Introduction

Custom domain SSL handshake failures on a CDN prevent users from accessing the CDN-protected content over HTTPS. This is often due to certificate configuration or domain verification issues.

Symptoms

- SSL handshake error for custom CDN domain
- Error: "SSL_ERROR_UNSUPPORTED_PROTOCOL"
- Custom domain works with HTTP but not HTTPS
- Certificate shows wrong domain name
- Browser shows certificate warning for custom domain

Common Causes

- Custom certificate not uploaded to CDN
- Certificate domain does not match custom domain
- Domain verification not completed
- TLS version mismatch between client and CDN
- SNI not supported by older clients

Step-by-Step Fix

1. **Verify the certificate matches the custom domain:**
   ```bash
   echo | openssl s_client -connect custom.cdn.example.com:443 -servername custom.cdn.example.com 2>/dev/null \
     | openssl x509 -noout -subject -ext subjectAltName
   ```

2. **Upload and associate the certificate:**
   ```bash
   # CloudFront (the ACM certificate must be requested in us-east-1)
   aws acm request-certificate --domain-name custom.cdn.example.com --validation-method DNS
   # After DNS validation, associate with distribution
   ```
3. **Verify the domain CNAME is correctly configured:**
   ```bash
   dig CNAME custom.cdn.example.com
   # Should point to CDN distribution domain
   ```
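To turn the output of the step 1 command into a pass/fail answer, the following added example (not part of the original article) checks whether the certificate's DNS SAN entries cover a hostname, including the rule that a wildcard stands for only one label. The function name `san_covers` and the sample certificate text are assumptions made for illustration; the subject CN is ignored because current clients match on SAN entries only.

```bash
# Constructed sample of `openssl x509 -noout -subject -ext subjectAltName`
# output; all names are placeholders.
SAMPLE_CERT_TEXT='subject=CN = cdn.example.com
X509v3 Subject Alternative Name:
    DNS:cdn.example.com, DNS:*.example.com'

# san_covers HOST  (hypothetical helper)
# Reads the openssl output on stdin.
# Returns 0 if a DNS SAN entry covers HOST, 1 otherwise.
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    parent=${host#*.}   # HOST minus its left-most label
    # One lower-cased DNS name per line, taken from "DNS:a, DNS:b".
    names=$(tr ',' '\n' | tr '[:upper:]' '[:lower:]' |
        sed -n 's/^[[:space:]]*dns:\([^[:space:]]*\).*$/\1/p')
    while IFS= read -r san; do
        case $san in
            "$host")
                return 0 ;;          # exact match
            '*.'*)
                # A wildcard stands for exactly one left-most label;
                # ${san#??} drops the leading "*." before comparing.
                if [ "$parent" != "$host" ] && [ "${san#??}" = "$parent" ]; then
                    return 0
                fi ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# Demo on the constructed sample.
for h in cdn.example.com img.example.com custom.cdn.example.com; do
    if printf '%s\n' "$SAMPLE_CERT_TEXT" | san_covers "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered (expect a certificate warning)"
    fi
done
```

Against a live endpoint, pipe the step 1 command into `san_covers custom.cdn.example.com` in place of the sample text.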

Prevention

- Use CDN-managed SSL certificates (auto-renewal)
- Verify domain ownership before certificate upload
- Test custom domain SSL after every certificate change
- Monitor custom domain SSL certificate expiration
- Support both SNI and dedicated IP for legacy clients