Tags: amazon-cloudfront, aws-application-load-balancer

502 between CloudFront and ELB (AWS)


  1. I have set up an EC2 with WordPress installed on it. It listens on port 80.

  2. I have created an Application Load Balancer on top of it, used ACM to create a certificate (signed by Amazon), and created an HTTPS listener that forwards from 443 to 80 on the EC2 from (1). The listener uses ELBSecurityPolicy-TLS-1-2-Ext-2018-06 as the security policy.

  3. I configured a Route 53 A record from the domain to the ELB. This works perfectly.

  4. After that I tried to create a CloudFront distribution, supporting HTTPS only, with the correct CN name and a custom certificate (the same cert used in (2)).

  5. I get the infamous 502.

  6. I read a ton of posts about trying to resolve it, and followed this working example to the letter: https://www.youtube.com/watch?v=9O2bqYqySEY. Nothing works for me. I still get the 502 error.

  7. I used openssl (openssl s_client -connect mydomain:443) to try and make sense of it. I get:


---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5479 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
closed

What strikes me as weird is that it used TLSv1.3 (which I know AWS only added a few months ago).

BTW, when I ran the same openssl command against the working setup (stage 3), I saw that it was using TLSv1.2.

I also tried to find an option to force CloudFront to use TLSv1.2, but I couldn't.

I know many people have asked about this topic, yet I think this is a new issue since v1.3 was added recently, and none of the other answers helped.

Any advice? Thank you


Solution

  • OK, turns out the problem was around the ELB's security policy. I didn't have it configured to be ELBSecurityPolicy-TLS-1-2-Ext-2018-06 (but rather the default) at the beginning. Then I switched it to be ELBSecurityPolicy-TLS-1-2-Ext-2018-06...

    But I didn't see any change. After a few hours, when I had given up, I checked it again and it worked, so I am guessing it needed some time / caching.

    All works fine now.
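The diagnostic in step 7 only shows what the poster's own client negotiated with the ELB; CloudFront connects to the origin on its own terms (the distribution's origin SSL protocol settings), so the useful check is whether the origin still accepts a handshake when the protocol version is pinned. The script below is an added example, not code from the original post or from AWS: `tls_summary` condenses an `openssl s_client` transcript into one line (protocol, cipher, verify result), `probe_tls` runs the probe with the version forced via the real `-tls1_2` / `-tls1_3` flags, and `listener_policy` reads the listener's current SSL policy with the AWS CLI (`aws elbv2 describe-listeners` is a real command; the ARN and the `ORIGIN_HOST` variable are placeholders you supply). The two transcripts embedded in the script are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names (tls_summary,
# probe_tls, listener_policy) and the ORIGIN_HOST variable are assumptions.

# tls_summary: read `openssl s_client` output on stdin and print
# "protocol=<ver> cipher=<name> verify=<code>". Defaults cover a failed
# handshake, where openssl prints "New, (NONE), Cipher is (NONE)" and may
# omit the verify line entirely.
tls_summary() {
    awk '
        BEGIN { proto = "(NONE)"; cipher = "(NONE)"; verify = "n/a" }
        /^New, / {
            sub(/^New, /, "")
            split($0, parts, ", Cipher is ")
            proto = parts[1]; cipher = parts[2]
        }
        /^Verify return code:/ { sub(/^Verify return code: /, ""); verify = $0 }
        END { printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify }
    '
}

# probe_tls HOST FLAG: handshake with HOST:443 using a pinned version flag
# (-tls1_2 or -tls1_3) and summarise the result. SNI is sent so that a
# load balancer with several certificates picks the right one.
probe_tls() {
    openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null 2>/dev/null \
        | tls_summary
}

# listener_policy LISTENER_ARN: print the SSL policy currently attached to an
# ALB HTTPS listener (the setting the accepted answer changed).
listener_policy() {
    aws elbv2 describe-listeners --listener-arns "$1" \
        --query 'Listeners[0].SslPolicy' --output text
}

# Constructed sample: a successful TLS 1.3 handshake, as in the question.
SAMPLE_OK='---
SSL handshake has read 5479 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Verify return code: 0 (ok)
---'

# Constructed sample: what a handshake refused by the server looks like.
SAMPLE_FAIL='---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---'

# Offline demonstration on the constructed samples.
printf 'sample ok:   '; printf '%s\n' "$SAMPLE_OK"   | tls_summary
printf 'sample fail: '; printf '%s\n' "$SAMPLE_FAIL" | tls_summary

# Live probe only when the operator names an origin, e.g.
#   ORIGIN_HOST=origin.example.com sh tls_probe.sh
if [ -n "${ORIGIN_HOST:-}" ]; then
    for flag in -tls1_2 -tls1_3; do
        printf '%s %s: ' "$ORIGIN_HOST" "$flag"
        probe_tls "$ORIGIN_HOST" "$flag"
    done
fi
```

If the `-tls1_2` probe reports `protocol=(NONE)` while `-tls1_3` succeeds, the origin is rejecting the version CloudFront will use, which matches the symptom in the accepted answer; after changing the listener policy, run `listener_policy` to confirm the change took effect before re-testing through the distribution.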