Unable to run Cloudfront with Lightsail


We don't have much info about coding, but if someone can guide us how to solve the 502 error "The request could not be satisfied". Have come down to this being due to the certificate on Lightsail, which should include the CloudFront domain, but I'm not able to properly revoke the old certificate that is installed on the Lightsail instance. All I need is a proper guide to revoke the certificate. Have installed this time with Lego. Then we can include the CloudFront domain in the new certificate and then this should work. (Revoking the BNCert issued certificate for your domain. Then, follow this guide (https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach) for installation of certificates with Lego, with only one exception: when you run this command "sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt"", don't use --tls, use --http instead. You also (in addition to yourdomain.com and www.yourdomain.com) need to have a --domains="xxx.cloudfront.net" entry in there to cover a SAN for the CloudFront distribution.)

  • Also, I had revoked the certificate with a command earlier but then received authentication errors while installing the new certificate for both domains; but when installed only on the main domain, the certificate installed without any problems this time (had done it with Lego this time, earlier it was bncert).

asked 2 years ago, 1322 views
1 Answer

Hi,

I understand you are getting a 502 error when trying to connect CloudFront with Lightsail and you can't revoke your certificate. Please correct me if I misunderstood.

HTTP 502 errors from Cloudfront can occur because of the following reasons:

1) There's an SSL negotiation failure because the origin is using SSL/TLS protocols and ciphers that aren't supported by CloudFront.

2) There's an SSL negotiation failure because the SSL certificate on the origin is expired or invalid, or because the certificate chain is invalid.

3) There's a host header mismatch in the SSL negotiation between your CloudFront distribution and the custom origin.

To solve the 502 error please follow this link [1] for instructions.

With regards to revoking the original certificate installed on the Lightsail instance, for this you will need to contact the certificate authority that issued the certificate. From your post it also appears that you would like to revoke the certificate as it does not include the CloudFront domain. Note that if you are accessing the application using the CloudFront URL, e.g. "d111111abcdef8.cloudfront.net", and you are referring to this domain "cloudfront.net", then this should not be added to your certificate. If you are accessing CloudFront using your own custom domain, then the custom domain name should be included on your certificate and should also be added as an alternate domain to the CF distribution [2]. The host header (domain) in the request should match a domain covered by the certificate. DNS should also be updated to point your custom domain to your CF distribution.

I hope this was helpful!

References

[1] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html

[2] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html

Karabo
answered 2 years ago
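The answer lists three origin-side causes of a CloudFront 502 (unsupported protocol or cipher, expired or untrusted certificate, and a host header that no SAN entry covers). The following pre-flight check, added here as an example and not code from the question, the answer, or Bitnami/AWS, reproduces those checks from the Lightsail box or any workstation: it connects to the origin with SNI set to the domain CloudFront will send, verifies the chain, and then reports whether the presented certificate's SAN list actually covers that host. All hostnames in it (origin.example.com, www.example.com) are constructed placeholders.

```python
# Added example: origin TLS pre-flight for a CloudFront custom origin.
# Not from the original post; hostnames below are constructed placeholders.
import socket
import ssl
import time


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """True if hostname is covered by one of the DNS SAN entries.

    Exact match, or a single leftmost wildcard label ("*.example.com")
    that covers exactly one label: www.example.com yes, a.b.example.com no.
    """
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def classify_certificate(hostname, san_dns_names, not_before, not_after, now=None):
    """Return the 502-relevant problems for a cert presented to `hostname`.

    not_before / not_after are Unix timestamps, which is what
    ssl.cert_time_to_seconds() yields for the strings in getpeercert().
    """
    now = time.time() if now is None else now
    problems = []
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    if not hostname_matches(hostname, san_dns_names):
        problems.append(
            f"host header mismatch: {hostname} not covered by SAN {list(san_dns_names)}"
        )
    return problems


def probe_origin(origin_host, host_header=None, port=443, timeout=5.0):
    """Handshake with the origin the way CloudFront would and classify the result.

    SNI is set to `host_header` (the domain CloudFront forwards); the chain is
    verified against the system trust store, but hostname checking is done by
    classify_certificate() so the SAN list is reported even on a mismatch.
    """
    host_header = host_header or origin_host
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # keep CERT_REQUIRED, do the name check ourselves
    try:
        with socket.create_connection((origin_host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host_header) as tls:
                cert = tls.getpeercert()
                protocol = tls.version()
    except ssl.SSLCertVerificationError as exc:
        # cause 2: chain not trusted, self-signed, or expired at the CA level
        return {"ok": False, "problems": [f"chain verification failed: {exc.verify_message}"]}
    except ssl.SSLError as exc:
        # cause 1: no protocol or cipher in common (handshake failure)
        return {"ok": False, "problems": [f"TLS negotiation failed: {exc}"]}
    except OSError as exc:
        return {"ok": False, "problems": [f"connection failed: {exc}"]}

    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    problems = classify_certificate(
        host_header,
        sans,
        ssl.cert_time_to_seconds(cert["notBefore"]),
        ssl.cert_time_to_seconds(cert["notAfter"]),
    )
    return {"ok": not problems, "problems": problems, "san": sans, "protocol": protocol}


if __name__ == "__main__":
    # Usage: origin is the Lightsail instance, host header is the custom
    # domain that CloudFront will send (placeholders, constructed).
    print(probe_origin("origin.example.com", host_header="www.example.com"))
```

If the result lists a host header mismatch, the fix is the one the answer describes: reissue the origin certificate with the custom domain in its SAN list (or stop forwarding that host header), rather than adding cloudfront.net to the certificate.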
