{ "id": "aws/cloudfront-origin-ssl-handshake-failure", "signature": "502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin. The SSL certificate for the origin is invalid or expired.", "signature_zh": "502 错误 无法满足请求。CloudFront 无法连接到源站。源的 SSL 证书无效或已过期。", "regex": "502 ERROR The request could not be satisfied\\. CloudFront wasn't able to connect to the origin\\. The SSL certificate for the origin is invalid or expired\\.", "domain": "aws", "category": "network_error", "subcategory": null, "root_cause": "CloudFront cannot establish a valid SSL/TLS connection to the custom origin because the origin's SSL certificate is expired, self-signed, or does not match the hostname.", "root_cause_type": "generic", "root_cause_zh": "CloudFront 无法与自定义源站建立有效的 SSL/TLS 连接,因为源站的 SSL 证书已过期、自签名或与主机名不匹配。", "versions": [ { "version": "cloudfront-2020-05-31", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "openssl-3.0.12", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "Restart the origin server (e.g., EC2 or ALB)", "why_fails": "Restarting the server doesn't fix an expired or misconfigured certificate; the SSL issue is at the certificate level.", "fail_rate": 0.9, "condition": "", "sources": [] }, { "action": "Disable SSL verification in CloudFront distribution settings", "why_fails": "CloudFront does not allow disabling SSL verification for custom origins; it always validates certificates.", "fail_rate": 0.95, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Renew the SSL certificate on the origin server. For an ALB, use AWS Certificate Manager (ACM) to issue a new certificate and attach it to the listener: `aws elbv2 describe-listeners --load-balancer-arn arn:aws:elasticloadbalancing:...` then update.", "success_rate": 0.9, "how": "Renew the SSL certificate on the origin server. For an ALB, use AWS Certificate Manager (ACM) to issue a new certificate and attach it to the listener: `aws elbv2 describe-listeners --load-balancer-arn arn:aws:elasticloadbalancing:...` then update.", "condition": "", "sources": [] }, { "action": "Ensure the certificate's Common Name (CN) or Subject Alternative Name (SAN) matches the origin domain name used in CloudFront origin settings.", "success_rate": 0.85, "how": "Ensure the certificate's Common Name (CN) or Subject Alternative Name (SAN) matches the origin domain name used in CloudFront origin settings.", "condition": "", "sources": [] }, { "action": "If the origin is an S3 bucket configured as a custom origin, use the S3 website endpoint with a valid certificate from ACM.", "success_rate": 0.75, "how": "If the origin is an S3 bucket configured as a custom origin, use the S3 website endpoint with a valid certificate from ACM.", "condition": "", "sources": [] } ], "workarounds_zh": [ "在源站服务器上续订 SSL 证书。对于 ALB,使用 AWS Certificate Manager (ACM) 颁发新证书并附加到监听器:`aws elbv2 describe-listeners --load-balancer-arn arn:aws:elasticloadbalancing:...` 然后更新。", "确保证书的通用名称 (CN) 或主题备用名称 (SAN) 与 CloudFront 源站设置中使用的源站域名匹配。", "如果源站是配置为自定义源站的 S3 存储桶,请使用带有 ACM 有效证书的 S3 网站端点。" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/troubleshooting-response-errors.html#troubleshooting-response-errors-502", "official_doc_section": null, "error_code": "502", "verification_tier": "ai_generated", "confidence": 0.84, "fix_success_rate": 0.85, "resolvable": "true", "first_seen": "2023-02-14", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }