How do I troubleshoot a 502 "The request could not be satisfied" error in CloudFront?

6 minute read
1

I configured an Amazon CloudFront distribution with a custom domain. When I request the alternative Canonical Name (CNAME) domain over CloudFront, I receive the following 502 error response: "The request could not be satisfied."

Resolution

A 502 error occurs when CloudFront can't connect to the origin. To troubleshoot this error, take the following actions based on common issues.

CloudFront can't establish a TCP connection with the origin server

CloudFront connects to the origin over port 80 (for HTTP) and port 443 (for HTTPS) by default. If the origin doesn't allow traffic over these ports, or blocks the CloudFront IP address connection, then the TCP connection fails. To resolve the 502 error, check that the CloudFront distribution's Protocol setting allows the required ports.

To test port connectivity, run the following command:

telnet ORIGIN_DOMAIN/ORIGIN_IP PORT

Note: Replace ORIGIN_DOMAIN with the origin domain ID, and ORIGIN_IP with the origin's IP address. Also, replace PORT with the port that you use to connect to the origin.

Make sure that the firewalls in your infrastructure allow the required IP address ranges.

SSL/TLS negotiation with the origin server failed

If the SSL/TLS transaction fails, then the connection between CloudFront and the origin fails. See the following sections for causes of an SSL/TLS transaction failure, and how to resolve them.

SSL certificate doesn't match the domain name

The SSL certificate at the origin must include or cover one of the following domain names:

  • The origin domain name in the certificate's Common Name field or Subject Alternative Names field.
  • The host header's domain name for incoming viewer host headers that are forwarded to the origin in the CloudFront distribution.

To check for the Common Name and Subject Alternative Names in the certificate, run the following command:

$ openssl s_client -connect DOMAIN:443 -servername SERVER_DOMAIN | openssl x509 -text | grep -E '(CN|Alternative)' -A 2

Note: Replace DOMAIN with the origin domain name and SERVER_DOMAIN with the origin domain name. Or, if the viewer host header is forwarded to the origin, then replace SERVER_DOMAIN with the incoming host header value.

If the one of the following scenarios occurs, then you must configure the cache policy or origin request policy to include the host header:

  • The origin's certificate includes the viewer host header value as either the SSL certificate's common name or the subject alternate name (SAN).
  • The host header isn't forwarded to the origin.

Origin certificate is expired, not trusted, or self-signed, or the certificate chain is in the wrong order

A trusted Certificate Authority (CA) must sign the certificate installed on the custom origin. For a list of trusted certificate authorities, see Mozilla included CA certificate list on the Mozilla website.

CloudFront doesn't support self-signed certificates for SSL set up with the origin.

To check if your origin certificate is expired, run the following OpenSSL command:

$ openssl s_client -connect DOMAIN:443 -servername SERVER_DOMAIN | openssl x509 -text | grep Validity -A 3

Note: Replace DOMAIN with the origin domain name and SERVER_DOMAIN with the origin domain name. Or, if the viewer host header is forwarded to the origin, then replace SERVER_DOMAIN with the incoming host header value.

In the output of the preceding command, find the Not Before and Not After parameters. Confirm that the current date and time is within the certificate's validity period.

Missing intermediate CA certificates or the incorrect order of intermediate certificates causes failure between HTTPS communication and the origin. To check the certificate chain, run the following command:

$ openssl s_client -showcerts -connect DOMAIN:443 -servername SERVER_DOMAIN

Note: Replace DOMAIN with the origin domain name and SERVER_DOMAIN with the origin domain name. Or, if the viewer host header is forwarded to the origin, then replace SERVER_DOMAIN with the incoming host header value.

For more information, see Requirements for using SSL/TLS certificates with CloudFront.

CloudFront doesn't support the origin's cipher suite

SSL/TLS transactions between CloudFront and Origin fail if there is no common negotiated ciphers suite. You must use supported protocols and ciphers.

Use an SSL server test tool to check if your origin's cipher suite is included on the list of supported ciphers. For more information, see SSL Server Test on the Qualys website.

CloudFront can't resolve the origin IP address

If CloudFront can't resolve the origin domain, then it returns a 502 error. To troubleshoot this issue, use a dig or nslookup command to check if the origin domain resolves to an IP address.

If you use Linux, then run the following command:

$ dig ORIGIN_DOMAIN_NAME

If you use Windows, then run the following command:

nslookup ORIGIN_DOMAIN_NAME

Note: Replace ORIGIN_DOMAIN_NAME with the origin domain name.

The preceding commands return the IP address of the origin domain name. Use a DNS checker tool to check for DNS resolution across different geographies. To view the tool, see Check DNS Propagation on the DNS Checker website.

Upstream origin issues

You can use a proxy, Content Delivery Network (CDN) hostname, or load balancer connected to the origin as a custom origin in the CloudFront distribution. If one of these intermediary services fails to connect to the origin, then you receive a 502 error. To resolve this issue, work with your origin service provider.

If you use Application Load Balancer as your origin, then see How do I troubleshoot Application Load Balancer HTTP 502 errors?

If you use Amazon API Gateway, then see How do I resolve HTTP 502 errors from API Gateway REST APIs with Lambda proxy integration?

The Lambda@Edge function associated with the CloudFront distribution failed validation

If the Lambda@Edge function returns a response to CloudFront that's not valid, then CloudFront returns a 502 error. To resolve this issue, check your Lambda@Edge function for the following common issues:

  • Returned JSON object
  • Missing required fields
  • Not valid objects in the response
  • Adding or updating is disallowed
  • Read-only headers
  • Exceeded maximum body size
  • Characters or values that are not valid

For more information, see Test and debug Lambda@Edge functions.

AWS OFFICIAL
AWS OFFICIALUpdated 3 months ago