ViewerCertificateException - Cloudfront not aware of wildcard on Certificate - amazon-web-services

I have a CloudFront distribution that I want to serve the following domains, which I am trying to list as CNAMEs:
domain.com
www.domain.com
domain.ca
www.domain.ca
Now my certificate has *.domain.com and *.domain.ca and is approved.
But when I try to add either "domain.com" or "domain.ca" to my CloudFront CNAMEs, I get this error.
Why do I get this?
ViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add.

Wildcard certificate *.domain.ca does not cover domain.ca. Same case for domain.com. You need to re-issue your certificate to include both the wildcards and the domain.com and domain.ca. From the docs:
Also note that *.example.com protects only the subdomains of example.com, it does not protect the bare or apex domain (example.com). However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects example.com and *.example.com.

Related

Is it possible to redirect a subdomain to a different domain (behind CloudFront distribution)?

We own two different domains and manage them in Route 53; to keep things simple I'll refer to them as example.com and secondary.com. Originally we had three CloudFront distributions with the following alternate domain names (CNAMEs), all of which have SSL certificates as well:
general.example.com
whatsnew.example.com
help.secondary.com
Since we're retiring example.com, we've been trying to redirect general.example.com & whatsnew.example.com to help.secondary.com. For now the CloudFront distributions for #1 and #2 above have been disabled. Following the guide below I was able to redirect the root domain (example.com) to help.secondary.com.
AWS Doc on redirecting domains
Currently the Route 53 root record for the example.com domain points to an S3 bucket named after it per AWS' doc.
Record name | Type | Value | Error
example.com | A | s3-website-us-east-1.amazonaws.com. | none: redirects successfully
However, when I try this for general & whatsnew (these have their own S3 buckets as well) the redirection fails with the only error code being ERR_CONNECTION_TIMED_OUT. Below are other changes I've tested in Route 53, through an incognito Chrome browser, and their results. I get that the SSL errors are due to the difference in domains, but I'm not understanding how the same config works for example.com and not its subdomains. May not matter, but the secondary.com domain lives in a different AWS account, which we also own. Are these redirections possible?
Record name | Type | Value | Error
general.example.com | CNAME | example.com | ERR_CONNECTION_TIMED_OUT
general.example.com | CNAME | help.secondary.com | ERR_SSL_PROTOCOL_ERROR
general.example.com | CNAME | randomstring.cloudfront.net (CloudFront domain name for help.secondary.com) | ERR_SSL_PROTOCOL_ERROR

How to enable SSL certificate on subdomain in AWS

An SSL certificate is already enabled on my main domain, but now I want to enable SSL on my subdomain too. So how can I enable it on my subdomain? I am using AWS services.
If you want to generate an SSL certificate for your subdomain, you will need to go through the ACM process again in the region(s) you're operating in.
When you specify the domain for the certificate you can either specify an absolute subdomain (foo.example.com) or specify a wildcard domain (*.example.com).
Once you have specified this you will need to go through the standard validation approach to have the certificate approved.
As an additional point going forward, AWS supports adding multiple domains to a single certificate, so you could add the root domain (example.com) and the wildcard subdomain (*.example.com) to the same certificate, which would allow you to use one certificate for both.
No, it is not possible to edit an existing certificate to add more domains or a sub-domain of an already existing domain on an ACM certificate.
In case you wish to obtain a certificate for a new domain or sub-domain you can either have two separate certificates for the domain and sub-domain or delete the older certificate and request a new certificate with both the domain and sub-domain on the certificate.
A single certificate can hold domain.com & *.domain.com. Also, the same certificate can have domain1.com & *.domain1.com.
Source https://forums.aws.amazon.com/thread.jspa?messageID=931119

How can I point a route53 Apex Domain registry to a CloudFront Distribution?

When I try to add an apex domain to the CloudFront Alternate Domain Names list, it throws the following error:
[image: CloudFront error]
I know my configuration works, because I am able to use the same domain with www as subdomain without any problem: [image: CloudFront config]
And I'm sure Route 53 is not the problem, because I can create the Alias record with no problem pointing to my CloudFront distribution, but if CloudFront doesn't let me add the apex domain to its list, it will reject any request.
Note: an apex domain is a URL without the subdomain part, i.e. domain.io
The error you get is probably because your certificate in ACM has been registered for www.domain.io or *.domain.io. Such a certificate does not cover the apex domain domain.io. From the AWS documentation:
When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com and test.example.com, but it cannot protect test.login.example.com. Also note that *.example.com protects only the subdomains of example.com, it does not protect the bare or apex domain (example.com). However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects example.com and *.example.com
The typical solution is to create a new certificate for both domains, *.domain.io and domain.io, or both www.domain.io and domain.io.

AWS cloudfront not working with custom domain

I am trying to use CloudFront for a static S3 website with my custom domain.
Following are the steps I followed:
1) Setup a s3 bucket (say, example.com) and enabled static website hosting on it.
2) Also setup a s3 bucket (www.example.com) which redirects to example.com.
3) In route 53, added a hosted zone (example.com) and added the record sets.
4) After this, http://example.com works for me.
Now I am trying to add cloudfront to it. I added the following steps:
5) From Amazon Certificate Manager, added a certificate for www.example.com and got it verified (added to Route 53 DNS, it was verified automatically after some time).
6) Created a cloudfront distribution with following settings:
Domain Origin: www.example.com
Origin Protocol Policy: HTTP Only
Alternate Domain Name: www.example.com
SSL Certificate: Selected from ACM
When I try to launch: https://example.com or https://www.example.com, the site doesn't load. http://example.com does load, but I am not sure if cloudfront is actually working on this or not. Also why is https not loading?
To set up the S3 bucket behind the CF distribution WITH SSL you need to:
Setup S3 bucket example.com (Block all public access = off, policy https://d.pr/i/KU1Q4z)
Create certificate in ACM issued at example.com and *.example.com(or specific subdomain at will), validate it
Create CF distribution
Set the created CF distribution's alternate domain names to: example.com, *.example.com (or other specific subdomains here)
Use custom SSL certificate (previously created and validated)
Create/change default origin, to: example.com.s3-website-AWS_REGION.amazonaws.com with origin protocol policy HTTP Only
The CF default origin behaviour should be more or less like this: https://d.pr/i/h6PrG6
In Route 53 set CF A ALIAS for example.com and CNAME for *.example.com (or other subdomain) pointing at CF_DISTRIBUTION_ID.cloudfront.net
You need to go into Route 53 and point the domain at your CloudFront distribution. It won't appear as an option unless you've set the domain as an alternate domain in the distribution settings. Also, that cert won't work for anything except www.example.com, meaning example.com is excluded. You need a cert that includes example.com and www.example.com (or *.example.com to cover all subdomains).

Wildcard for second level subdomain

AWS Certificate Manager isn't allowing me to add a two-level wildcard domain name, which would match x.a.example.com, y.b.example.com, etc.
Is there a workaround for this? (instead of creating *.a.example.com, *.b.example.com etc)
Source: http://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html
Wildcard Names: ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, *.example.com protects www.example.com and images.example.com.
Note: When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com and test.example.com, but it cannot protect test.login.example.com. Also note that *.example.com protects only the subdomains of example.com, it does not protect the bare or apex domain (example.com). However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects example.com and *.example.com.
Unfortunately this is not possible/supported.
You can have Subject Alternative Names or SANs in the certificate for named domains: https://geekflare.com/san-ssl-certificate/
Certificate Signing Request or CSR generation would be something like this (generate the private key first; -addext needs OpenSSL 1.1.1 or newer):
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out my.key
# Browsers validate against the SAN list, not the CN, so the wildcard is repeated as a DNS entry.
openssl req -new -key my.key -out my.csr -subj "/CN=*.domain.com" -addext "subjectAltName=DNS:*.domain.com,DNS:one.complex.domain.com,DNS:completely.another.domain.com"
More details here: https://stackoverflow.com/a/16127802/339052
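Added example, not code from any of the answers above: a small pre-flight check that applies the ACM wildcard rules quoted in these answers before you touch CloudFront. It covers the apex case from the first question on this page (*.domain.ca does not protect domain.ca), the two-level case from this question (*.example.com does not protect x.a.example.com), and emits the subjectAltName value for the openssl CSR command in the previous answer. The function names, the SAN limit of 10 (the figure quoted on this page; it is a default quota), and the sample domain lists are my own assumptions, constructed for illustration.

```python
# Added example for this page (not from any answer above): pre-flight check of
# which CloudFront alternate domain names (CNAMEs) a certificate's SAN list
# actually protects, using the ACM wildcard rules quoted in the answers.
# Function names and the sample data below are assumptions made for this demo.
from __future__ import annotations


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_valid_acm_name(name: str) -> bool:
    """ACM accepts '*' only as the entire leftmost label: no 'a*.x.com',
    no '*.*.x.com', no 'x.*.com', and no empty labels."""
    labels = normalize(name).split(".")
    if any(label == "" for label in labels):
        return False
    if any("*" in label for label in labels[1:]):
        return False
    return labels[0] == "*" or "*" not in labels[0]


def san_covers(san: str, hostname: str) -> bool:
    """True if one SAN entry protects hostname. A wildcard stands for exactly
    one non-empty label, so '*.example.com' covers 'www.example.com' but
    neither the apex 'example.com' nor the deeper 'test.login.example.com'."""
    san, host = normalize(san), normalize(hostname)
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # '.example.com'
    if not host.endswith(suffix):
        return False                      # also rejects the bare apex
    label = host[: -len(suffix)]          # what '*' would have to stand for
    return label != "" and "." not in label


def uncovered(sans: list[str], cnames: list[str]) -> list[str]:
    """CNAMEs no SAN protects: CloudFront raises ViewerCertificateException
    for each of these when you try to add it to the distribution."""
    return [c for c in cnames if not any(san_covers(s, c) for s in sans)]


def sans_to_request(sans: list[str], cnames: list[str], limit: int = 10) -> list[str]:
    """Name list for the replacement certificate: existing SANs plus every
    uncovered CNAME added literally (an issued ACM certificate cannot be
    edited, so a new request is needed). 'limit' is the per-certificate SAN
    count quoted on this page; it is a raisable quota, so treat it as a warning."""
    wanted = list(dict.fromkeys(normalize(s) for s in sans))
    wanted += [normalize(c) for c in uncovered(wanted, cnames)]
    bad = [n for n in wanted if not is_valid_acm_name(n)]
    if bad:
        raise ValueError(f"ACM will not issue these names: {bad}")
    if len(wanted) > limit:
        raise ValueError(f"{len(wanted)} names exceeds the SAN limit of {limit}")
    return wanted


def openssl_san_ext(names: list[str]) -> str:
    """Value for 'openssl req -addext' when you bring your own CSR instead."""
    return "subjectAltName=" + ",".join("DNS:" + normalize(n) for n in names)


if __name__ == "__main__":
    # Constructed sample: the certificate from the first question on this page
    # and the four CNAMEs the asker wanted on the distribution.
    current_sans = ["*.domain.com", "*.domain.ca"]
    wanted_cnames = ["domain.com", "www.domain.com", "domain.ca", "www.domain.ca"]
    print("uncovered:", uncovered(current_sans, wanted_cnames))
    request = sans_to_request(current_sans, wanted_cnames)
    print("request:  ", request)
    print(openssl_san_ext(request))
    # The two-level wildcard case from this question:
    print(san_covers("*.example.com", "x.a.example.com"))  # False
```

Run it before requesting the certificate: the uncovered list is exactly the set of CNAMEs CloudFront will refuse, and the request list is what to pass to ACM (for CloudFront the certificate must be requested in us-east-1). A name that needs a second wildcard level has to be enumerated literally, which is why the two-level wildcard itself is rejected by is_valid_acm_name.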
For those who are having issues with multiple subdomains in their certificate:
Source: https://aws.amazon.com/premiumsupport/knowledge-center/associate-ssl-certificates-cloudfront/
You can't associate more than one SSL or Transport Layer Security (TLS) certificate to an individual CloudFront distribution. However, certificates provided by AWS Certificate Manager (ACM) support up to 10 subject alternative names, including wildcards. To enable SSL or HTTPS for multiple domains served through one CloudFront distribution, assign a certificate from ACM that includes all the required domains.
To use your own SSL certificate for multiple domain names with CloudFront, import your certificate into ACM or the AWS Identity and Access Management (IAM) certificate store. For instructions, see Importing an SSL/TLS Certificate.