How do I troubleshoot issues with my CloudFront distribution's connection to a custom origin over HTTPS?


I configured my Amazon CloudFront distribution to connect to a custom origin using HTTPS. Now, I receive the "CloudFront could not connect to Origin" error with the HTTP status code 502 (Bad Gateway).

Resolution

Verify that the CloudFront distribution's Origin Domain Name matches the certificate domain name

Verify that the Origin Domain Name specified on your CloudFront distribution matches a domain name on your origin SSL/TLS certificate. The distribution's Origin Domain Name can match either of the following:

  • The domain name specified as the certificate's Common Name (CN)
  • The domain name specified in the certificate's Subject Alternative Name (SAN)

If the Origin Domain Name doesn't match any domain name associated with your certificate, then CloudFront returns the HTTP status code 502 (Bad Gateway).

Check for any missing intermediary certificate authorities

Use an SSL checker to test whether your origin presents its complete certificate chain, that is, whether the chain is missing any intermediate certificate authorities that CloudFront needs to validate the origin's certificate.

If you're using Elastic Load Balancing as your custom origin and must update the certificate chain, then do the following:

Upload the certificate again with the correct certificate chain.

-or-

Use AWS Certificate Manager (ACM) to request a public certificate that secures your domain. ACM is fully integrated with Elastic Load Balancing.

Test your origin's supported protocol policy and ciphers

For the SSL handshake to succeed, your origin must support the ciphers that CloudFront uses.

If your origin protocol policy has SSLv3 turned on, then CloudFront uses only SSLv3 to communicate with your origin.

Note: OpenSSL is usually available by default on Linux and macOS systems. OpenSSL for Windows is available on the OpenSSL website.

To test whether your origin supports the ciphers that CloudFront uses, run the following OpenSSL commands from the command line or Windows terminal.

If your origin protocol policy is set to SSLv3, then run:

echo | openssl s_client -ssl3 -cipher 'ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443

If your origin is using TLS, then test your origin for each protocol using these commands:

For TLS 1.0, run:

echo | openssl s_client -tls1 -cipher 'ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443 -servername your.origin.domain

For TLS 1.1, run:

echo | openssl s_client -tls1_1 -cipher 'ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443 -servername your.origin.domain

For TLS 1.2, run:

echo | openssl s_client -tls1_2 -cipher 'ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443 -servername your.origin.domain

Note: Set the value of -servername to the origin domain name. Or, if you're using CloudFront to forward the Host header, set -servername to the CNAME from the CloudFront request.

If you successfully connect to the origin, then you see output from the preceding commands that's similar to the following. The output confirms that your connection is successfully established using the SSL or TLS version and supported ciphers.

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-SHA256
....
Timeout : 7200 (sec)
Verify return code: 0 (ok)
----
DONE

Note: For more troubleshooting guidance on 502 errors, see HTTP 502 status code (Bad Gateway).
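The checks above (Origin Domain Name matching the certificate's CN or SAN, a complete chain, and a protocol and cipher the origin will negotiate) can be scripted in one place. The following is an added example using Python's standard ssl module, not code from this article or from AWS; the SAMPLE_CERT value is constructed to mirror the dict shape that getpeercert() returns, and the probe_origin() function assumes the origin listens on port 443.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real origin's cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "subjectAltName": (("DNS", "origin.example.com"), ("DNS", "*.static.example.com")),
}

def _label_match(pattern, hostname):
    """RFC 6125-style match: '*' is allowed only as the whole leftmost label and
    matches exactly one label; anything else is a case-insensitive exact match."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    parts = hostname.split(".")
    return len(parts) > 1 and parts[0] != "" and ".".join(parts[1:]) == pattern[2:]

def cert_names(cert):
    """DNS names the certificate is valid for: SAN DNS entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names

def origin_name_matches(cert, origin_domain):
    """True when the CloudFront Origin Domain Name matches the CN or a SAN entry."""
    return any(_label_match(name, origin_domain) for name in cert_names(cert))

def probe_origin(origin_domain, servername=None, min_version=ssl.TLSVersion.TLSv1_2):
    """Handshake with the origin the way CloudFront would: validate the served chain
    against the system trust store, then report protocol, cipher and name match."""
    ctx = ssl.create_default_context()  # chain + hostname verification on by default
    ctx.minimum_version = min_version
    sni = servername or origin_domain    # same role as -servername in openssl s_client
    try:
        with socket.create_connection((origin_domain, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0],
                        "name_match": origin_name_matches(cert, origin_domain)}
    except ssl.SSLCertVerificationError as exc:
        # Typical causes: intermediate CA missing from the served chain, or CN/SAN mismatch.
        return {"ok": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # No protocol or cipher in common, or the origin refused the connection.
        return {"ok": False, "error": str(exc)}

if __name__ == "__main__":
    import sys
    print(probe_origin(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

A result with "ok": False and a verify message mentioning an unable-to-get-issuer or self-signed chain points at the intermediate-CA problem described above, while "name_match": False points at the Origin Domain Name check.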

Related information

Requiring HTTPS for communication between CloudFront and your custom origin

AWS OFFICIAL