Why is AWS CloudFront no longer delivering assets after I updated an expired SSL certificate?

Submitted by 夙愿已清 on 2019-12-25 06:36:27

Question


We use AWS CloudFront as our CDN in front of an Apache website running on an EC2 server. The website uses SSL (https) and CloudFront is configured to use the default CloudFront certificate, so our application loads static assets using https://xxxxxxcloudfront.net/path/to/asset, rather than https://ourdomain.com/path/to/asset.

Our SSL certificate, issued by Go Daddy, expired yesterday. After installing a new certificate on the web server, CloudFront no longer seems able to deliver any assets. It is simply returning a 502 error with the message CloudFront wasn't able to connect to the origin.

The Apache logs don't seem to indicate any problems with the new certificate. When I visit the site I can see the little green lock icon, and I no longer see any warnings about an invalid certificate. Further, if I try to load the assets directly from our webserver, using https://ourdomain.com/path/to/asset, instead of the CloudFront URL, the assets seem to load without any problems.

I don't recall doing anything with CloudFront the last time we replaced a certificate. Is there something that needs to be updated in CloudFront when the webserver's SSL certificate gets updated? Any tips on what to look for?


Answer 1:


I was able to resolve this issue!

After installing the certificates provided by Go Daddy there was an issue with the intermediate chain. The certificate chain file Go Daddy provides by default includes the root. CloudFront sees that as a problem and will not connect to the origin. I downloaded and installed the certificate chain without the root and everything started working again.

Thanks to @error2007s and @michael-sqlbot for their help!
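The check below is an added example, not code from the original post: it scans a PEM chain bundle for self-issued certificates (issuer equal to subject), which is how a root shows up in the kind of chain file the answer describes. The sample certificates are unsigned skeletons constructed inline, and all function names are hypothetical.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER Name bytes (issuer, subject) from an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                 # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:                     # serial, sigAlg, issuer, validity, subject
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:                        # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def self_issued_positions(bundle_pem):
    """Indexes of certs in a PEM bundle whose issuer equals their subject.
    This is a byte-for-byte name comparison only; no signature is verified."""
    hits = []
    for i, m in enumerate(PEM_RE.finditer(bundle_pem)):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        if issuer == subject:
            hits.append(i)
    return hits

# --- constructed sample input: skeleton certificates, unsigned, names only ---
def _der(tag, body):
    n = len(body)                              # sample bodies stay under 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def _name(cn):
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def sample_cert(subject, issuer):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer) + _der(0x30, b"") + _name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

INTERMEDIATE = sample_cert("Constructed Intermediate CA", "Constructed Root CA")
ROOT = sample_cert("Constructed Root CA", "Constructed Root CA")
```

To use it on a real bundle, pass the bytes of the chain file to `self_issued_positions`; an empty list means no self-issued certificate is present.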



Source: https://stackoverflow.com/questions/38710027/why-is-aws-cloudfront-no-longer-delivering-assets-after-i-updated-an-expired-ssl
