CloudFront Error While Serving HTTPS Using SNI

Amazon recently released the new CloudFront feature, which supports custom SSL certificates for free using SNI (Server Name Indication).

I set up my distribution with a free Class 1 certificate from StartSSL, and it seemed to work: I noticed the site came up shortly after it was deployed. Running SSL Checker reports that my certificate is working correctly:

[image: SSL check]

But then I would hit this error page when trying to access the site via HTTPS (it works for the first request, then fails on subsequent connection attempts).

[image: CF error]

Here's the detailed output when accessing via SSL (succeeding on the index):

    $ curl -I -v -ssl https://wikichen.is
    * Adding handle: conn: 0x7f9f82804000
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0x7f9f82804000) send_pipe: 1, recv_pipe: 0
    * About to connect() to wikichen.is port 443 (#0)
    *   Trying 54.230.141.222...
    * Connected to wikichen.is (54.230.141.222) port 443 (#0)
    * TLS 1.2 connection using TLS_RSA_WITH_RC4_128_MD5
    * Server certificate: www.wikichen.is (6w984WNu7vM5OrdU)
    * Server certificate: StartCom Class 1 Primary Intermediate Server CA
    * Server certificate: StartCom Certification Authority
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.30.0
    > Host: wikichen.is
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Content-Type: text/html; charset=utf-8
    Content-Type: text/html; charset=utf-8
    < Content-Length: 1153
    Content-Length: 1153
    < Connection: keep-alive
    Connection: keep-alive
    < Date: Sun, 09 Mar 2014 16:09:54 GMT
    Date: Sun, 09 Mar 2014 16:09:54 GMT
    < Cache-Control: max-age=120
    Cache-Control: max-age=120
    < Content-Encoding: gzip
    Content-Encoding: gzip
    < Last-Modified: Wed, 05 Mar 2014 20:40:48 GMT
    Last-Modified: Wed, 05 Mar 2014 20:40:48 GMT
    < ETag: "34685bc45353d1030d3a515ddba78f3e"
    ETag: "34685bc45353d1030d3a515ddba78f3e"
    * Server AmazonS3 is not blacklisted
    < Server: AmazonS3
    Server: AmazonS3
    < Age: 4244
    Age: 4244
    < X-Cache: Hit from cloudfront
    X-Cache: Hit from cloudfront
    < Via: 1.1 4f672256eaca5524999342dc8678cdd2.cloudfront.net (CloudFront)
    Via: 1.1 4f672256eaca5524999342dc8678cdd2.cloudfront.net (CloudFront)
    < X-Amz-Cf-Id: h4TEULH44TCi7m2lL42A8lO-5-Gmx8iY2M2C1AOmRlK543zFN6jCtQ==
    X-Amz-Cf-Id: h4TEULH44TCi7m2lL42A8lO-5-Gmx8iY2M2C1AOmRlK543zFN6jCtQ==
    <
    * Connection #0 to host wikichen.is left intact

Then it fails on other pages:

    $ curl -i -v https://wikichen.is/writing/index.html
    * Adding handle: conn: 0x7fa153804000
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0x7fa153804000) send_pipe: 1, recv_pipe: 0
    * About to connect() to wikichen.is port 443 (#0)
    *   Trying 54.230.140.160...
    * Connected to wikichen.is (54.230.140.160) port 443 (#0)
    * TLS 1.2 connection using TLS_RSA_WITH_RC4_128_MD5
    * Server certificate: www.wikichen.is (6w984WNu7vM5OrdU)
    * Server certificate: StartCom Class 1 Primary Intermediate Server CA
    * Server certificate: StartCom Certification Authority
    > GET /writing/index.html HTTP/1.1
    > User-Agent: curl/7.30.0
    > Host: wikichen.is
    > Accept: */*
    >
    < HTTP/1.1 502 Bad Gateway
    HTTP/1.1 502 Bad Gateway
    < Content-Type: text/html
    Content-Type: text/html
    < Content-Length: 472
    Content-Length: 472
    < Connection: keep-alive
    Connection: keep-alive
    * Server CloudFront is not blacklisted
    < Server: CloudFront
    Server: CloudFront
    < Date: Sun, 09 Mar 2014 17:54:41 GMT
    Date: Sun, 09 Mar 2014 17:54:41 GMT
    < Age: 6
    Age: 6
    < X-Cache: Error from cloudfront
    X-Cache: Error from cloudfront
    < Via: 1.1 9096435f28f91f92bacdf76122de09ee.cloudfront.net (CloudFront)
    Via: 1.1 9096435f28f91f92bacdf76122de09ee.cloudfront.net (CloudFront)
    < X-Amz-Cf-Id: iAUOQbP8O4A0pI9KGvVz0VgBT1TW-j0yVDa7vdSvIAuxnKOyQghtnw==
    X-Amz-Cf-Id: iAUOQbP8O4A0pI9KGvVz0VgBT1TW-j0yVDa7vdSvIAuxnKOyQghtnw==
    <
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
    <TITLE>ERROR: The request could not be satisfied</TITLE>
    </HEAD><BODY>
    <H1>ERROR</H1>
    <H2>The request could not be satisfied.</H2>
    <HR noshade size="1px">
    <BR clear="all">
    <HR noshade size="1px">
    <ADDRESS>
    Generated by cloudfront (CloudFront)
    </ADDRESS>
    * Connection #0 to host wikichen.is left intact
    </BODY></HTML>%

I would appreciate some pointers as to where to start troubleshooting.

+21
amazon-web-services amazon-cloudfront ssl-certificate
Mar 09 '14 at 12:24
2 answers

A good spokesperson named Alastair @AWS from the AWS CloudFront forums solved this for me:

I checked your CloudFront distribution and the S3 bucket that is the origin for this distribution.

I can recreate and explain the intermittent "502 Bad Gateway" response you are getting.

This response is returned by CloudFront when you try to access a URL over HTTPS that is not currently cached by CloudFront. The reason for this error is that CloudFront is trying to contact your origin over HTTPS, and this does not work.

The reason for this failure is that you configured your origin as S3, but you use the "Custom Origin" type and point it at the S3 website URL for this bucket. If you try to hit your S3 website URL using HTTPS, you will notice that it does not work. S3 website hosting only supports serving content over HTTP ( http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html#WebsiteRestEndpointDiff ).

As for the intermittent page-load behavior you see: CloudFront returns the pages that are currently stored in its cache. You should be able to recreate this scenario as follows:

  • Open a page on your site using HTTPS. You should get the "502 Bad Gateway" error.
  • Open the same page using HTTP. You should see the page.
  • Open the page again using HTTPS. Now you should get the expected result, since CF serves the content from its cache rather than trying to contact your origin.

To resolve this issue, try the following:

  • Open the CloudFront management console and open your distribution.
  • Go to the "Origins" tab, select the origin and click "Change".
  • Change the Origin Protocol Policy to HTTP only.
  • Save the changes and wait about 15 minutes for the changes to take effect.
  • Test.

My expectation is that this will force CloudFront to contact your origin using only HTTP. I tested this in my environment using S3 Website Hosting, and I can successfully load content over both HTTP and HTTPS.

Here is a link to the original forum topic.

+49
Mar 10 '14 at 7:55
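As an added example (not code from the thread or from AWS), here is the check that Alastair's explanation and fix steps amount to, run over a distribution config: it flags custom origins that point at an S3 website endpoint without an http-only Origin Protocol Policy, and applies the fix to a copy. It assumes the input is shaped like the output of boto3's cloudfront.get_distribution_config(); the sample config is constructed.

```python
"""Added example (not from the thread): flag the misconfiguration Alastair
describes, a "Custom Origin" at an S3 website endpoint whose Origin Protocol
Policy lets CloudFront use HTTPS, and apply the http-only fix. Assumed: input
shaped like boto3's cloudfront.get_distribution_config() output; sample constructed."""
import copy
import re

# S3 website endpoints look like <bucket>.s3-website-<region>.amazonaws.com
# (some regions use a dot instead of the dash before the region).
S3_WEBSITE_HOST = re.compile(r"\.s3-website[-.][a-z0-9-]+\.amazonaws\.com$")


def find_https_to_s3_website(dist_config):
    """Ids of origins that can yield the intermittent 502: custom origins at
    an S3 website endpoint whose policy is not 'http-only' (match-viewer or
    https-only make CloudFront attempt TLS to an endpoint that has none)."""
    bad = []
    for origin in dist_config["DistributionConfig"]["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 REST origin: CloudFront fetches from S3 itself
        if not S3_WEBSITE_HOST.search(origin["DomainName"].lower()):
            continue  # other custom origins may legitimately serve HTTPS
        if custom["OriginProtocolPolicy"] != "http-only":
            bad.append(origin["Id"])
    return bad


def force_http_only(dist_config):
    """Copy of the config with the answer's fix applied to the bad origins."""
    fixed = copy.deepcopy(dist_config)
    bad = set(find_https_to_s3_website(dist_config))
    for origin in fixed["DistributionConfig"]["Origins"]["Items"]:
        if origin["Id"] in bad:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "http-only"
    return fixed


# Constructed sample: a custom origin at an S3 website endpoint (the bug) and a plain S3 REST origin (fine).
SAMPLE_CONFIG = {"DistributionConfig": {"Origins": {"Quantity": 2, "Items": [
    {"Id": "site", "DomainName": "example-site.s3-website-us-east-1.amazonaws.com",
     "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                            "OriginProtocolPolicy": "match-viewer"}},
    {"Id": "assets", "DomainName": "example-assets.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}}]}}}

if __name__ == "__main__":
    print("offending origins:", find_https_to_s3_website(SAMPLE_CONFIG))
    print("after fix:", find_https_to_s3_website(force_http_only(SAMPLE_CONFIG)))
```

Because the origin fetch only happens on a cache miss, a clean scan of the config is a more reliable check than a single curl, which can succeed purely because the edge already holds the object.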

I had a similar problem with this, and as @Michael-sqlbot suggested, I switched from a custom origin to S3. This alone did not solve the problem.

In addition to switching the origin, Andrew from AWS support said that alias records work better than CNAMEs. I was using a CNAME. When I switched to alias records (one for IPv4 and one for IPv6), it worked. Here is the Route 53 documentation for CloudFront, which shows how to configure alias records for CloudFront.

0
Dec 22 '16 at 18:59