Why is AWS CloudFront no longer delivering assets after I updated an expired SSL certificate?

Problem description

We use AWS CloudFront as our CDN in front of an Apache website running on an EC2 server. The website uses SSL (https) and CloudFront is configured to use the default CloudFront certificate, so our application loads static assets using https://xxxxxxcloudfront.net/path/to/asset, rather than https://ourdomain.com/path/to/asset.

Our SSL certificate, issued by Go Daddy, expired yesterday. After installing a new certificate on the web server, CloudFront no longer seems able to deliver any assets. It is simply returning a 502 error with the message "CloudFront wasn't able to connect to the origin."

The Apache logs don't seem to indicate any problems with the new certificate. When I visit the site I can see the little green lock icon and I no longer see any warnings about an invalid certificate. Further, if I try to load the assets directly from our webserver, using https://ourdomain.com/path/to/asset, instead of the CloudFront URL, the assets seem to load without any problems.

I don't recall doing anything with CloudFront the last time we replaced a certificate. Is there something that needs to be updated in CloudFront when the webserver's SSL certificate gets updated? Any tips on what to look for?

Recommended answer

I was able to resolve this issue!

After installing the certificates provided by Go Daddy there was an issue with the intermediate chain. The certificate chain file Go Daddy provides by default includes the root. CloudFront sees that as a problem and will not connect to the origin. I downloaded and installed the certificate chain without the root and everything started working again.

Thanks to @error2007s and @michael-sqlbot for their help!
