Why does the HTTPS connection between my CloudFront distribution and load balancer fail?
Last updated: 2023-01-11
I have HTTPS and HTTP listeners configured on my Classic Load Balancer or Application Load Balancer as the origin for my Amazon CloudFront distribution. The HTTPS communication between CloudFront and my load balancer fails. I want to resolve the HTTPS communication issues.
The HTTPS communication failure might be caused by issues with the associated SSL certificate, security groups, or network access control list (ACL). Be sure that your distribution and load balancer meet the following security requirements:
- You must have a valid SSL certificate installed on the load balancer. If you're still getting HTTPS errors after installing an SSL certificate, troubleshoot the SSL connection between CloudFront and the custom origin server.
- If your CloudFront distribution connects to your load balancer on port 443, then the security groups associated with your load balancer must allow traffic on port 443 from CloudFront IP addresses. For more information on updating security groups, see Configure security groups for your Classic Load Balancer or Security groups for your Application Load Balancer. To allow only CloudFront IP addresses in the security group attached to your load balancer, use the AWS managed prefix list. This list contains all CloudFront IP addresses and is updated automatically when those IP addresses change. For more information, see Limit access to your origins using the AWS managed prefix list for Amazon CloudFront.
- The network ACLs associated with your load balancer's Amazon Virtual Private Cloud (Amazon VPC) must allow traffic from CloudFront on HTTPS ports (typically port 443).
Note: Application Load Balancers support multiple TLS certificates with smart selection using Server Name Indication (SNI). If your CloudFront distribution caches based on the host header, then verify that the Application Load Balancer has a TLS certificate configured with the same name. Otherwise, the Application Load Balancer offers its default certificate, which might not match the SNI associated with the ClientHello message from CloudFront.
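The three checks above (security group opens 443 to the CloudFront prefix list, network ACL admits the traffic, the ALB holds a certificate whose name matches the forwarded host header) can be pre-verified offline against the JSON that `aws ec2 describe-security-groups`, `aws ec2 describe-network-acls` and `aws acm describe-certificate` return. The following script is an added example, not code from this article or from AWS; the security group, network ACL, prefix-list ID, certificate names and source IP address are constructed placeholders, and the NACL sample deliberately contains a lower-numbered deny rule to show that network ACLs are evaluated in rule-number order with the first match winning.

```python
"""Offline pre-checks for the CloudFront -> load balancer HTTPS path.

Added example, not AWS's code. Works on the response shapes of
`aws ec2 describe-security-groups`, `aws ec2 describe-network-acls` and
`aws acm describe-certificate`; all sample data below is constructed.
"""
import ipaddress

# Placeholder ID for the managed list com.amazonaws.global.cloudfront.origin-facing
CLOUDFRONT_PREFIX_LIST = "pl-0123456789abcdef0"

# Constructed SecurityGroups[] element: 80 open to the world, 443 only to CloudFront
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PREFIX_LIST}]},
    ],
}

# Constructed NetworkAcls[] element: rule 90 denies TCP/443 before rule 100 allows all
SAMPLE_NACL = {
    "NetworkAclId": "acl-0123456789abcdef0",
    "Entries": [
        {"RuleNumber": 90, "Egress": False, "Protocol": "6", "RuleAction": "deny",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow",
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
         "CidrBlock": "0.0.0.0/0"},
    ],
}

# Constructed DomainName/SubjectAlternativeNames of the certificates on the ALB listener
SAMPLE_CERT_NAMES = ["www.example.com", "*.api.example.com"]


def _covers_port(rule, port):
    """True if a security-group rule or NACL entry covers TCP `port`."""
    proto = str(rule.get("IpProtocol", rule.get("Protocol")))
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):          # SG uses "tcp", NACL uses IANA number "6"
        return False
    rng = rule.get("PortRange")            # NACL shape
    lo = rng["From"] if rng else rule["FromPort"]   # SG shape
    hi = rng["To"] if rng else rule["ToPort"]
    return lo <= port <= hi


def sg_allows_cloudfront(sg, port=443, prefix_list=CLOUDFRONT_PREFIX_LIST):
    """Return "prefix-list" (only CloudFront ranges), "any" (0.0.0.0/0) or None."""
    result = None
    for rule in sg["IpPermissions"]:
        if not _covers_port(rule, port):
            continue
        if any(p["PrefixListId"] == prefix_list for p in rule.get("PrefixListIds", [])):
            return "prefix-list"
        if any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            result = "any"                 # reachable, but not limited to CloudFront
    return result


def nacl_allows_inbound(nacl, source_ip, port=443):
    """Evaluate inbound NACL entries like the VPC does: lowest matching rule number wins."""
    src = ipaddress.ip_address(source_ip)
    for entry in sorted(nacl["Entries"], key=lambda e: e["RuleNumber"]):
        if entry["Egress"] or "CidrBlock" not in entry:
            continue
        if src in ipaddress.ip_network(entry["CidrBlock"]) and _covers_port(entry, port):
            return entry["RuleAction"] == "allow"
    return False                           # implicit deny when nothing matches


def hostname_matches(pattern, host):
    """Certificate-name match: '*' allowed only as the whole leftmost label, one label wide."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]


def alb_has_sni_match(host_header, cert_names):
    """True if some certificate on the ALB matches the host header CloudFront forwards."""
    return any(hostname_matches(name, host_header) for name in cert_names)


if __name__ == "__main__":
    print("SG 443:", sg_allows_cloudfront(SAMPLE_SG))
    print("NACL 443 from 192.0.2.10:", nacl_allows_inbound(SAMPLE_NACL, "192.0.2.10"))
    print("SNI www.example.com:", alb_has_sni_match("www.example.com", SAMPLE_CERT_NAMES))
```

Run against real output by replacing the constructed dictionaries with the parsed CLI JSON and the placeholder prefix-list ID with the one `aws ec2 describe-managed-prefix-lists` returns for `com.amazonaws.global.cloudfront.origin-facing`. Because network ACLs are stateless, a passing inbound check must be paired with an outbound rule for the ephemeral port range used by the return traffic; the script only covers the inbound leg the article discusses.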