502 aws network_error ai_generated true

502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin. The SSL certificate for the origin is invalid or expired.

ID: aws/cloudfront-origin-ssl-handshake-failure

Fix rate: 85%
Confidence: 84%
Evidence count: 1
First seen: 2023-02-14

Version compatibility

Version                Status   Introduced   Deprecated   Notes
cloudfront-2020-05-31  active
openssl-3.0.12         active

Root cause analysis

CloudFront cannot establish a valid SSL/TLS connection to the custom origin because the certificate the origin presents fails CloudFront's validation: it is expired (or not yet valid), self-signed or otherwise not chained to a trusted CA, or its Common Name / Subject Alternative Names do not cover the origin domain name. CloudFront always validates the origin certificate for HTTPS origins and returns this 502 when validation fails.

generic

Official documentation

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/troubleshooting-response-errors.html#troubleshooting-response-errors-502

Solution

  1. Renew the SSL certificate on the origin server. For an ALB, issue a new certificate with AWS Certificate Manager (ACM) and attach it to the HTTPS listener: locate the listener with `aws elbv2 describe-listeners --load-balancer-arn arn:aws:elasticloadbalancing:...`, then update that listener so it serves the new ACM certificate.
  2. Make sure the certificate's Common Name (CN) or one of its Subject Alternative Names (SAN) matches the origin domain name configured in the CloudFront origin settings (or the Host header value, if the distribution forwards the Host header to the origin). The certificate must also be issued by a publicly trusted CA and be served together with its intermediate chain; CloudFront rejects self-signed certificates and incomplete chains.
  3. If the origin is an S3 bucket reached through its static website endpoint, be aware that website endpoints serve HTTP only and cannot carry a custom certificate. Either set the origin protocol policy to HTTP only, or use the bucket's REST endpoint as an S3 origin so that CloudFront connects over HTTPS with Amazon's own certificate.
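The checks and the ALB rotation above, as an added shell example that is not part of this page's original content. It assumes `openssl` (1.1.1 or newer) and the AWS CLI are installed; `check_origin_cert` applies the same three conditions CloudFront applies (validity window, name match against the origin domain, chain to a trusted CA) to a PEM file so a mismatch can be diagnosed offline, `fetch_origin_cert` pulls the leaf certificate an origin actually presents, and `rotate_alb_cert` requests a DNS-validated ACM certificate and points every HTTPS listener at it. The load-balancer ARN and origin domain are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example: diagnose why CloudFront rejects an origin certificate, then
# rotate the ALB listener certificate with ACM. Assumes openssl and aws CLI.

# Fetch the leaf certificate the origin presents for HOST:PORT. SNI is sent
# with the origin name, as CloudFront does. PEM goes to stdout.
fetch_origin_cert() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509
}

# Run the three checks CloudFront applies to a custom origin's certificate
# against a PEM file: not expired, names cover HOST, chain verifies to a
# trusted CA. Prints one line per failed check; returns 0 only if all pass.
check_origin_cert() {
  pem=$1; host=$2; rc=0
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "EXPIRED: $(openssl x509 -in "$pem" -noout -enddate)"
    rc=1
  fi
  if openssl x509 -in "$pem" -checkhost "$host" 2>/dev/null | grep -q 'does NOT match'; then
    echo "NAME MISMATCH: certificate CN/SAN do not cover $host"
    rc=1
  fi
  if ! openssl verify "$pem" >/dev/null 2>&1; then
    echo "UNTRUSTED: chain does not verify (self-signed or missing intermediate)"
    rc=1
  fi
  return $rc
}

# Request a DNS-validated ACM certificate for ORIGIN_DOMAIN, wait for it to be
# issued, then attach it to every HTTPS listener on the ALB identified by LB_ARN.
# (Placeholder arguments; the ACM CNAME record must be created by the caller.)
rotate_alb_cert() {
  lb_arn=$1; origin_domain=$2
  cert_arn=$(aws acm request-certificate --domain-name "$origin_domain" \
    --validation-method DNS --query CertificateArn --output text)
  echo "Create the DNS validation CNAME for $cert_arn, then wait for issuance."
  aws acm wait certificate-validated --certificate-arn "$cert_arn"
  for listener_arn in $(aws elbv2 describe-listeners --load-balancer-arn "$lb_arn" \
      --query "Listeners[?Protocol=='HTTPS'].ListenerArn" --output text); do
    aws elbv2 modify-listener --listener-arn "$listener_arn" \
      --certificates "CertificateArn=$cert_arn"
  done
}

# Typical use (placeholders):
#   fetch_origin_cert origin.example.com > /tmp/origin.pem
#   check_origin_cert /tmp/origin.pem origin.example.com || \
#     rotate_alb_cert arn:aws:elasticloadbalancing:... origin.example.com
```

Run the fetch/check pair first: the output names the exact condition CloudFront is tripping on, which decides whether you need a renewal (EXPIRED), a reissue with the right SAN (NAME MISMATCH), or simply a corrected chain in the listener or web-server configuration (UNTRUSTED) before touching ACM.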

Ineffective attempts

Common but ineffective approaches:

  1. Restart the origin server (e.g., EC2 or ALB) 90% failure rate

    Restarting the server doesn't fix an expired or misconfigured certificate; the SSL issue is at the certificate level.

  2. Disable SSL verification in CloudFront distribution settings 95% failure rate

    CloudFront does not allow disabling SSL verification for custom origins; it always validates the origin certificate. The only way to stop the validation is to set the origin protocol policy to HTTP only, which removes TLS to the origin entirely rather than fixing the certificate.