# 502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin. The SSL certificate for the origin is invalid or expired.

- **ID:** `aws/cloudfront-origin-ssl-handshake-failure`
- **Domain:** aws
- **Category:** network_error
- **Error Code:** `502`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

CloudFront cannot establish a valid SSL/TLS connection to the custom origin because the origin's SSL certificate is expired, self-signed, or does not match the hostname.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| cloudfront-2020-05-31 | active | — | — |
| openssl-3.0.12 | active | — | — |

## Workarounds

1. **Renew the SSL certificate on the origin server. For an ALB, use AWS Certificate Manager (ACM) to issue a new certificate and attach it to the HTTPS listener: `aws elbv2 describe-listeners --load-balancer-arn arn:aws:elasticloadbalancing:...` to find the listener, then update its certificate.** (90% success)
2. **Ensure the certificate's Common Name (CN) or Subject Alternative Name (SAN) matches the origin domain name used in CloudFront origin settings.** (85% success)
3. **If the origin is an S3 bucket configured as a custom origin, use the S3 website endpoint with a valid certificate from ACM.** (75% success)

## Dead Ends

- **Restart the origin server (e.g., EC2 or ALB)** — Restarting the server doesn't fix an expired or misconfigured certificate; the SSL issue is at the certificate level. (90% fail)
- **Disable SSL verification in CloudFront distribution settings** — CloudFront does not allow disabling SSL verification for custom origins; it always validates certificates. (95% fail)
