502
aws
network_error
ai_generated
true
502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin. The SSL certificate for the origin is invalid or expired.
ID: aws/cloudfront-origin-ssl-handshake-failure
85% Fix Rate
84% Confidence
1 Evidence
2023-02-14 First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| cloudfront-2020-05-31 | active | — | — | — |
| openssl-3.0.12 | active | — | — | — |
Root Cause
CloudFront cannot complete the TLS handshake with the custom origin because the certificate the origin presents fails CloudFront's validation: it is expired, it is self-signed or otherwise not issued by a CA in CloudFront's trust store, it is served without its intermediate certificates, or none of its CN/SAN entries matches the origin domain name configured in CloudFront. CloudFront always validates origin certificates, so any one of these conditions produces this 502.
Official Documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/troubleshooting-response-errors.html#troubleshooting-response-errors-502
Workarounds
- 90% success: Renew the SSL certificate on the origin server. For an ALB, use AWS Certificate Manager (ACM) to issue a new certificate, find the HTTPS listener with `aws elbv2 describe-listeners --load-balancer-arn arn:aws:elasticloadbalancing:...`, then attach the new certificate to that listener (`aws elbv2 modify-listener`) so the renewed certificate is what the origin presents.
- 85% success: Ensure the certificate's Common Name (CN) or Subject Alternative Name (SAN) matches the origin domain name used in CloudFront origin settings; if the cache behavior forwards the Host header, the certificate must also cover the domain in that header. The origin must also send the full chain (leaf plus intermediates) from a publicly trusted CA; a self-signed or private-CA certificate fails even when the name and dates are correct.
- 75% success: If the origin is an S3 bucket, configure it as an S3 origin (the bucket's REST endpoint, of the form bucket.s3.region.amazonaws.com) so CloudFront connects over HTTPS using Amazon's own certificate. An S3 static website endpoint does not serve HTTPS and cannot have an ACM certificate attached; if you must keep the website endpoint as a custom origin, set the origin protocol policy to HTTP only.
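The two certificate checks behind the first and second workarounds (not expired, CN/SAN matching the origin domain name), as an added shell example that is not part of this page or of the AWS documentation. It assumes a POSIX shell with `openssl` on the PATH; the self-signed demo certificate and the hostnames origin.example.com and www.example.com are constructed for the demo, and `check_origin_cert`, `make_test_cert` and `fetch_origin_chain` are names chosen here, not AWS tooling. The offline demo cannot exercise trust-chain validation (a self-signed certificate is exactly what CloudFront rejects), so that part is left to `fetch_origin_chain`, which queries the live origin.

```shell
#!/bin/sh
# Added example, not from the AWS page: check an origin certificate for the two
# conditions this page lists, expiry and a CN/SAN matching the Origin Domain
# Name. Demo certificate and hostnames are constructed for the demo.
set -eu

# check_origin_cert PEM ORIGIN_DOMAIN [MIN_SECONDS_LEFT]
# Returns 0 when the certificate remains valid for at least MIN_SECONDS_LEFT
# (default 0, i.e. not yet expired) and its CN/SAN covers ORIGIN_DOMAIN.
check_origin_cert() {
  pem="$1"; origin="$2"; min_left="${3:-0}"
  # -checkend N exits non-zero when the certificate expires within N seconds
  if ! openssl x509 -in "$pem" -noout -checkend "$min_left" >/dev/null 2>&1; then
    echo "FAIL: expires within ${min_left}s: $(openssl x509 -in "$pem" -noout -enddate)"
    return 1
  fi
  # -checkhost applies RFC 6125 matching (SAN first, CN only as a fallback),
  # the same rule a TLS client such as CloudFront applies to the origin name
  if ! openssl x509 -in "$pem" -noout -checkhost "$origin" | grep -q 'does match'; then
    echo "FAIL: neither CN nor SAN covers $origin"
    openssl x509 -in "$pem" -noout -subject -ext subjectAltName || true
    return 1
  fi
  echo "OK: $origin is covered, $(openssl x509 -in "$pem" -noout -enddate)"
}

# make_test_cert DIR NAME DAYS: writes a constructed self-signed certificate
# (DIR/cert.pem) with SAN DNS:NAME, valid for DAYS days. Demo input only;
# CloudFront itself would reject it because it is not CA-issued.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# fetch_origin_chain ORIGIN_DOMAIN: prints the chain a live origin presents and
# OpenSSL's verdict. "unable to get local issuer certificate" means the origin
# omits an intermediate; "self-signed certificate" means no trusted CA issued
# it. Needs network access, so it is not exercised by the offline demo below.
fetch_origin_chain() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | sed -n '/^Certificate chain/,/^---$/p; /Verify return code/p'
}

# Offline demo: a certificate valid for one day, covering origin.example.com
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_test_cert "$tmp" origin.example.com 1
check_origin_cert "$tmp/cert.pem" origin.example.com                  # OK
check_origin_cert "$tmp/cert.pem" www.example.com || true             # FAIL: name mismatch
check_origin_cert "$tmp/cert.pem" origin.example.com 2592000 || true  # FAIL: renew, expires within 30 days
```

Run `check_origin_cert` against the PEM you are about to deploy and the exact value of the CloudFront Origin Domain Name (plus any forwarded Host header domain); run `fetch_origin_chain` against the deployed origin afterwards to confirm the chain and trust status CloudFront will actually see.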
Dead Ends
Common approaches that don't work:
- Restart the origin server (e.g., EC2 or ALB): 90% fail. Restarting the server doesn't fix an expired or misconfigured certificate; the SSL issue is at the certificate level.
- Disable SSL verification in CloudFront distribution settings: 95% fail. CloudFront does not allow disabling SSL verification for custom origins; it always validates certificates.