
CloudFrontInvalidOrigin - CloudFront Invalid Origin

Getting a **CloudFrontInvalidOrigin** error means the origin in your CloudFront distribution configuration is invalid: the origin domain name, the origin protocol policy or the port settings do not meet CloudFront's requirements. It is a client-side (4xx) error returned by the CloudFront API when it validates the origin in a CreateDistribution or UpdateDistribution request, so it surfaces at configuration time, not when viewers send requests. The most common cause is an origin domain name that is not a bare hostname (it carries a scheme, a path or a port, or it is an IP address); an invalid protocol policy or port comes next. An origin that does not resolve, is not reachable from the internet, or presents an expired, self-signed or mismatched TLS certificate usually passes API validation and fails later with 502 responses from CloudFront, so the connectivity and certificate checks below are worth running before the configuration is deployed.

Common Causes

  • Configuration: the origin domain name is not a bare hostname (it includes a scheme such as https://, a path, a port, an underscore or a trailing dot) or it is an IP address. OriginProtocolPolicy is not one of http-only, https-only or match-viewer. HTTPPort or HTTPSPort is outside 1-65535. An S3 REST endpoint (bucket.s3.REGION.amazonaws.com) is configured as a custom origin, or an S3 website endpoint (bucket.s3-website-REGION.amazonaws.com) is configured as an S3 origin.
  • Network: the origin domain does not resolve in public DNS, or the origin is reachable only from inside a VPC, so a standard custom origin cannot be fetched from CloudFront's edge locations.
  • TLS: the origin certificate is expired, self-signed or issued for a different name than the origin domain name, so CloudFront's HTTPS connection to the origin fails.

Solutions

  1. Step 1: Diagnose - Validate the origin domain name. It must be a bare hostname with no scheme, path or port. Check the format (multi-label names such as S3 and ALB hostnames are allowed): echo DOMAIN | grep -E '^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'. Test DNS resolution: nslookup DOMAIN.
  2. Step 2: Diagnose - Test origin connectivity from outside your network, because CloudFront connects from its edge locations. Test HTTPS: curl -sSI --max-time 10 https://DOMAIN. Test HTTP: curl -sSI --max-time 10 http://DOMAIN. curl exits non-zero on DNS, connection and TLS failures.
  3. Step 3: Diagnose - Check the origin protocol policy and ports. OriginProtocolPolicy must be https-only, http-only or match-viewer, and HTTPPort (default 80) and HTTPSPort (default 443) must be ports the origin actually listens on. S3 website endpoints serve HTTP only, so they need http-only; S3 REST endpoints belong in S3OriginConfig rather than CustomOriginConfig.
  4. Step 4: Diagnose - Validate the SSL certificate: openssl s_client -connect DOMAIN:443 -servername DOMAIN. The certificate must be unexpired, issued by a publicly trusted CA and match the origin domain name; CloudFront rejects self-signed and mismatched certificates with a 502 at request time.
  5. Step 5: Fix - Use a correct origin configuration: a valid bare hostname as the origin domain name, a protocol policy and ports that match what the origin serves, and an origin that resolves and answers from the internet. Test origin connectivity before creating or updating the distribution.
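The configuration-side checks of steps 1, 3 and 5, carried out offline in one script so they can run in CI before create-distribution or update-distribution is called. This is an added example, not code from the original page or from AWS; the function names (check_origin_domain, origin_type, check_custom_origin) and the sample domains are constructed for illustration. It goes beyond the page's two-label regex: it accepts multi-label names such as S3 and ALB hostnames, rejects schemes, paths, ports, underscores and bare IP addresses, and tells an S3 REST endpoint (which belongs in S3OriginConfig) apart from an S3 website endpoint (which serves HTTP only and must be a custom origin with OriginProtocolPolicy http-only).

```bash
#!/bin/bash
# Added example, not from the original page or from AWS: offline pre-flight
# checks for a CloudFront origin, run before create-distribution or
# update-distribution. Function names and sample inputs are constructed.

# check_origin_domain DOMAIN
# Returns 0 when DOMAIN is a syntactically acceptable origin domain name:
# a bare hostname (no scheme, path, port, trailing dot or underscore), at
# least two labels of 1-63 characters from [A-Za-z0-9-] that neither start
# nor end with '-', an alphabetic last label (so bare IP addresses are
# rejected), and at most 253 characters overall.
check_origin_domain() {
  local d="$1"
  case "$d" in
    ''|*://*|*/*|*:*|*.|*_*) return 1 ;;
  esac
  [ "${#d}" -le 253 ] || return 1
  printf '%s\n' "$d" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# origin_type DOMAIN
# Prints the kind of origin block the domain needs:
#   s3-website  S3 website endpoint: CustomOriginConfig, HTTP only
#   s3          S3 REST endpoint:    S3OriginConfig
#   custom      anything else:       CustomOriginConfig
# Website patterns are tested first because they also match the generic
# "s3-<something>.amazonaws.com" pattern on the next line.
origin_type() {
  case "$1" in
    *.s3-website-*.amazonaws.com|*.s3-website.*.amazonaws.com) echo s3-website ;;
    *.s3.amazonaws.com|*.s3.*.amazonaws.com|*.s3-*.amazonaws.com) echo s3 ;;
    *) echo custom ;;
  esac
}

# check_custom_origin DOMAIN PROTOCOL_POLICY HTTP_PORT HTTPS_PORT
# Returns 0 when the CustomOriginConfig values are valid and consistent;
# otherwise prints the first problem found to stderr and returns 1.
check_custom_origin() {
  local domain="$1" policy="$2" http_port="$3" https_port="$4" p
  check_origin_domain "$domain" || {
    echo "invalid origin domain name: $domain" >&2; return 1; }
  case "$policy" in
    http-only|https-only|match-viewer) ;;
    *) echo "invalid OriginProtocolPolicy: $policy" >&2; return 1 ;;
  esac
  for p in "$http_port" "$https_port"; do
    case "$p" in
      ''|*[!0-9]*) echo "port is not a number: '$p'" >&2; return 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      echo "port out of range: $p" >&2; return 1
    fi
  done
  case "$(origin_type "$domain")" in
    s3-website)
      if [ "$policy" != http-only ]; then
        echo "S3 website endpoints serve HTTP only; use OriginProtocolPolicy http-only" >&2
        return 1
      fi ;;
    s3)
      echo "$domain is an S3 REST endpoint; put it in S3OriginConfig, not CustomOriginConfig" >&2
      return 1 ;;
  esac
  return 0
}

# Demo over constructed inputs: one line per case, no network access needed.
for d in example.com api.internal.example.com https://example.com \
         example.com/path example.com:8443 192.0.2.10 my_app.example.com; do
  if check_origin_domain "$d"; then echo "ok      $d"; else echo "reject  $d"; fi
done
check_custom_origin api.example.com https-only 80 443 && echo "ok      api.example.com https-only"
check_custom_origin my-site.s3-website-us-east-1.amazonaws.com https-only 80 443 \
  || echo "reject  my-site.s3-website-us-east-1.amazonaws.com https-only"
```

Run the script as-is to see the demo, or source it and call check_custom_origin with the values you are about to put into a distribution config; a non-zero exit with the reason on stderr is the same mistake the CloudFront API would reject, caught before the API call.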

Code Examples

Validate Origin Domain Name and DNS Resolution
```bash
#!/bin/bash
ORIGIN_DOMAIN="example.com"

echo "=== Validating Origin Domain ==="
echo "Domain: ${ORIGIN_DOMAIN}"

# Check domain format: one or more labels of letters, digits and hyphens
# (no leading or trailing hyphen) followed by an alphabetic TLD. A scheme,
# path, port or trailing dot does not match and is rejected.
DOMAIN_RE='^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
if [[ ! ${ORIGIN_DOMAIN} =~ ${DOMAIN_RE} ]]; then
  echo "✗ Invalid domain format (CloudFrontInvalidOrigin)"
  exit 1
else
  echo "✓ Domain format valid"
fi

# Check DNS resolution (nslookup exits non-zero when the name does not resolve)
printf '\n=== Checking DNS Resolution ===\n'
if nslookup "${ORIGIN_DOMAIN}" &>/dev/null; then
  echo "✓ Domain resolves"
else
  echo "✗ Domain does not resolve (CloudFrontInvalidOrigin)"
  exit 1
fi
```
Test Origin Connectivity and SSL
```bash
#!/bin/bash
ORIGIN_DOMAIN="example.com"

echo "=== Testing Origin Connectivity ==="

# -sS: quiet except for errors; -I: HEAD request; --max-time: do not hang on
# a dead origin. curl exits non-zero on DNS, connection and TLS failures.
echo "Testing HTTPS..."
if curl -sSI --max-time 10 -o /dev/null "https://${ORIGIN_DOMAIN}"; then
  echo "✓ HTTPS accessible"
  HTTPS_OK=true
else
  echo "✗ HTTPS not accessible"
  HTTPS_OK=false
fi

printf '\nTesting HTTP...\n'
if curl -sSI --max-time 10 -o /dev/null "http://${ORIGIN_DOMAIN}"; then
  echo "✓ HTTP accessible"
  HTTP_OK=true
else
  echo "✗ HTTP not accessible"
  HTTP_OK=false
fi

if [ "${HTTPS_OK}" = "false" ] && [ "${HTTP_OK}" = "false" ]; then
  printf '\n✗ Origin not accessible (CloudFrontInvalidOrigin)\n'
  exit 1
fi

# Test the SSL certificate. -servername sends SNI so the origin presents the
# certificate for this name; "Verify return code: 0" means the chain validated
# against the local CA store and the name matched.
printf '\n=== Testing SSL Certificate ===\n'
if command -v openssl &>/dev/null; then
  if echo | openssl s_client -connect "${ORIGIN_DOMAIN}:443" -servername "${ORIGIN_DOMAIN}" 2>&1 \
       | grep -q "Verify return code: 0"; then
    echo "✓ SSL certificate valid"
  else
    echo "⚠ SSL certificate issues (CloudFrontInvalidOrigin)"
  fi
else
  echo "openssl not installed - cannot test SSL"
fi
```
Create Valid CloudFront Origin Configuration
```bash
#!/bin/bash
ORIGIN_DOMAIN="example.com"
ORIGIN_CONFIG="origin-config.json"

echo "=== Creating CloudFront Origin Configuration ==="

# Validate the domain first: it must resolve in public DNS
if ! nslookup "${ORIGIN_DOMAIN}" &>/dev/null; then
  echo "✗ Domain does not resolve (CloudFrontInvalidOrigin)"
  exit 1
fi

# Write one Origins.Items entry for a custom (non-S3) origin. https-only makes
# CloudFront fetch over TLS regardless of how the viewer connected, and listing
# only TLSv1.2 in OriginSslProtocols stops CloudFront from negotiating
# TLSv1.0/1.1 or SSLv3 with the origin. Embed this entry in a full
# DistributionConfig before passing it to aws cloudfront create-distribution.
cat > "${ORIGIN_CONFIG}" <<EOF
{
  "Id": "origin1",
  "DomainName": "${ORIGIN_DOMAIN}",
  "CustomOriginConfig": {
    "HTTPPort": 80,
    "HTTPSPort": 443,
    "OriginProtocolPolicy": "https-only",
    "OriginSslProtocols": {
      "Quantity": 1,
      "Items": ["TLSv1.2"]
    }
  }
}
EOF

echo "✓ Origin configuration created: ${ORIGIN_CONFIG}"
printf '\n=== Configuration ===\n'
cat "${ORIGIN_CONFIG}"

# Send the request the way CloudFront will: the Host header is the origin
# domain name and the User-Agent is the one CloudFront presents to origins.
printf '\n=== Test Origin Response ===\n'
curl -sSI --max-time 10 "https://${ORIGIN_DOMAIN}" \
  -H "Host: ${ORIGIN_DOMAIN}" \
  -H "User-Agent: Amazon CloudFront" 2>&1 | head -5
```

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.
