The HTTP connection between my CloudFront distribution and load balancer works, but the HTTPS connection fails. Why?
Last updated: 2019-06-21
I'm using a Classic Load Balancer or Application Load Balancer as the origin for my Amazon CloudFront distribution. I have HTTPS and HTTP listeners configured on my load balancer, but the HTTPS communication between CloudFront and my load balancer fails. If I change the origin protocol policy on my distribution to HTTP only, the connection works. How can I resolve the HTTPS communication issues?
The HTTPS communication failure might be caused by issues with the associated SSL certificate, security groups, or network access control list (ACL). Be sure that your distribution and load balancer meet the following security requirements:
- You must have a valid SSL certificate installed on the load balancer. If you're still getting HTTPS errors after installing an SSL certificate, troubleshoot the SSL connection between Amazon CloudFront and the custom origin server.
- If your CloudFront distribution connects to your load balancer on port 443, the security groups associated with your load balancer must allow traffic on port 443 from CloudFront IP addresses. For more information on updating security groups, see Configure Security Groups for Your Classic Load Balancer or Security Groups for Your Application Load Balancer.
- The network ACLs associated with your load balancer's Amazon Virtual Private Cloud (VPC) must allow traffic from CloudFront on HTTPS ports (typically port 443).
Note: Application Load Balancers support multiple TLS certificates with smart selection using Server Name Indication (SNI). If you're whitelisting the host header on your CloudFront distribution, verify that the Application Load Balancer has a TLS certificate configured with the same name. Otherwise, the Application Load Balancer offers its default certificate, which might not match the SNI associated with the ClientHello message from CloudFront.