How do I troubleshoot a 502: "The request could not be satisfied" error from CloudFront?

Short description

A 502 error occurs when CloudFront is unable to connect to the origin. See the following sections for the causes of the error, and how to troubleshoot.

Resolution

CloudFront can't establish a TCP connection with the origin server

By default, CloudFront connects to the origin over port 80 (for HTTP) and port 443 (for HTTPS). If the origin doesn't allow traffic over these ports, or blocks the CloudFront IP address's connection, then the TCP connection fails. The failure produces a 502 error. To resolve, confirm that the CloudFront distribution's Protocol setting is set to the correct port for HTTP or HTTPS connections.

To test port connectivity, run the following command:

telnet ORIGIN_DOMAIN/ORIGIN_IP PORT

Note: For ORIGIN_DOMAIN, enter the ID of your origin domain. For ORIGIN_IP, enter the IP address of your origin. For PORT, enter the port number you're using to connect to the origin.

SSL/TLS negotiation with the origin server failed

If the SSL/TLS transaction fails, then the connection between CloudFront and the origin fails and produces a 502 error. See the following sections for causes of an SSL/TLS transaction failure, and how to resolve them.

SSL certificate doesn't match the domain name

The SSL certificate at the origin must include or cover one of the following domain names:

• The origin domain name in the certificate's Common Name field or Subject Alternative Names field.
• The host header's domain name for incoming viewer host headers that are forwarded to the origin in the CloudFront distribution.

To check for the Common Name and Subject Alternative Names in the certificate, run the following command:

$ openssl s_client -connect DOMAIN:443 -servername SERVER_DOMAIN | openssl x509 -text | grep -E '(CN|Alternative)' -A 2

Note: For DOMAIN, enter the origin domain name. For SERVER_DOMAIN enter the origin domain name. Or, if the viewer host header is forwarded to the origin), for SERVER_DOMAIN, enter the incoming host header value.

If the following are true, then configure the cache policy or origin request policy to include the host header:

1. The SSL certificate's common name or subject alternate name (SAN) includes the viewer host header value.
2. The host header is not forwarded to the origin.

Origin Certificate is expired, not trusted, or self-signed

The certificate installed the custom origin must be signed by a trusted Certificate Authority. The certificate authorities trusted by CloudFront are found on the Mozilla included CA certificate list on the Mozilla website.

CloudFront doesn't support self-signed certificates for SSL set up with the origin. Self-signed certificates are issued by the organizations themselves or generated locally on a web-server instead of being issued by a trusted Certificate Authority.

To check if your origin certificate is expired, run the following OpenSSL command. In the output, find the Not Before and Not After parameters. Confirm that the current date and time is within the certificate's validity period.

$ openssl s_client -connect DOMAIN:443 -servername SERVER_DOMAIN | openssl x509 -text | grep Validity -A 3

Note: For DOMAIN, enter the origin domain name. For SERVER_DOMAIN enter the origin domain name. Or, if the viewer host header is forwarded to the origin), for SERVER_DOMAIN, enter the incoming host header value.

Missing intermediate CA certificates or the incorrect order of intermediate certificates causes failure between HTTPS communication and the origin. To check the certificate chain, run the following command.

$ openssl s_client -showcerts -connect DOMAIN:443 -servername SERVER_DOMAIN

Note: For DOMAIN, enter the origin domain name and for SERVER_DOMAIN enter the origin domain name. Or, if the viewer host header is forwarded to the origin), for SERVER_DOMAIN, enter the incoming host header value.

The origin's cipher suit isn't supported by CloudFront

SSL/TLS transactions between CloudFront and Origin fail if there is no common negotiated ciphers suite. To confirm you're using the correct cipher suite, see Supported protocols and ciphers between CloudFront and the origin.

You can also use an SSL server test tool to check if your origin domain name is included on the list of supported ciphers.

CloudFront can't resolve the origin IP address

If CloudFront can't resolve the origin domain, then it returns 502 error. To troubleshoot this, use a dig/nslookup command to check if the origin domain resolves to an IP.

Linux:

$ dig ORIGIN_DOMAIN_NAME

Windows:

nslookup ORIGIN_DOMAIN_NAME

Note: For ORIGIN_DOMAIN_NAME, enter the origin domain name.

If successful, then the command returns the IP of the origin domain name. Use a DNS checker tool to check for DNS resolution across different geographies.

The error is caused by upstream origin

The custom origin defined in the CloudFront distribution can be a proxy, Content Delivery Network (CDN) hostname, or load balancer connected to the actual origin. If any of these intermediary services fails to connect to the origin, then a 502 error is returned to CloudFront. To resolve this, work with your service provider.

The Lambda@Edge function associated with the CloudFront distribution failed validation

If the Lambda@Edge function returns a response to CloudFront that's not valid, then CloudFront returns a 502 error. To resolve this, check your Lambda@Edge function for the following common issues:

• Returned JSON object
• Missing required fields
• Invalid object in the response
• Adding or updating disallowed or read-only headers
• Exceeding the maximum body size
• Characters or values that aren't valid

For more information, see Testing and debugging Lambda@Edge functions.

---