Sentinel s2 l1c - 502 error by cloudfront - Unable to access meta-files and preview image from http

Until last week/month we were able to access public url like:

which used to display list of files and folders. I can still access the metadata.xml directly using url like:

To check what dates the data is available and to check product information, we used to hit:
that used to give list of dates (in json format).

But now we are getting 502 error as shown below:

As of today (or yesterday?), I can’t access the some products anymore. E.g. for, I get a 502 Error:


The request could not be satisfied.

The Lambda function returned an invalid entry in the headers object: The header must have a value field.
If you received this error while trying to use an app or access a website, please contact the provider or website owner for assistance.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by following steps in the CloudFront documentation (

Generated by cloudfront (CloudFront) Request ID: 4H2Yz-s1R4J7YHYMWd4x8Wyiah2N6X6Xi0C-4E3InA7MvLG_N9_S6Q==")

Whats weird is that the metadata files (e.g. seem to work, but not the images (e.g., which is a problem for us.

This issue was fixed, I believe. There might still be some errors on URLs, that were called in the last day or two, due to CloudWatch cache. But for new requests it should hopefully work.

Seems to work again, thanks!

Yes, seems to be working now. It might be due to CloudWatch Cache. Thanks :slight_smile:


We usually download, from metadata, MSK_CLOUDS_B00.GFS and MSK_CLOUDS_B00.GML.

I’m browsing several random RODA folders and can’t see the .GFS file for any acquisition. Is this due to this issue? When will access to those files be re-established?

Kind regards,

These files are only available over S3, for about 6 months now.

CloudFront cannot connect to origins with invalid certificates. You have a few options:

  • You can configure your distribution to connect to your backed on http only.
  • Put an ELB/ALB in front of your instance and terminate the TLS on the Balancer. You can use Amazon Certificate manager to create a certificate for free.
  • Purchase a certificate from a 3rd party and use it on your instance.

I met this issue some time before. The request blocked by CloudFront.

Please check this list:

CDN domain added in Cloudfront Alternate Domain Names. Once you add CDN domain to Cloudfront, you can select CloudFront endpoint without typing

WAF (if any) does not block your request

Check Http and Https