2

I am having a problem similar but not identical to the problem in "CloudFront error when serving over HTTPS using SNI". My domain is cartasblogatorias.com, and the Cloudfront URL is d2nmvk8sd34zkj.cloudfront.net. I have a CNAME pointing cdn.cartasblogatorias.com at the Cloudfront URL:

$ dig cdn.cartasblogatorias.com CNAME
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> cdn.cartasblogatorias.com CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20775
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;cdn.cartasblogatorias.com. IN  CNAME

;; ANSWER SECTION:
cdn.cartasblogatorias.com. 300  IN  CNAME   d2nmvk8sd34zkj.cloudfront.net.

My website is HTTPS-only, and I have set up the Cloudfront distribution for HTTPS only, too. I have successfully uploaded a new certificate to IAM. The certificate checks out; here are the SSL Labs results: https://www.ssllabs.com/ssltest/analyze.html?d=cdn.cartasblogatorias.com&s=54.230.34.152&hideResults=on.

If I try to retrieve a document from Cloudfront, I get a Bad Gateway error. Here is an example.

$ curl -v -i https://cdn.cartasblogatorias.com/wp-content/themes/blogatory2013/style.css
* About to connect() to cdn.cartasblogatorias.com port 443 (#0)
*   Trying 54.230.49.87...
* connected
* Connected to cdn.cartasblogatorias.com (54.230.49.87) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*    subject: OU=Domain Control Validated; OU=PositiveSSL; CN=cdn.cartasblogatorias.com
*    start date: 2014-11-11 00:00:00 GMT
*    expire date: 2015-11-11 23:59:59 GMT
*    subjectAltName: cdn.cartasblogatorias.com matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*    SSL certificate verify ok.
> GET /wp-content/themes/blogatory2013/style.css HTTP/1.1
> User-Agent: curl/7.26.0
> Host: cdn.cartasblogatorias.com
> Accept: */*
> 
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 502 Bad Gateway
HTTP/1.1 502 Bad Gateway
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 538
Content-Length: 538
< Connection: keep-alive
Connection: keep-alive
< Server: CloudFront
Server: CloudFront
< Date: Wed, 12 Nov 2014 23:31:49 GMT
Date: Wed, 12 Nov 2014 23:31:49 GMT
< X-Cache: Error from cloudfront
X-Cache: Error from cloudfront
< Via: 1.1 d4222c62b25c473e3144101cac9e476a.cloudfront.net (CloudFront)
Via: 1.1 d4222c62b25c473e3144101cac9e476a.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: 8FfTtqnpL3SKc1o4yfcJxHxlHE6_XA40wslC8wmanU1sDPcuBBTzTw==
X-Amz-Cf-Id: 8FfTtqnpL3SKc1o4yfcJxHxlHE6_XA40wslC8wmanU1sDPcuBBTzTw==

< 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: gb2PWX0fp0WLPIWchwZu0s5RZOi5OnkJKfaDXjCiOMySxM3MzcJGXg==
</PRE>
<ADDRESS>
</ADDRESS>
* Connection #0 to host cdn.cartasblogatorias.com left intact
</BODY></HTML>* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

If I try this using the cloudfront URL instead of the CNAME, I get a 403 error instead of a 502 error.

$ curl -v -i d2nmvk8sd34zkj.cloudfront.net/wp-content/themes/blogatory2013/style.css
* About to connect() to d2nmvk8sd34zkj.cloudfront.net port 80 (#0)
*   Trying 54.230.49.84...
* connected
* Connected to d2nmvk8sd34zkj.cloudfront.net (54.230.49.84) port 80 (#0)
> GET /wp-content/themes/blogatory2013/style.css HTTP/1.1
> User-Agent: curl/7.26.0
> Host: d2nmvk8sd34zkj.cloudfront.net
> Accept: */*
> 
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Server: CloudFront
Server: CloudFront
< Date: Wed, 12 Nov 2014 23:36:33 GMT
Date: Wed, 12 Nov 2014 23:36:33 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 538
Content-Length: 538
< Connection: keep-alive
Connection: keep-alive
< X-Cache: Error from cloudfront
X-Cache: Error from cloudfront
< Via: 1.1 18d45aa6695a141c1f24bfdb6749025d.cloudfront.net (CloudFront)
Via: 1.1 18d45aa6695a141c1f24bfdb6749025d.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: EmskMTIcA44_RC_gXVjFbGMDn18MQ8e3Bl4fe3YbRAy9DKrH1CfJww==
X-Amz-Cf-Id: EmskMTIcA44_RC_gXVjFbGMDn18MQ8e3Bl4fe3YbRAy9DKrH1CfJww==

< 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: EmskMTIcA44_RC_gXVjFbGMDn18MQ8e3Bl4fe3YbRAy9DKrH1CfJww==
</PRE>
<ADDRESS>
</ADDRESS>
* Connection #0 to host d2nmvk8sd34zkj.cloudfront.net left intact
</BODY></HTML>* Closing connection #0

I do not see any relevant entries in either my access.log file or my error.log file after trying to retrieve these documents, so it seems to me that cloudfront is not even trying to retrieve the document from my server.

I have another website with exactly the same setup, and this works with no problem.

$ curl -v -i https://cdn.lettersblogatory.com/wp-content/themes/blogatory2013/style.css
* About to connect() to cdn.lettersblogatory.com port 443 (#0)
*   Trying 54.230.51.124...
* connected
* Connected to cdn.lettersblogatory.com (54.230.51.124) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*    subject: OU=Domain Control Validated; OU=PositiveSSL; CN=cdn.lettersblogatory.com
*    start date: 2014-09-01 00:00:00 GMT
*    expire date: 2015-09-01 23:59:59 GMT
*    subjectAltName: cdn.lettersblogatory.com matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*    SSL certificate verify ok.
> GET /wp-content/themes/blogatory2013/style.css HTTP/1.1
> User-Agent: curl/7.26.0
> Host: cdn.lettersblogatory.com
> Accept: */*
> 
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/css
Content-Type: text/css
< Content-Length: 3986
Content-Length: 3986
< Connection: keep-alive
Connection: keep-alive
< Date: Wed, 12 Nov 2014 23:49:46 GMT
Date: Wed, 12 Nov 2014 23:49:46 GMT
< Server: Apache
Server: Apache
< Last-Modified: Tue, 07 Oct 2014 02:30:12 GMT
Last-Modified: Tue, 07 Oct 2014 02:30:12 GMT
< ETag: "2617e-f92-504cbfa940334"
ETag: "2617e-f92-504cbfa940334"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: max-age=604800
Cache-Control: max-age=604800
< Expires: Wed, 19 Nov 2014 23:49:46 GMT
Expires: Wed, 19 Nov 2014 23:49:46 GMT
< Strict-Transport-Security: max-age=15552000; includeSubDomains
Strict-Transport-Security: max-age=15552000; includeSubDomains
< Vary: Accept-Encoding
Vary: Accept-Encoding
< X-Cache: Miss from cloudfront
X-Cache: Miss from cloudfront
< Via: 1.1 c29727627b176634b1d591f0d7a258d7.cloudfront.net (CloudFront)
Via: 1.1 c29727627b176634b1d591f0d7a258d7.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: egp0Hu5XVUeedCJNJ2Xu0R8xbex5DjJFXxZoUXJVBg5aciSIWA6SfA==
X-Amz-Cf-Id: egp0Hu5XVUeedCJNJ2Xu0R8xbex5DjJFXxZoUXJVBg5aciSIWA6SfA==

[Contents of the file here] 

* Connection #0 to host cdn.lettersblogatory.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

As far as I can tell the cloudfront settings are identical for the two websites. The problem site has a brand-new certificate. The other certificate is older.

I am speculating that the problem may have to do with the newer certificate, which was issued using SHA2 due to the SHA1 deprecation, but I don't know why that would be or what to do about it. All suggestions appreciated.

Thanks!

TJF

1 Answer

4

Answered my own question. The trouble wasn't with the certificate I uploaded to Cloudfront; it was with the certificate on the origin server. The certificate worked fine for web browsing, but the order of the certificates in the intermediate certificate file was wonky. More specifically, when I had originally obtained the certificate from Comodo, I had mistakenly selected "Apache + OpenSSL" instead of "Apache + Mod SSL." I reissued the certificate and restarted my Apache server with the new certificate, and Cloudfront now is able to connect to the server.

TJF

I also made the mistake of creating my CSR locally instead of on my Digital Ocean server... in addition to compiling the certs wrong – jgraft Jan 28 '15 at 03:59
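The root cause in the answer, an intermediate chain on the origin that was in the wrong order, worked in browsers but not for CloudFront's connection to the origin, and it can be caught before deployment. The following is an added example, not code from the question, the answer or CloudFront: a small Python checker that reads a PEM bundle (for instance the file Apache's SSLCertificateChainFile points at), pulls issuer and subject straight out of each certificate's DER so it needs no third-party library, and reports any certificate that is not followed by its issuer. The sample chain at the bottom is constructed, unsigned skeleton data with made-up names (cdn.example, Inter CA, Root CA).

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # read one DER TLV -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_names(der):  # -> (issuer, subject) as raw DER Name bytes
    _, cert, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)            # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0      # skip optional [0] EXPLICIT version
    _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)      # issuer Name
    _, _, pos = _tlv(tbs, pos)           # validity
    _, subject, _ = _tlv(tbs, pos)       # subject Name
    return issuer, subject

def chain_problems(pem_bundle):  # -> list of ordering problems (empty = good)
    ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_bundle)]
    names = [cert_names(d) for d in ders]
    problems = []
    if len(names) > 1 and names[0][0] == names[0][1]:
        problems.append("cert 1 is self-signed; the leaf must come first")
    for i in range(len(names) - 1):      # each cert must be followed by its issuer
        if names[i][0] != names[i + 1][1]:
            problems.append(f"cert {i + 1} was not issued by cert {i + 2}")
    return problems

# Constructed sample data: unsigned certificate skeletons, DER-shaped only as far
# as the fields read above; they exercise the ordering check, nothing more.
def _der(tag, body):  # short-form length only; every body here is < 128 bytes
    return bytes([tag, len(body)]) + body

def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))))

def fake_cert(subject, issuer):  # version v3, serial 1, empty placeholder fields
    tbs = (bytes.fromhex("A003020102020101") + _der(0x30, b"") + _name(issuer)
           + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

LEAF = fake_cert("cdn.example", "Inter CA")
INTER = fake_cert("Inter CA", "Root CA")
ROOT = fake_cert("Root CA", "Root CA")
GOOD_CHAIN = LEAF + INTER + ROOT      # leaf first, then its issuer, then the root
BAD_CHAIN = ROOT + INTER + LEAF       # the "wonky" order a browser may still accept
```

In practice, feed chain_problems() the bundle the origin actually serves, for example the certificates printed by `openssl s_client -showcerts`, since that is what CloudFront sees rather than what the CA's download page labelled the files.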