I have set up an EC2 with WordPress installed on it. It listens on port 80.
I have created an Application Load Balancer in front of it, used ACM to create a certificate (signed by Amazon), and created an HTTPS listener that forwards from 443 to port 80 on the EC2 instance from (1). The listener uses ELBSecurityPolicy-TLS-1-2-Ext-2018-06 as the security policy.
I configured a Route 53 A record from the domain to the ELB. This works perfectly.
After that I tried to create a CloudFront distribution supporting HTTPS only, with the correct CN and a custom certificate (the same cert used in (2)).
I get the infamous 502.
I read a ton of posts about trying to resolve it and followed this working example to the letter: https://www.youtube.com/watch?v=9O2bqYqySEY. Nothing works for me; I still get the 502 error.
I used openssl (openssl s_client -connect mydomain:443) to try and make sense of it. I get:
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5479 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
closed
What strikes me as weird is that it used TLSv1.3 (which I know AWS only added a few months ago).
BTW, when I ran the same openssl command against the working setup (stage 3), I saw that it was using TLSv1.2 when it was working.
I also tried to find an option to force CloudFront to use TLSv1.2, but I couldn't.
I know many people have asked about this topic, yet I think this is a new issue since TLSv1.3 was added recently, and none of the other answers helped.
Any advice? Thank you.
OK, it turns out the problem was with the ELB's security policy. I didn't have it configured as ELBSecurityPolicy-TLS-1-2-Ext-2018-06 (but rather the default) at the beginning. Then I switched it to ELBSecurityPolicy-TLS-1-2-Ext-2018-06...
But I didn't see any change. After a few hours, when I had given up, I checked it again and it worked, so I am guessing it needed some time / caching.
All works fine now.
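As an added example (not code from the question or the answer above): a small audit that flags ALB HTTPS listeners still on a policy other than the TLS 1.2 policies, which is the setting the answer identified as the fix. The listener JSON and ARNs below are constructed; `aws elbv2 describe-listeners` and `aws elbv2 modify-listener` are the real CLI commands it wraps.

```python
import json
from typing import Dict, List

# Constructed sample of `aws elbv2 describe-listeners` output (fake ARNs),
# with the HTTPS listener still on the ALB default policy.
SAMPLE_LISTENERS = json.dumps({
    "Listeners": [
        {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111122223333:listener/app/wp-alb/abc123/https1",
         "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111122223333:listener/app/wp-alb/abc123/http1",
         "Port": 80, "Protocol": "HTTP"},
    ]
})

# TLS-1.2-only ALB policies; the first is the one the answer switched to.
TLS12_POLICIES = {
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
}


def audit_listeners(describe_listeners_json: str,
                    allowed=TLS12_POLICIES) -> List[Dict[str, object]]:
    """Return one finding per HTTPS/TLS listener whose SslPolicy is not in
    `allowed`, each with the modify-listener command that would fix it."""
    findings = []
    for lst in json.loads(describe_listeners_json)["Listeners"]:
        if lst.get("Protocol") not in ("HTTPS", "TLS"):
            continue  # plain HTTP/TCP listeners carry no TLS policy
        policy = lst.get("SslPolicy", "")
        if policy in allowed:
            continue
        findings.append({
            "listener_arn": lst["ListenerArn"],
            "port": lst["Port"],
            "current_policy": policy,
            "fix": ("aws elbv2 modify-listener --listener-arn {} "
                    "--ssl-policy ELBSecurityPolicy-TLS-1-2-Ext-2018-06").format(lst["ListenerArn"]),
        })
    return findings


if __name__ == "__main__":
    import subprocess, sys
    if len(sys.argv) > 1:  # pass a load balancer ARN to audit a live ALB
        out = subprocess.run(["aws", "elbv2", "describe-listeners", "--load-balancer-arn",
                              sys.argv[1], "--output", "json"],
                             check=True, capture_output=True, text=True).stdout
    else:
        out = SAMPLE_LISTENERS  # offline run against the constructed sample
    for f in audit_listeners(out):
        print(f"port {f['port']}: policy {f['current_policy']!r} -> {f['fix']}")
```

Run with no arguments to see the sample finding, or with an ALB ARN to audit a real load balancer (needs AWS CLI credentials); note that, as the answer observed, a changed policy can take a while to show up end to end.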