502 - Bad Gateway : CloudFront wasn't able to connect to the origin

My origin is an EC2 instance with an Elastic IP. It's running a web server with a self-signed certificate. CloudFront is supposed to distribute that. From the documentation my understanding is that CloudFront should be okay with my origin running on a self-signed certificate.

What I have checked:

  • I have configured the origin as my EC2 DNS name using the Elastic IP, so the DNS name/IP would not change each time.
  • My server is listening on port 443, so the domain name alone should be enough without the port being mentioned.
  • The CN field on my self-signed certificate was wrong earlier. I fixed it and the certificate now shows the right domain name in Google Chrome.
  • I checked the CloudFront logs in my S3 bucket. There is no additional information, just "OriginConnectError".
  • If I hit the EC2 DNS name directly in Chrome, Chrome just warns about the certificate, but after proceeding the site works fine. Also, the certificate shows the CN as my EC2 domain name using the Elastic IP.

Please suggest why CloudFront is not able to load content from my origin. If CloudFront logs mentioned even a short reason like "Protocol too weak" or "TLS1.1 not supported by origin" or "CN mismatch" it would be so much easier!!

Other things I have tried: I ran this command to see if TLS1 for my site is working (I replaced domain with mine)...

echo | openssl s_client -tls1 -cipher 'ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443 -servername your.origin.domain

And the result was this (I am not sure if this result is good or bad):

CONNECTED(00000006)
00B6370901000000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
asked a month ago, 170 views
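The s_client transcript in the question is easy to misread: "Verification: OK" and "Verify return code: 0 (ok)" appear even though no certificate was ever received, and the real signal is the `tls_setup_handshake:no protocols available` line together with "read 0 bytes". That error is raised locally, before a ClientHello is sent: the OpenSSL on the asker's machine refused to offer TLS 1.0 (`-tls1`) under its own configuration, so the origin was never tested. The following checker, added here as an example and not code from the thread, parses such transcripts and separates "my client refused" from "the origin rejected" from "the origin answered with an untrusted certificate". Both sample transcripts are constructed: the first reproduces the question's key lines, the second is a typical TLS 1.2 exchange with a self-signed origin (the ec2-203-0-113-10 hostname and byte counts are made up).

```python
import re

# Constructed sample 1: the key lines of the s_client output quoted in the question.
SAMPLE_NO_PROTOCOLS = """CONNECTED(00000006)
00B6370901000000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""

# Constructed sample 2: a TLS 1.2 handshake to a self-signed origin (hostname and
# byte counts are invented; 203.0.113.10 is a documentation address).
SAMPLE_SELF_SIGNED = """CONNECTED(00000003)
depth=0 CN = ec2-203-0-113-10.compute-1.amazonaws.com
verify error:num=18:self-signed certificate
---
SSL handshake has read 1532 bytes and written 421 bytes
Verification error: self-signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Verify return code: 18 (self-signed certificate)
"""

SSL_ERROR_RE = re.compile(r"SSL routines:(?P<func>\w+):(?P<reason>[^:]+):")
BYTES_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
CIPHER_RE = re.compile(r"Cipher is (\S+)")
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*)\)")

EXPLANATIONS = {
    "client_refused_protocol": (
        "The local OpenSSL refused to offer the requested protocol version and sent only an "
        "alert; the origin was never exercised. Re-run with -tls1_2 (or -tls1_3) to test a "
        "version the origin is expected to support."
    ),
    "untrusted_origin_cert": (
        "The handshake completed but the chain did not verify (self-signed or unknown issuer). "
        "A browser warns and continues; a client that requires a trusted chain aborts here."
    ),
    "origin_rejected": "The origin answered and then failed the handshake (protocol/cipher or SNI mismatch).",
    "tls_ok": "Handshake completed and the certificate verified.",
    "no_reply": "Nothing came back from the origin; check reachability and security groups.",
}


def classify_s_client(output: str) -> dict:
    """Reduce an `openssl s_client` transcript to a few facts plus a verdict."""
    lines = output.splitlines()
    err = SSL_ERROR_RE.search(output)
    nbytes = BYTES_RE.search(output)
    cipher = CIPHER_RE.search(output)
    verify = VERIFY_RE.search(output)

    facts = {
        "tcp_connected": any(line.startswith("CONNECTED(") for line in lines),
        "peer_cert_received": "no peer certificate available" not in output,
        "handshake_completed": bool(cipher) and cipher.group(1) != "(NONE)",
        "bytes_read": int(nbytes.group(1)) if nbytes else None,
        "bytes_written": int(nbytes.group(2)) if nbytes else None,
        "error_reason": err.group("reason") if err else None,
        "verify_code": int(verify.group(1)) if verify else None,
    }
    # The verify lines only mean something once a certificate actually arrived.
    facts["verify_line_meaningful"] = facts["peer_cert_received"]

    if facts["error_reason"] == "no protocols available":
        verdict = "client_refused_protocol"
    elif facts["handshake_completed"] and facts["verify_code"] not in (None, 0):
        verdict = "untrusted_origin_cert"
    elif facts["handshake_completed"]:
        verdict = "tls_ok"
    elif facts["error_reason"] and (facts["bytes_read"] or 0) > 0:
        verdict = "origin_rejected"
    else:
        verdict = "no_reply"

    facts["verdict"] = verdict
    facts["explanation"] = EXPLANATIONS[verdict]
    return facts


if __name__ == "__main__":
    for name, sample in (("question", SAMPLE_NO_PROTOCOLS), ("self-signed", SAMPLE_SELF_SIGNED)):
        result = classify_s_client(sample)
        print(f"{name}: {result['verdict']} - {result['explanation']}")
```

Pipe a real transcript in with `openssl s_client ... 2>&1 | python3 -c 'import sys, check; print(check.classify_s_client(sys.stdin.read())["verdict"])'` (the module name `check` is whatever you save the file as). The practical point for the question: until the verdict for the origin is something other than `client_refused_protocol`, the test says nothing about CloudFront's ability to connect.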
3 Answers
You need to deploy an ALB with your own certificate applied for this to work. You wouldn't need to buy a CA or certificate. You can point to your ALB, or if you want to point straight at an EC2 instance then use something like a Let's Encrypt cert.

answered a month ago
  • You have a domain you own and point a DNS record at the IP address or DNS name of the EC2 instance. Install an SSL cert for said domain on the EC2 instance. You do not need to buy any certs related to the AWS domain. Then point CloudFront to the DNS name you just created.

Hello Theodore,

While CloudFront can accept a self-signed certificate on the origin, ensure that:

  1. Origin Protocol Policy: CloudFront is configured to use HTTPS to communicate with the origin if the server only listens on port 443.
  2. Certificate Validity: The self-signed certificate is valid, with the correct Common Name (CN) matching the domain CloudFront is using to access the origin.
  3. Security Groups and NACLs: The EC2 instance's security group allows inbound traffic on port 443 from CloudFront IP ranges.
  4. Origin SSL Protocols: CloudFront and the EC2's web server agree on the SSL protocols and ciphers. Check CloudFront's distribution settings to ensure the SSL protocol being used is supported by your EC2 instance.

The output of the openssl command suggests that the SSL handshake isn't being completed, which could mean a protocol mismatch or other SSL configuration issue. Double-check your SSL settings on both CloudFront and the EC2 instance. If necessary, consider using an SSL/TLS checker to validate the server's SSL configuration.

Let me know if I can help with anything else.

answered a month ago
  • Thank you for your answer. If HTTP is allowed, then why not allow a self-signed certificate? Why would I buy a trusted CA certificate for a domain name like ec2-that-elastic-ip.amazonaws.com? That's not even the name of the domain that I own! There is probably a good reason for this... maybe HTTPS is not the right approach for EC2.

  • Again my bad: it's all explained very clearly in the docs: CloudFront uses the Host header value instead if you configure it to forward the Host header, which means that the origin's TLS certificate must contain www.example.com in its CN or SAN. CloudFront also uses those domain names as an SNI in its initial TLS handshake. You may want to utilize this fact when using an Application Load Balancer (ALB) as an origin, because you must install a TLS certificate and its CN or SAN will not validate the default ALB domain (for example, alb-1234.us-east-1.elb.amazonaws.com) but will validate your own domain (www.example.com) instead. Alternatively, you can set a DNS record, such as origin.example.com, set the origin TLS certificate to validate that domain name, and associate the DNS record to the ALB via Amazon Route53 or another domain name server.

  • I'm glad to hear it worked out! Gary's response was spot on.

My bad... AWS Documentation says... "You can’t use a self-signed certificate for HTTPS communication between CloudFront and your origin." https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

However, this is confusing to me. Why would I buy a trusted CA certificate for a domain name like ec2-that-elastic-ip.amazonaws.com? That's not even the name of the domain that I own!

answered a month ago
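The thread ends with two rules that together explain the OriginConnectError: the documentation quoted in the last answer (no self-signed certificate between CloudFront and the origin), and the comment under the second answer (CloudFront validates, and sends as SNI, either the origin domain name or, when the Host header is forwarded, the viewer's Host value). The checker below encodes both rules so the asker's setup and the suggested fixes can be compared side by side. It is an added example, not code from the thread or from AWS: certificates are plain dicts standing in for parsed X.509 fields, the ec2-203-0-113-10 hostname and the example.com names are constructed, and the name matching follows the usual RFC 6125 behaviour (SAN entries first, the CN only when the certificate carries no dNSName SAN, a wildcard covering exactly one leftmost label).

```python
# Constructed certificates: dicts standing in for the parsed subject CN, SAN list
# and whether the certificate is self-signed.
EC2_HOST = "ec2-203-0-113-10.compute-1.amazonaws.com"  # placeholder EC2 public DNS name
ASKER_CERT = {"cn": EC2_HOST, "sans": [], "self_signed": True}
FIXED_CERT = {"cn": "origin.example.com", "sans": ["origin.example.com"], "self_signed": False}
WILDCARD_CERT = {"cn": "*.example.com", "sans": ["*.example.com"], "self_signed": False}


def name_cloudfront_validates(origin_domain, forward_host_header=False, viewer_host=None):
    """Hostname CloudFront sends as SNI and expects the origin certificate to cover.

    With the Host header forwarded it is the viewer's Host (e.g. www.example.com);
    otherwise it is the origin domain name configured on the distribution.
    """
    return viewer_host if forward_host_header else origin_domain


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style match: exact (case-insensitive) or a single leftmost wildcard label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        labels = hostname.split(".")
        # '*.example.com' covers 'www.example.com' but neither 'example.com'
        # nor 'a.b.example.com'; refuse patterns such as '*.com'.
        return (
            len(labels) >= 3
            and len(suffix.split(".")) >= 2
            and ".".join(labels[1:]) == suffix
        )
    return False


def cert_name_match(expected_host, cert):
    """Return 'SAN', 'CN' or None depending on how the certificate covers expected_host.

    Modern validators consult the CN only when there is no dNSName SAN at all.
    """
    sans = cert.get("sans", [])
    if any(_dns_name_matches(san, expected_host) for san in sans):
        return "SAN"
    if not sans and cert.get("cn") and _dns_name_matches(cert["cn"], expected_host):
        return "CN"
    return None


def origin_tls_problems(cert, origin_domain, forward_host_header=False, viewer_host=None):
    """List the reasons CloudFront would refuse this origin certificate.

    Rules taken from the thread: self-signed certificates are not accepted on the
    origin, and the certificate must cover the name CloudFront validates.
    """
    problems = []
    if cert.get("self_signed"):
        problems.append("issuer: self-signed certificates are not accepted between CloudFront and the origin")
    expected = name_cloudfront_validates(origin_domain, forward_host_header, viewer_host)
    if cert_name_match(expected, cert) is None:
        problems.append(
            f"name: certificate does not cover {expected} "
            f"(CN={cert.get('cn')}, SAN={cert.get('sans', [])})"
        )
    return problems


if __name__ == "__main__":
    cases = [
        ("asker: self-signed cert on the EC2 DNS name", ASKER_CERT, EC2_HOST, False, None),
        ("fix: CA-issued cert for origin.example.com", FIXED_CERT, "origin.example.com", False, None),
        ("fix but Host header forwarded", FIXED_CERT, "origin.example.com", True, "www.example.com"),
        ("wildcard cert with Host header forwarded", WILDCARD_CERT, "origin.example.com", True, "www.example.com"),
    ]
    for label, cert, origin, fwd, viewer in cases:
        print(f"{label}: {origin_tls_problems(cert, origin, fwd, viewer) or 'OK'}")
```

The first case reproduces the asker's situation: the name matches (CN equals the EC2 DNS name, which is what Chrome was happy with), yet the issuer rule alone is enough to fail the origin connection, which is why no amount of CN fixing helped. The third case shows the trap the comment describes: a certificate that is fine for the origin domain stops matching as soon as the distribution forwards the viewer's Host header.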
