How do I troubleshoot issues with my CloudFront distribution's connection to a custom origin over HTTPS?

Last updated: 2021-07-09

I configured my Amazon CloudFront distribution to connect to a custom origin using HTTPS. Now, I receive the "CloudFront could not connect to Origin" error with the HTTP status code 502 (Bad Gateway).

Resolution

Verify that the CloudFront distribution's Origin Domain Name matches the certificate domain name

Verify that the Origin Domain Name specified on your CloudFront distribution matches a domain name on your origin SSL/TLS certificate. The distribution's Origin Domain Name can match either of the following:

  • The domain name specified as the certificate's Common Name (CN)
  • The domain name specified in the certificate's Subject Alternative Name (SAN)

If the Origin Domain Name doesn't match any domain name associated with your certificate, then CloudFront returns the HTTP status code 502 (Bad Gateway).

Check for any missing intermediary certificate authorities

Use an SSL checker to test whether your origin's certificate chain is available and doesn't need any intermediary certificate authorities.

If you're using Elastic Load Balancing as your custom origin and must update the certificate chain, do the following:

Upload the certificate again with the correct certificate chain.

-or-

Use AWS Certificate Manager (ACM) to request a public certificate that secures your domain. ACM is fully integrated with Elastic Load Balancing.

Test your origin's supported protocol policy and ciphers

For the SSL handshake to succeed, your origin must support the ciphers that CloudFront uses.

If your origin protocol policy has SSLv3 enabled, CloudFront uses only SSLv3 to communicate to your origin from the command line or Windows terminal.

Note: OpenSSL is usually available by default on Linux and macOS systems. OpenSSL for Windows is available on the OpenSSL website.

To test whether your origin supports the ciphers that CloudFront uses, run the following OpenSSL commands.

If your origin protocol policy is set to SSLv3, run:

echo | openssl s_client -ssl3 -cipher 'ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443

If your origin is using TLS, test your origin for each protocol using these commands:

For TLS, run:

echo | openssl s_client -tls1 -cipher 'ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443 -servername your.origin.domain

For TLS 1.1, run:

echo | openssl s_client -tls1_1 -cipher 'ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443 -servername your.origin.domain

For TLS 1.2, run:

echo | openssl s_client -tls1_2 -cipher 'ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443 -servername your.origin.domain

Note: Set the value of -servername to the origin domain name. Or, if you're using CloudFront to forward the Host header, set -servername to the CNAME from the CloudFront request.

If you successfully connect to the origin, you see output from the preceding commands that's similar to the following. The output confirms that your connection was successfully established using the SSL or TLS version and supported ciphers.

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-SHA256
....
Timeout : 7200 (sec)
Verify return code: 0 (ok)
----
DONE

Note: For more troubleshooting guidance on 502 errors, see HTTP 502 Status Code (Bad Gateway).


Did this article help?


Do you need billing or technical support?