I configured my Amazon CloudFront distribution to connect to a custom origin using HTTPS. Why am I getting the error "CloudFront could not connect to Origin" with the HTTP status code 502 (Bad Gateway)?

Verify that the CloudFront distribution's Origin Domain Name matches the certificate domain name

Verify that the Origin Domain Name specified on your CloudFront distribution matches a domain name on your origin's SSL/TLS certificate. The Origin Domain Name can match either the certificate's Common Name (CN) or one of the names listed in its Subject Alternative Name (SAN) extension. Note that CloudFront validates the certificate against the Origin Domain Name, not against the domain name viewers use to reach the distribution.

If the Origin Domain Name doesn't match any domain name on the certificate, the TLS handshake between CloudFront and your origin fails and CloudFront returns the HTTP status code 502 (Bad Gateway).
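The following script is an added example and is not part of the AWS article: it pulls the CN and SAN DNS names out of an origin's certificate and applies the same matching rule CloudFront does, including single-label wildcard entries. The hostnames and the certificate text in `SAMPLE_CERT_TEXT` are constructed for illustration; the live `fetch_cert_names` function needs network access and OpenSSL 1.1.1 or later for the `-ext` option.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): check whether a hostname is covered
# by the CN or SAN names of an origin certificate, as CloudFront does for the
# Origin Domain Name. All hostnames and sample certificate text are constructed.

# Live probe: fetch the origin's leaf certificate and print subject + SAN.
# Requires OpenSSL 1.1.1+ for "x509 -ext". Not exercised by the offline checks.
fetch_cert_names() {
  host="$1"
  echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName
}

# Print every DNS name the certificate text carries: the CN from the subject
# line plus each DNS: entry in the Subject Alternative Name extension.
cert_dns_names() {
  printf '%s\n' "$1" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p'
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 when the certificate name $1 matches hostname $2.
# A leading "*." wildcard matches exactly one label (RFC 6125 rule), so
# *.example.com covers origin.example.com but not a.b.example.com or example.com.
name_matches() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pattern" in
    \*.*)
      suffix="${pattern#\*.}"
      rest="${host%.$suffix}"
      # host must end in ".suffix" and keep exactly one label in front of it
      [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]
      ;;
    *)
      [ "$pattern" = "$host" ]
      ;;
  esac
}

# Return 0 when any CN/SAN name in the certificate text $1 covers hostname $2.
cert_matches_host() {
  cert_text="$1"; host="$2"
  for name in $(cert_dns_names "$cert_text"); do
    if name_matches "$name" "$host"; then
      return 0
    fi
  done
  return 1
}

# Constructed sample of "openssl x509 -noout -subject -ext subjectAltName" output.
SAMPLE_CERT_TEXT='subject=C = US, O = Example Corp, CN = origin.example.com
X509v3 Subject Alternative Name: 
    DNS:origin.example.com, DNS:*.internal.example.com'

# Live usage: ./check-origin-cert.sh origin.example.com
if [ $# -gt 0 ]; then
  names=$(fetch_cert_names "$1")
  if cert_matches_host "$names" "$1"; then
    echo "OK: $1 is covered by the origin certificate"
  else
    echo "MISMATCH: $1 is not covered; names on certificate:"; cert_dns_names "$names"
  fi
fi
```

When you already have the certificate saved as PEM, `openssl x509 -noout -checkhost origin.example.com -in origin.pem` performs the same comparison in one step.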

Check for any missing intermediate certificate authorities

Use an SSL check tool (or openssl s_client -showcerts) to confirm that your origin sends its complete certificate chain, including every intermediate CA certificate between the leaf certificate and a trusted root. If the origin sends only the leaf certificate, CloudFront can't build a trusted chain to a root CA it recognizes, and the connection fails.

If you're using an Elastic Load Balancing load balancer as your custom origin and the chain it serves is incomplete, re-upload the certificate together with the correct certificate chain.
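The following script is an added example, not code from the AWS article: it reads the chain that an origin actually sends out of `openssl s_client -showcerts` output and classifies the result from OpenSSL's "Verify return code" line. Verify code 21 ("unable to verify the first certificate") is what OpenSSL reports when the server sends a leaf whose issuer it neither sent nor has in the local trust store; code 0 is a complete, trusted chain. The two sample outputs (`SAMPLE_LEAF_ONLY`, `SAMPLE_COMPLETE`) are constructed, with placeholder text where the PEM bodies would be; `probe_chain` is the live probe and is not run offline.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): detect a missing intermediate CA
# from "openssl s_client -showcerts" output. Sample outputs are constructed.

# Live probe: dump the certificate chain the origin sends. Not run offline.
probe_chain() {
  echo | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null
}

# Number of certificates the server sent (leaf plus intermediates).
chain_length() {
  printf '%s\n' "$1" | grep -c 'BEGIN CERTIFICATE' || true
}

# OpenSSL's verification result, taken from "Verify return code: N (...)".
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | tail -n 1
}

# Classify the chain: complete, missing-intermediate, untrusted-issuer, or unknown.
chain_status() {
  code="$(verify_code "$1")"
  case "$code" in
    0)  echo complete ;;
    21) echo missing-intermediate ;;   # leaf received, its issuer was not sent
    20) echo untrusted-issuer ;;       # chain stops at a cert whose issuer is not in the trust store
    *)  echo "unknown (code ${code:-none})" ;;
  esac
}

# Constructed s_client output for an origin that sends only its leaf certificate.
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
depth=0 CN = origin.example.com
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = origin.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate body)
-----END CERTIFICATE-----
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 21 (unable to verify the first certificate)
---'

# Constructed s_client output for an origin that sends leaf + intermediate.
SAMPLE_COMPLETE='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = origin.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate body)
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate body)
-----END CERTIFICATE-----
---
SSL-Session:
    Verify return code: 0 (ok)
---'

# Live usage: ./check-origin-chain.sh origin.example.com
if [ $# -gt 0 ]; then
  out="$(probe_chain "$1")"
  echo "$1 sent $(chain_length "$out") certificate(s); chain status: $(chain_status "$out")"
fi
```

A result of missing-intermediate with a chain length of 1 is the classic symptom: the origin serves only its leaf. Install the intermediate certificate on the origin (or, for an ELB listener, re-upload the certificate with its chain) and re-run the probe until it reports complete.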

Test your origin's supported protocol policy and ciphers

For the SSL/TLS handshake to succeed, your origin must support at least one of the protocol versions and at least one of the cipher suites that CloudFront offers.

If your origin protocol policy has SSLv3 enabled, CloudFront uses only SSLv3 to communicate with your origin. SSLv3 is deprecated and insecure, and many current OpenSSL builds are compiled without it (the -ssl3 option is disabled by default since OpenSSL 1.1.0), so this test may need an older OpenSSL build. To test whether your origin supports the ciphers that CloudFront uses over SSLv3, run this OpenSSL command:

echo | openssl s_client -ssl3 -cipher 'ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443

If your origin is using TLS, test your origin for each protocol using these commands:

For TLS 1.0, run: 

echo | openssl s_client -tls1 -cipher 'ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443

For TLS 1.1, run: 

echo | openssl s_client -tls1_1 -cipher 'ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443

For TLS 1.2, run: 

echo | openssl s_client -tls1_2 -cipher 'ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 AES256-SHA AES128-SHA DES-CBC3-SHA RC4-MD5 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA' -connect your.origin.domain:443
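Rather than run the four commands above by hand and read each transcript, the following added script (not part of the AWS article) loops over the same protocol flags and cipher list and reads the outcome from the "New, <protocol>, Cipher is <suite>" line that s_client prints: a completed handshake names the negotiated suite, a failed one prints "(NONE)". The hostname and the two sample transcripts (`SAMPLE_OK`, `SAMPLE_FAIL`) are constructed; `probe_origin` is the live probe and is not run offline.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): probe an origin for each protocol
# version with the article's cipher list and report which handshakes succeed.
# The hostname and sample s_client transcripts are constructed.

# The cipher list from the article, colon-separated as OpenSSL prefers.
# RC4-MD5 and DES-CBC3-SHA are legacy suites; a modern origin should not need them.
CF_CIPHERS='ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES256-SHA:AES128-SHA:DES-CBC3-SHA:RC4-MD5:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA'

# Negotiated cipher from an s_client transcript: the suite name, or "(NONE)"
# when the handshake failed. Prints nothing if the line is absent.
negotiated_cipher() {
  printf '%s\n' "$1" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | tail -n 1
}

# 0 when the transcript shows a completed handshake, 1 otherwise.
handshake_ok() {
  c="$(negotiated_cipher "$1")"
  [ -n "$c" ] && [ "$c" != "(NONE)" ]
}

# Live probe: try each protocol version with the CloudFront cipher list.
# -ssl3 only works in OpenSSL builds compiled with SSLv3 support. Not run offline.
probe_origin() {
  host="$1"
  for proto in -ssl3 -tls1 -tls1_1 -tls1_2; do
    out="$(echo | openssl s_client "$proto" -cipher "$CF_CIPHERS" \
             -connect "$host:443" -servername "$host" 2>&1 || true)"
    if handshake_ok "$out"; then
      echo "$proto: accepted, negotiated $(negotiated_cipher "$out")"
    else
      echo "$proto: rejected (no common protocol/cipher, or unsupported by this openssl)"
    fi
  done
}

# Constructed transcript of a successful TLS 1.2 handshake.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
---'

# Constructed transcript of a rejected handshake (server sent alert 40).
SAMPLE_FAIL='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)
---'

# Live usage: ./probe-origin-tls.sh origin.example.com
if [ $# -gt 0 ]; then
  probe_origin "$1"
fi
```

A protocol that every modern viewer-facing CloudFront configuration relies on is TLS 1.2; if the -tls1_2 probe is the only one rejected, the origin's TLS configuration, not CloudFront, is what needs fixing, and a handshake failure alert (SSL alert number 40) typically means no cipher in the list is enabled on the origin for that protocol version.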


Published: 2015-12-31

Updated: 2018-10-30