CloudFront无法连接到源 [英] CloudFront wasn't able to connect to the origin

查看:4001
本文介绍了CloudFront无法连接到源的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我已经通过http正确设置了Cloudfront。它从我的网站(dev.pie.video)获取数据很好。我现在转向https。在 https://dev.pie.video 上工作正常,但Cloudfront无法为任何内容提供服务。
例如



原产地:





行为:






====编辑2 ====



如果这有用,我从云端获取的日志看起来像

 < timestamp> SFO20 924 96.90.217.130 GET d1mbpc40mdbs3p.cloudfront.net /favicon-96x96.png 502  - < someInfoOnTheClientBrowser> 2  - 错误poZyhl63JNGFk8dIIjCluGDm4dxF8EdMZFhjg82NgHGPNqcmx6ArHA == d1mbpc40mdbs3p.cloudfront.net https 494 0.002  -  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256错误HTTP / 1.1


解决方案

您的源服务器未正确配置SSL。 CloudFront需要有效的配置,并且可能比某些浏览器更严格 - 因此浏览器中的绿色锁定并不一定意味着您的SSL设置已完成且与所有客户端普遍兼容。

  $ true | openssl s_client -connect dev.pie.video:443 -showcerts 
 CONNECTED(00000003)
 depth = 0 OU =域控制验证,CN = dev.pie.video 
验证错误:num = 20:无法获得本地颁发者证书
验证返回:1 
深度= 0 OU =域控制验证,CN = dev.pie.video 
验证错误:num = 27:证书不可信
验证返回:1 
深度= 0 OU =域控制验证,CN = dev.pie.video 
验证错误:num = 21:无法验证第一个证书
验证返回:1 
 --- 
证书链
 0 s:/ OU =域控制验证/ CN = dev.pie.video 
i:/ C = US / ST = Arizona /L=Scottsdale/O=GoDaddy.com,Inc ./OU=http://certs.godaddy.com/repository//CN=Go爸爸安全证书颁发机构 -  G2 
 ----- BEGIN CERTIFICATE- ---- 
 MIIFMzCCBBugAwIBAgIJAL96wtFpu1ZpMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD 
 VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa 
 MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0 
 cy5nb2RhZ GR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj 
 dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE2MDgwODE4MzQ0MFoX 
 DTE3MDgwODE4MzQ0MFowOzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh 
 dGVkMRYwFAYDVQQDEw1kZXYucGllLnZpZGVvMIIBIjANBgkqhkiG9w0BAQEFAAOC 
 AQ8AMIIBCgKCAQEAz / wT5j / zHKzmt3oRvst74Knqxc0pl3sp5imUJ7UegoxcTISm 
 xJC5qQiDsD0U08kAFxvXDd91jlozh4QDcfLE8N7X9fsxC7OW2pDv3ks / LO7tiCxn 
 gNmxjvYvOQ / vASrLHIal + oGWJNdBMB1eckV4xHCeBDDEizDneq / qvjN0M0k5hQ + / 
 qk7RjVhJUmFAfvhXpxXaCbVDq1d3V1iRBo3oP3SGV + + BJ / m55QPFfKCZqGPTiM5G 
 C9 + 8ru16EVCpvs0wCWBVxjTiOCGtrMLgvp9LOs8AN369Yk / 3AynpgAI0DDhb5y8I 
 KEuCdbUaIg5Zo029iZz4nWRsZFd5CSwgX8tZNQIDAQABo4IBvjCCAbowDAYDVR0T 
 AQH / BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH / 
 BAQDAgWgMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9jcmwuZ29kYWRkeS5jb20v 
 Z2RpZzJzMS0yODIuY3JsMF0GA1UdIARWMFQwSAYLYIZIAYb9bQEHFwEwOTA3Bggr 
 BgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0 
 b3J5LzAIBgZngQwBAgEwdgYIKwYBB QUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRw 
 Oi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZp 
 Y2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgw 
 FoAUQMK9J47MNIMwojPX + 2yz8LQsgM4wKwYDVR0RBCQwIoINZGV2LnBpZS52aWRl 
 b4IRd3d3LmRldi5waWUudmlkZW8wHQYDVR0OBBYEFEPW + uDOOtZfUEdXuBs + 960 
 zQRKMA0GCSqGSIb3DQEBCwUAA4IBAQBLkLYJEc9E + IGv6pXaPCcYowJfji651Ju6 
 3DNzGXdyWfOXG + UVCMtPZuC9J66dID4Rc7HWzLveTPEI32z4IgtSjvRwRk9YyWVx 
 uCOpsP3e / Vgriwg5ds4NyrelQfshA3KaiTLohuiVEOBZgZgIwBEmwR2ZNFuL375E 
 uEn909zF9 + sGkTbFnMm1zlqB2oh2UlSkUT3mj009vWF416W6kZQdFFFEmaI8uSmo 
 + Thd8HSxQytzWvB3dR4lCteiC09lkQPHU5t10tPgK9BtkLv05ICQQoDhFJmLeAcC 
 WNEmCcDnSHPxXjPi8kcyM6aqNofL1D0e1pYYvcpYQQDayWdY3tUh 
 ----- END CERTIFICATE ----- 
 --- 
服务器证书
受= / OU =域控制验证/ CN = dev.pie.video 
 issuer = / C = US / ST = Arizona / L = Scottsdale / O = GoDaddy.com,Inc。/ OU = http://certs .godaddy.com / repository // CN = Go Daddy安全证书颁发机构 -  G2 
 --- 
没有客户证书CA名称发送
 --- 
 SSL握手已读取2010字节并写入431字节
 --- 
新增,TLSv1 / SSLv3 ,Cipher是ECDHE-RSA-AES128-GCM-SHA256 
服务器公钥是2048位
 ...剪辑...

您的证书是由Go Daddy安全证书颁发机构 - G2签署的,这是一个中间证书(不是root用户),并且您的服务器上没有安装该中间证书 - 因此,CloudFront报告它无法连接,实际上它更准确地不愿意连接,作为安全预防措施,因为它无法验证SSL证书的有效性。您应该在Web服务器的日志中将这些视为SSL协商失败。连接本身正在运行,但由于信任问题,CloudFront认为它无效,因此使用起来不安全。


警告



如果源服务器返回过期证书,无效证书或自签名证书,或者原始服务器返回错误的证书链顺序,CloudFront删除TCP连接,返回HTTP错误代码502,并将 X-Cache 标头设置为来自cloudfront的错误



http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html


添加您的中间证书到您的服务器配置,您应该设置。这应该在您下载时与证书捆绑在一起,但如果没有,可以在这种情况下从您的CA,Go Daddy获取。



这不是Go Daddy证书特有的限制。遵循标准惯例的所有CA都使用中间证书来建立信任链回到受信任的根。



另请参阅:



https://www.godaddy.com/help /什么是中间证书-868



https://certs.godaddy.com/repository


I had set up Cloudfront correctly over http. It fetched data from my website (dev.pie.video) fine. I'm now moving to https. Things are working fine at https://dev.pie.video but Cloudfront is unable to server any content. For instance https://dev.pie.video/favicon-96x96.png works but https://d1mbpc40mdbs3p.cloudfront.net/favicon-96x96.png fails with status 502, even though my Cloudfront distribution d1mbpc40mdbs3p points to dev.pie.video.

More details if that's helpful:

  • d1mbpc40mdbs3p.cloudfront.net uses the default CloudFront Certificate for https
  • the cloudfront distribution's origin is set to work over SSL and TLS, and to use the viewer's protocol.

===== Edit 1 =====

screenshots of the cloudfront settings:

General:

Origin:

Behaviors:

==== Edit 2 ====

if that's helpful, the logs I'm getting from cloudfront look like

<timestamp> SFO20   924 96.90.217.130   GET d1mbpc40mdbs3p.cloudfront.net   /favicon-96x96.png  502 -   <someInfoOnTheClientBrowser>    2   -   Error   poZyhl63JNGFk8dIIjCluGDm4dxF8EdMZFhjg82NgHGPNqcmx6ArHA==    d1mbpc40mdbs3p.cloudfront.net   https   494 0.002   -   TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Error   HTTP/1.1

解决方案

Your origin server is incorrectly configured for SSL. CloudFront requires a valid configuration, and may be more stringent than some browsers -- so a green lock in the browser doesn't necessarily mean your SSL setup is complete and universally compatible with all clients.

$ true | openssl s_client -connect dev.pie.video:443 -showcerts
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = dev.pie.video
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = dev.pie.video
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = dev.pie.video
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=dev.pie.video
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIFMzCCBBugAwIBAgIJAL96wtFpu1ZpMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE2MDgwODE4MzQ0MFoX
DTE3MDgwODE4MzQ0MFowOzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMRYwFAYDVQQDEw1kZXYucGllLnZpZGVvMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAz/wT5j/zHKzmt3oRvst74Knqxc0pl3sp5imUJ7UegoxcTISm
xJC5qQiDsD0U08kAFxvXDd91jlozh4QDcfLE8N7X9fsxC7OW2pDv3ks/LO7tiCxn
gNmxjvYvOQ/vASrLHIal+oGWJNdBMB1eckV4xHCeBDDEizDneq/qvjN0M0k5hQ+/
qk7RjVhJUmFAfvhXpxXaCbVDq1d3V1iRBo3oP3SGV++bj/m55QPFfKCZqGPTiM5G
c9+8ru16EVCpvs0wCWBVxjTiOCGtrMLgvp9LOs8AN369Yk/3AynpgAI0DDhb5y8I
KEuCdbUaIg5Zo029iZz4nWRsZFd5CSwgX8tZNQIDAQABo4IBvjCCAbowDAYDVR0T
AQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/
BAQDAgWgMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9jcmwuZ29kYWRkeS5jb20v
Z2RpZzJzMS0yODIuY3JsMF0GA1UdIARWMFQwSAYLYIZIAYb9bQEHFwEwOTA3Bggr
BgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0
b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRw
Oi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZp
Y2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgw
FoAUQMK9J47MNIMwojPX+2yz8LQsgM4wKwYDVR0RBCQwIoINZGV2LnBpZS52aWRl
b4IRd3d3LmRldi5waWUudmlkZW8wHQYDVR0OBBYEFEPW+uDOOtZfUEdXuBs+960C
zQRKMA0GCSqGSIb3DQEBCwUAA4IBAQBLkLYJEc9E+IGv6pXaPCcYowJfji651Ju6
3DNzGXdyWfOXG+UVCMtPZuC9J66dID4Rc7HWzLveTPEI32z4IgtSjvRwRk9YyWVx
uCOpsP3e/Vgriwg5ds4NyrelQfshA3KaiTLohuiVEOBZgZgIwBEmwR2ZNFuL375E
uEn909zF9+sGkTbFnMm1zlqB2oh2UlSkUT3mj009vWF416W6kZQdFFFEmaI8uSmo
+Thd8HSxQytzWvB3dR4lCteiC09lkQPHU5t10tPgK9BtkLv05ICQQoDhFJmLeAcC
WNEmCcDnSHPxXjPi8kcyM6aqNofL1D0e1pYYvcpYQQDayWdY3tUh
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=dev.pie.video
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 2010 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
...clipped...

Your certificate is signed by "Go Daddy Secure Certificate Authority - G2" which is an intermediate certificate (not a root), and you don't have that intermediate certificate installed on your server -- so CloudFront reports that it is "unable" to connect, when in fact it is more accurately "unwilling" to connect, as a security precaution, because it can't verify the validity of your SSL certificate. You should see these as SSL negotiation failures in your web server's log. The connection itself is working, but CloudFront considers it invalid, and therefore unsafe to use, due to the trust issue.

Caution

If the origin server returns an expired certificate, an invalid certificate or a self-signed certificate, or if the origin server returns the certificate chain in the wrong order, CloudFront drops the TCP connection, returns HTTP error code 502, and sets the X-Cache header to Error from cloudfront.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html

Add your intermediate certificate to your server configuration, and you should be set. This should have been bundled with the cert when you downloaded it, but if not, it can be obtained from your CA, Go Daddy in this case.

This is not a limitation specific to Go Daddy certificates. All CAs that follow standard practice use intermediate certificates to establish a chain of trust back to a trusted root.

See also:

https://www.godaddy.com/help/what-is-an-intermediate-certificate-868

https://certs.godaddy.com/repository

这篇关于CloudFront无法连接到源的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆