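Before changing the distribution, it helps to confirm which names the origin's certificate actually covers. The script below is an added example, not part of this record or of AWS tooling: it pulls the Subject Alternative Names from the certificate an origin serves and checks them against the configured origin domain name. Hostnames in it are constructed; it assumes openssl 1.1.1 or newer is installed. Per RFC 6125 a wildcard such as *.elb.amazonaws.com covers only one DNS label, so the check treats a multi-label ALB name as not covered by that wildcard.

```shell
#!/bin/sh
# Added example (not from the original record): does the origin's certificate
# cover the CloudFront origin domain name? Hostnames below are constructed.

# Print the DNS SANs of the certificate served by HOST:443 (SNI = HOST), one per line.
# Needs openssl 1.1.1+ for "x509 -ext".
fetch_sans() {
  host="$1"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# san_matches SAN NAME: exact match, or a wildcard matching exactly one leading label.
san_matches() {
  san="$1"; name="$2"
  case "$san" in
    '*.'*)
      suffix="${san#\*.}"       # part after "*."
      first="${name%%.*}"       # leftmost label of NAME
      rest="${name#*.}"         # NAME without its leftmost label
      [ "$first" != "$name" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$san" = "$name" ]
      ;;
  esac
}

# cert_covers SANS NAME: SANS is a newline-separated list; returns 0 if any SAN covers NAME.
cert_covers() {
  sans="$1"; name="$2"
  set -f                        # SANs contain "*": stop the shell from globbing them
  for san in $sans; do
    if san_matches "$san" "$name"; then set +f; return 0; fi
  done
  set +f
  return 1
}

# check_origin NAME: fetch the live certificate and report whether NAME is covered.
check_origin() {
  name="$1"
  sans="$(fetch_sans "$name")"
  if cert_covers "$sans" "$name"; then
    echo "OK: certificate at $name covers $name"
  else
    echo "MISMATCH: certificate at $name does not cover $name; SANs: $(printf '%s' "$sans" | tr '\n' ' ')"
    return 1
  fi
}
```

Run `check_origin my-origin.example.com` against the configured origin domain name; a MISMATCH result means CloudFront will reject the origin's certificate until the SAN list or the origin domain name is corrected.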

Ineffective attempts

Common but ineffective approaches:

  1. Disable SSL certificate validation in CloudFront (not possible) 100% failure

    CloudFront always validates SSL certificates for HTTPS origins; there is no option to disable it.

  2. Use HTTP instead of HTTPS for the origin protocol 50% failure

    Switching to HTTP bypasses SSL verification but introduces security risks and may not be allowed by policies.

  3. Change the origin domain name to an IP address 90% failure

    IP addresses are not covered by standard SSL certificates; the certificate must match the domain name in the origin configuration.