When you configure CloudFront with a custom origin and use HTTPS, CloudFront might return the error "CloudFront could not connect to Origin" with the HTTP status code 502 (Bad Gateway).

These are the most common reasons for this problem:

  • Custom origin certificate name – CloudFront cannot connect to your origin over HTTPS. This typically occurs when the origin domain name configured for the distribution does not appear in the origin certificate's Common Name or Subject Alternative Name, so certificate validation fails.
  • CloudFront cipher limitations – CloudFront cannot connect to your origin because of protocol or cipher limitations. At the time this article was published, CloudFront connects to custom origins with SSLv3 and TLS 1.0. CloudFront also sends a Server Name Indication (SNI) extension whose value is the origin domain name configured for that origin in your distribution, so the origin must be able to present a certificate for that name.
  • Intermediary certificate authority missing from certificate chain – CloudFront cannot connect to your origin if the origin certificate was issued by an intermediate certificate authority and the origin does not send that intermediate certificate as part of the chain it serves; CloudFront does not download missing intermediates.
  • Problems with the CloudFront/origin SSL handshake – SSL handshake failures most commonly come from a mismatch between the ciphers or protocol versions that CloudFront offers and those the origin accepts.

Here are troubleshooting steps for each of the common causes:

  • Custom origin certificate name – Verify that you can connect to your origin on the HTTPS port using the origin domain name configured in the distribution, and that this name matches the certificate's Common Name or appears in its Subject Alternative Name. From a Linux command prompt, you can verify connectivity with the following command (-v prints the negotiated protocol and the certificate's subject and alternate names, and curl refuses the connection instead of printing headers if the name does not match the certificate):

         curl -Iv https://origin.example.com

    If the certificate on the origin carries the CNAME (alternate domain name) of your web distribution rather than the origin domain name, configure CloudFront to forward the "Host" header so that the host name CloudFront validates matches the name in the certificate.
    For more information about how to forward headers for web distributions, see Headers and Web Distributions.
  • CloudFront cipher limitations – If your origin does not support SNI on TLS 1.0, do not forward the "Host" header; instead, make sure the certificate on your custom origin is either a wildcard certificate or lists the custom origin domain name in its Subject Alternative Name or Common Name, because without SNI the origin can only present its default certificate. For more information about the cipher suites supported for use with CloudFront, see Encryption.
  • Intermediary certificate authority missing from certificate chain – Test your origin with an SSL checker tool to confirm that the complete certificate chain is served and that a client does not have to download additional intermediate certificates. If you use an Elastic Load Balancing load balancer for your custom origin, upload the certificate again together with the appropriate certificate chain. You can use the online tool https://www.ssllabs.com/ssltest/ to check for errors in the certificate chain.
  • Problems with the CloudFront/origin SSL handshake – Run the following command to simulate the CloudFront/origin SSL handshake. It connects to the origin with the same protocol and ciphers that CloudFront uses and, like CloudFront, sends the origin domain name as SNI (-servername). If this command fails, the origin does not accept the ciphers or protocols that CloudFront offers.

         echo | openssl s_client -tls1 -servername your.origin.domain \
             -cipher 'ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:RC4-MD5' \
             -connect your.origin.domain:443

    Note
    Depending on which version of OpenSSL you are using and which platform you are running it on, you might need to run this command once for each of the listed ciphers (6 total), and you might need to use single quotes when specifying the cipher(s) to be tested. To test SSLv3, run the command again with -ssl3 in place of -tls1; OpenSSL builds that have dropped SSLv3 reject that option. Recent OpenSSL builds (3.0 and later) also disable TLS 1.0 and the legacy ciphers at their default security level; append :@SECLEVEL=0 to the cipher string so that the client itself does not refuse the handshake and the test fails for the wrong reason.
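As an added example that is not part of this AWS article, the following Python script runs the certificate checks above against an origin the way CloudFront does: it handshakes with SNI set to the origin domain name and full verification enabled, reports whether the presented certificate covers that name (Subject Alternative Name first, Common Name only as a fallback), and classifies OpenSSL verification failures into the name-mismatch and incomplete-chain causes described above. A second probe omits SNI so you can tell whether the origin needs SNI to pick the right certificate. The function names, the placeholder origin origin.example.com and the constructed sample certificates are this example's own; the verify codes are the standard OpenSSL X509 result codes that Python exposes on SSLCertVerificationError.

```python
"""Probe a CloudFront custom origin for the certificate problems behind
"CloudFront could not connect to Origin" (HTTP 502).  Added example, not
code from the AWS article; origin names below are assumed placeholders."""
import socket
import ssl
import sys

# OpenSSL X509 verify result codes (x509_vfy.h) that point at a chain problem.
_CHAIN_CODES = {
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain (root not trusted)",
    20: "unable to get local issuer certificate (intermediate missing or CA unknown)",
    21: "unable to verify the first certificate (intermediate missing)",
}
_HOSTNAME_MISMATCH = 62  # X509_V_ERR_HOSTNAME_MISMATCH


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard may only be the whole leftmost label
    and matches exactly one label, so *.cdn.example.net does not cover
    a.b.cdn.example.net or cdn.example.net."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_names(cert):
    """Names a certificate covers, given the dict layout of ssl.getpeercert().
    SAN dNSName entries take precedence; the CN is consulted only when the
    certificate has no SAN DNS names, which is how OpenSSL's X509_check_host
    behaves."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def cert_covers_hostname(cert, hostname):
    return any(dns_name_matches(n, hostname) for n in cert_names(cert))


def classify_verify_error(verify_code, verify_message=""):
    """Map an OpenSSL verification failure onto the causes in the article."""
    if verify_code == _HOSTNAME_MISMATCH or "hostname mismatch" in verify_message.lower():
        return "name_mismatch"
    if verify_code in _CHAIN_CODES:
        return "chain_incomplete"
    return "other_verify_error"


def probe_origin(origin, port=443, timeout=10):
    """Handshake like CloudFront: SNI = origin domain name, chain and
    hostname verified against the local trust store.  Returns (status,
    detail); status is ok, name_mismatch, chain_incomplete,
    other_verify_error, handshake_failed or connect_failed."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((origin, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=origin) as tls:
                names = cert_names(tls.getpeercert())
                return "ok", "%s %s, certificate names %s" % (tls.version(), tls.cipher()[0], names)
    except ssl.SSLCertVerificationError as e:
        return classify_verify_error(e.verify_code, e.verify_message), e.verify_message
    except ssl.SSLError as e:
        # Verification never ran: protocol/cipher negotiation itself failed.
        return "handshake_failed", str(e)
    except OSError as e:
        return "connect_failed", str(e)


def probe_without_sni(origin, port=443, timeout=10):
    """Same handshake with no SNI extension.  If this returns False while
    probe_origin() succeeds, the origin relies on SNI to select the right
    certificate; its default certificate does not cover the origin name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # no name is sent, so check it by hand below
    with socket.create_connection((origin, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:  # no server_hostname => no SNI
            cert = tls.getpeercert()
            return cert_covers_hostname(cert, origin), cert_names(cert)


# Constructed sample certificates in getpeercert() layout (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.net")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "origin.example.com"),),)}

if __name__ == "__main__":
    # Offline demonstration: the CN is ignored once SAN DNS names exist.
    print("SAN cert covers origin.example.com:", cert_covers_hostname(SAN_CERT, "origin.example.com"))
    print("CN-only cert covers origin.example.com:", cert_covers_hostname(CN_ONLY_CERT, "origin.example.com"))
    if len(sys.argv) > 1:  # optional live probe: python3 probe_origin.py origin.example.com
        print("with SNI:", probe_origin(sys.argv[1]))
        print("without SNI:", probe_without_sni(sys.argv[1]))
```

A name_mismatch result from probe_origin() corresponds to the first cause above (fix the certificate or forward the Host header), chain_incomplete to the third (re-upload the certificate with its intermediates), and handshake_failed to the second and fourth (the origin rejects the offered protocol or ciphers). Note that the script verifies against your machine's trust store and with your OpenSSL's protocol settings, so a chain that your machine happens to trust through a cached intermediate can still fail for CloudFront; the SSL Labs check above remains the authoritative test for the served chain.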

Published: 2015-12-31