We as far as aware that AWS Documentation guide has a reason that SNI hostname not matched when CloudFront respond 502 status code. I've understood, totally SNI hostname in ClientHello should be matched on the Custom origin certification SNI list, Only then, can normally next steps for a handshake.
https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html#ssl-negotitation-failure
Today, I've other things do checking about a custom origin certification. So I found out in there has another matched domain certificate file pared in web service. But CloudFront responses no any issues no even doesn't response 502 status. (???)
In these servers, Custom Origin expiration date enough remained. But when I've tested to expired certificate file after renewed on web service, Then CloudFront respond 502 status.
I thought might be CloudFront Origin certificate validation procced changed softly that overlook(insecure) to hostname matches on SNI field.
Is that right my guess?