Bobcares

CloudFront wasn’t able to connect to the origin – How to fix

by | Jul 27, 2021

CloudFront wasn’t able to connect to the origin? We can help you.

At Bobcares we assist our customers with several AWS queries as part of our AWS Support Services for AWS users and online service providers.

Today, let us see how our Support Techs resolve this CloudFront issue.

 

CloudFront wasn’t able to connect to the origin

HTTP 502 (Bad Gateway) errors from CloudFront occur when CloudFront cannot get a valid response from the origin, for one of the following reasons:

  • Firstly, there's an SSL/TLS negotiation failure because the origin only offers SSL/TLS protocols or ciphers that CloudFront doesn't support.
  • There's an SSL/TLS negotiation failure because the certificate on the origin is expired, invalid, or self-signed, or because the certificate chain is missing an intermediate or is in the wrong order.
  • There's a host name mismatch in the SSL/TLS negotiation: the certificate on the custom origin doesn't cover the Origin Domain Name or the forwarded Host header.
  • The custom origin isn't responding on the ports specified in the origin settings of the CloudFront distribution.
  • The custom origin is closing the connection to CloudFront too quickly.
  • CloudFront can't resolve the origin domain name because of a DNS problem.
  • A Lambda@Edge function returned a malformed or invalid response.

Let us see the steps our Support Techs follow to resolve it in each scenario.

SSL/TLS Negotiation Failure Between CloudFront and a Custom Origin Server

If you use a custom origin and you configured CloudFront to require HTTPS between CloudFront and your origin, the problem might be a mismatch of domain names.

The SSL/TLS certificate that is installed on your origin includes a domain name in the Common Name field and possibly several more in the Subject Alternative Names field.

One of the domain names in the certificate must match one or both of the following values:

  • The value that you specified for Origin Domain Name for the applicable origin in your distribution.
  • The value of the Host header if you configured CloudFront to forward the Host header to your origin.

If the domain names don’t match, the SSL/TLS handshake fails, and CloudFront returns an HTTP status code 502 (Bad Gateway) and sets the X-Cache header to Error from cloudfront.

To determine whether domain names in the certificate match the Origin Domain Name in the distribution or the Host header, you can use an online SSL checker or OpenSSL.

If the domain names don’t match, you have two options:

  • Firstly, get a new SSL/TLS certificate that includes the applicable domain names. If you use AWS Certificate Manager (ACM), see Request a Certificate in the AWS Certificate Manager User Guide to request a new certificate.
  • Secondly, change the origin protocol policy in the distribution configuration so that CloudFront no longer uses HTTPS to connect to your origin. Treat this as a last resort: traffic between CloudFront and the origin then travels in cleartext, so the origin has to restrict inbound access by other means (for example, allowing only the CloudFront IP ranges or requiring a custom origin header). Wherever you control the origin's certificate, take the first option.

 

Online SSL Checker

To find an SSL test tool, search the internet for “online ssl checker.”

You specify the name of your domain, and the tool returns a variety of information about your SSL/TLS certificate.

Confirm that the certificate contains your domain name in the Common Name or Subject Alternative Names fields.

 

OpenSSL

You can use OpenSSL to try to make an SSL/TLS connection to your origin server.

If OpenSSL is not able to make a connection, that can indicate a problem with your origin server’s SSL/TLS configuration.

If OpenSSL is able to make a connection, it returns information about the origin server’s certificate, including the certificate’s common name and subject alternative name.

Use the following OpenSSL command to test the connection to your origin server (replace origin-domain-name with the Origin Domain Name from your distribution, such as origin.example.com):

openssl s_client -connect origin-domain-name:443

Near the end of the output, check the Verify return code line (anything other than 0 (ok) means the chain did not validate) and the subject and issuer lines, which show the certificate's common name and who issued it. Add -showcerts to print every certificate the origin sent; piping the output through openssl x509 -noout -text shows the subject alternative names as well.

If the following are true:

  • Firstly, your origin server supports multiple domain names with multiple SSL/TLS certificates
  • Your distribution is configured to forward the Host header to the origin

Then add the -servername option to the OpenSSL command so that the SNI value matches the Host header CloudFront will forward (the CNAME your viewers use), as in the following example:

openssl s_client -connect origin-domain-name:443 -servername CNAME

 

Origin Is Not Responding with Supported Ciphers/Protocols

CloudFront connects to origin servers using a fixed set of SSL/TLS ciphers and protocols.

For the list of ciphers and protocols that CloudFront supports, see Supported Ciphers and Protocols in the Amazon CloudFront Developer Guide.

If your origin doesn't offer at least one protocol and one cipher from that list during the SSL/TLS handshake, CloudFront can't complete the connection and returns a 502.

You can validate that your origin supports the ciphers and protocols by using SSL Labs (https://www.ssllabs.com/ssltest/). Note that the test runs from the public internet, so the origin must be reachable there for the duration of the check:

  • Type the domain name of your origin in the Hostname field, and then choose Submit.
  • Review the Common names and Alternative names fields from the test to see if they match your origin’s domain name.
  • After the test is finished, find the Protocols and Cipher Suites sections in the test results to see which ciphers or protocols are supported by your origin.
  • Finally, compare them with the list of Supported Ciphers and Protocols.

 

SSL/TLS Certificate on the Origin Is Expired, Invalid, Self-signed, or the Certificate Chain Is in the Wrong Order

If the origin server presents any of the following, CloudFront drops the TCP connection, returns HTTP status code 502 (Bad Gateway), and sets the X-Cache header to Error from cloudfront:

  • An expired certificate
  • An invalid certificate
  • A self-signed certificate (CloudFront only accepts origin certificates issued by a publicly trusted CA)
  • A certificate chain in the wrong order (the server must send the leaf certificate first, followed by the intermediates that lead to a trusted root)
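As an added example (not code from the original post), the following shell script pulls the OpenSSL checks from the sections above into one function: it opens a TLS connection to the origin with the SNI name CloudFront would send, then checks that the certificate covers that name (SAN entries first, CN as a fallback, with single-label wildcards), that it has not expired, and that the chain verifies, which is where a self-signed certificate or a missing intermediate shows up. A refused connection is reported separately, since that points at the port or firewall problems covered further below. It assumes the openssl command-line tool is installed; the host names origin.example.com and www.example.com are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reproduce, from a shell, the
# checks CloudFront performs when it opens a TLS connection to a custom origin.
# Host names used below (origin.example.com, www.example.com) are placeholders.
set -u

# List the DNS names a PEM certificate is valid for: every SAN DNS entry,
# then the Subject CN as a fallback, one per line.
cert_dns_names() {
    local cert="$1"
    # -text prints the SAN on the line after the "Subject Alternative Name" header,
    # e.g. "DNS:origin.example.com, DNS:*.example.com, IP Address:203.0.113.5"
    openssl x509 -in "$cert" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if NAME is covered by PATTERN: exact (case-insensitive) match, or a
# single-label wildcard (*.example.com covers www.example.com but neither
# example.com nor a.b.example.com).
name_matches() {
    local pattern name suffix prefix
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$pattern" = "$name" ] && return 0
    case "$pattern" in
        \*.*)
            suffix="${pattern#\*.}"
            prefix="${name%.$suffix}"
            # Must actually end in .suffix, and what is left must be one non-empty label.
            if [ "$prefix" != "$name" ] && [ -n "$prefix" ] && [ "${prefix%%.*}" = "$prefix" ]; then
                return 0
            fi
            ;;
    esac
    return 1
}

# Return 0 if the certificate file covers NAME (what CloudFront checks against
# the Origin Domain Name, or against the forwarded Host header).
cert_matches_name() {
    local cert="$1" name="$2"
    cert_dns_names "$cert" | {
        while IFS= read -r candidate; do
            [ -n "$candidate" ] && name_matches "$candidate" "$name" && exit 0
        done
        exit 1
    }
}

# Connect to ORIGIN:PORT with SNI set to SNI_NAME (defaults to ORIGIN) and
# report the three things that make CloudFront return a 502: no TLS service on
# the port, a name mismatch, and an expired or unverifiable certificate/chain.
check_origin() {
    local origin="$1" sni="${2:-$1}" port="${3:-443}" leaf rc=0
    leaf=$(mktemp)
    if ! openssl s_client -connect "$origin:$port" -servername "$sni" </dev/null 2>/dev/null \
            | openssl x509 -outform PEM >"$leaf" 2>/dev/null; then
        echo "FAIL: no TLS handshake with $origin:$port (port closed, firewall, or no TLS listener)"
        rm -f "$leaf"; return 2
    fi
    if cert_matches_name "$leaf" "$sni"; then
        echo "OK:   certificate covers $sni"
    else
        echo "FAIL: certificate covers [$(cert_dns_names "$leaf" | tr '\n' ' ')] but not $sni"; rc=1
    fi
    if openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null; then
        echo "OK:   certificate not expired"
    else
        echo "FAIL: certificate expired"; rc=1
    fi
    # Full chain validation against the local trust store; a self-signed leaf,
    # a missing intermediate or a mis-ordered chain fails here.
    if openssl s_client -connect "$origin:$port" -servername "$sni" -verify_return_error \
            </dev/null >/dev/null 2>&1; then
        echo "OK:   chain verifies"
    else
        echo "FAIL: chain does not verify (self-signed, missing or mis-ordered intermediate)"; rc=1
    fi
    rm -f "$leaf"
    return "$rc"
}

# Usage: check_origin <Origin Domain Name> [<Host header value>] [<port>]
# e.g.   check_origin origin.example.com www.example.com
```

Run check_origin with the Origin Domain Name and, if you forward the Host header, the CNAME viewers use as the second argument, then fix whichever line says FAIL. The name-matching helpers work on any PEM file, so cert_matches_name can also be run against a certificate before it is deployed to the origin.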

 

Origin Is Not Responding on Specified Ports in Origin Settings

When you create an origin in your CloudFront distribution, you set the ports that CloudFront uses to connect to the origin for HTTP and HTTPS traffic.

By default, these are TCP 80/443. You have the option to modify these ports.

If your origin is rejecting traffic on these ports for any reason, or if your backend server isn’t responding on the ports, CloudFront will fail to connect.

To troubleshoot these issues, check any firewalls or security groups in your infrastructure and validate that they allow inbound traffic on those ports from the CloudFront IP ranges (the entries tagged CLOUDFRONT_ORIGIN_FACING in the published ip-ranges.json file).

For more information, see AWS IP Address Ranges in the Amazon Web Services General Reference.

Additionally, verify whether your web server is running on the origin.

 

CloudFront Was Not Able to Resolve Your Origin Domain Due to DNS Issues

When CloudFront receives a request for an object that is expired or is not stored in its cache, it makes a request to the origin to get the updated object.

To make a successful request to the origin, CloudFront performs a DNS resolution on the origin domain name.

However, when the DNS service that hosts your domain is experiencing issues, CloudFront can't resolve the domain name to an IP address, and it returns a 502 error.

To fix this issue, contact your DNS provider.

To further troubleshoot this issue, ensure that the authoritative name servers of your origin's root domain or zone apex are functioning correctly. These are the servers that must answer CloudFront's query with the IP address associated with the origin domain name, and they should be the same name servers that were in place when you set up your CloudFront distribution.

Use either of the following commands to find the name servers for the zone apex of your origin (replace OriginAPEXDomainName with the apex, such as example.com):

dig OriginAPEXDomainName NS +short
nslookup -query=NS OriginAPEXDomainName

When you have the names of your name servers, use the following commands to query the domain name of your origin against each of them directly, bypassing any caching resolver, to make sure that each responds with an answer:

dig OriginDomainName @NameServerFromAbove
nslookup OriginDomainName NameServerFromAbove
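As an added example (not from the original post), this script automates the two dig steps above: it lists the zone apex's authoritative name servers and queries each one directly for the origin name, so a single broken or stale server shows up even when a caching resolver hides it. It assumes dig is installed; the zone and origin names are placeholders you supply. The address_lines helper filters dig +short output, which for a CNAME prints the canonical name before the addresses, and the sample lines in its test are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): ask every authoritative name
# server of the origin's zone for the origin name, the resolution CloudFront
# has to perform before it can connect. Names passed in are placeholders.
set -u

# Keep only IPv4/IPv6 address lines from `dig +short` output, which for a
# CNAME also prints the canonical-name target (ending in a dot) before the
# addresses. Host names never contain a colon, so the IPv6 pattern needs one.
address_lines() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f]*:[0-9A-Fa-f:.]*$'
}

# Print the authoritative name servers for ZONE (the apex of the origin's domain).
zone_name_servers() {
    dig "$1" NS +short | sed 's/\.$//'
}

# Query each authoritative server directly (bypassing caches) and report any
# that fails to answer with an address for ORIGIN. Returns 1 if any fails,
# 2 if the zone itself has no NS records.
check_origin_dns() {
    local origin="$1" zone="$2" ns raw answers rc=0 servers
    servers=$(zone_name_servers "$zone")
    if [ -z "$servers" ]; then
        echo "FAIL: no NS records found for $zone"
        return 2
    fi
    for ns in $servers; do
        raw=$(dig +short +time=3 +tries=1 "$origin" A "@$ns")
        answers=$(printf '%s\n' "$raw" | address_lines | tr '\n' ' ')
        if [ -n "$answers" ]; then
            echo "OK:   $ns -> $answers"
        elif [ -n "$raw" ]; then
            # A CNAME pointing outside this zone is answered without addresses;
            # the target's own zone has to be checked separately.
            echo "NOTE: $ns answered with a CNAME only ($(printf '%s' "$raw" | tr '\n' ' ')); check the target's zone"
        else
            echo "FAIL: $ns returned no answer for $origin"; rc=1
        fi
    done
    return "$rc"
}

# Usage: check_origin_dns <Origin Domain Name> <zone apex>
# e.g.   check_origin_dns origin.example.com example.com
```

If every server answers but CloudFront still reports a 502, the problem is not authoritative DNS; move on to the port and TLS checks. A NOTE line means the origin is a CNAME and the target's zone needs the same check.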

 

Lambda@Edge Function Validation Errors

If you're using Lambda@Edge, an HTTP 502 status code can also indicate that your Lambda function's response was in an incorrect form or included invalid content, rather than a problem reaching the origin. Check the function's logs for the error before troubleshooting the origin.

 

[Need assistance with CloudFront? We are available 24*7]

Conclusion

Today, we saw how our Support Techs resolve the CloudFront 502 error "CloudFront wasn't able to connect to the origin".

 
