The HTTP connection between my CloudFront distribution and load balancer works, but the HTTPS connection fails. Why?

Last updated: 2019-06-21

I'm using a Classic Load Balancer or Application Load Balancer as the origin for my Amazon CloudFront distribution. I have HTTPS and HTTP listeners configured on my load balancer, but the HTTPS communication between CloudFront and my load balancer fails. If I change the origin protocol policy on my distribution to HTTP only, the connection works. How can I resolve the HTTPS communication issues? 

Resolution

The HTTPS communication failure might be caused by issues with the associated SSL certificate, security groups, or network access control list (ACL). Be sure that your distribution and load balancer meet the following security requirements:

Note: Application Load Balancers support multiple TLS certificates with smart selection using Server Name Indication (SNI). If you're whitelisting the host header on your CloudFront distribution, verify that the Application Load Balancer has a TLS certificate configured with the same name. Otherwise, the Application Load Balancer offers its default certificate, which might not match the SNI associated with the ClientHello message from CloudFront.


Did this article help you?

Anything we could improve?


Need more help?