AWS Cloudfront for subdomain - amazon-web-services

I am trying to create a CloudFront distribution for a subdomain, e.g. dev.example.com. However, after adding the details for the object's origin, when I go to the alternate domain names (CNAMEs) section and add dev.example.com, I get the following error when I click on create distribution:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: fb305ccd-21e7-4bf8-a55c-df1304c06ac1; Proxy: null)
I am managing my domain DNS through Route 53. I've created a certificate through ACM already, but the option to select a custom SSL certificate is greyed out. I've gone through the AWS docs and couldn't find any solution so far.

This error indicates that the certificate you are attempting to use is incorrect.
Your ACM certificate must be created in us-east-1 for a CloudFront distribution. The reason for this is that CloudFront is a global service; global services can only attach regional services that exist within us-east-1. They also will appear in CloudWatch and CloudTrail under the region us-east-1.
It must also cover the domain you're using. In your case either dev.example.com or *.example.com must be included on your certificate.

You have to create the ACM certificate in us-east-1. Did you?

Related

Cloudfront Alternate Domain Names InvalidViewerCertificateException

My setup
EC2: app
Domain Registrar: namecheap
DNS: route 53
I use EC2 to host my app, AWS Route 53 to direct the URL, and CloudFront to fetch the static files for my app. Right now CloudFront is using the unfriendly domain *.cloudfront.net.
I am using certbot inside my EC2 to provide the SSL connection.
When I tried to change the CloudFront domain name, I used the custom SSL certificate generated by ACM (AWS Certificate Manager), and I encountered the error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 2d39c685-bf17-4d24-9c4b-82955daa878f; Proxy: null)
The ACM cert is generated in N.Virginia, which is fine since my EC2 is hosted there. I generated the cert using *.example.com and it is verified.
I am not sure how to fix that. Any advice?
This will be caused by an invalid domain name being used for the ACM certificate you have provisioned.
Because the ACM certificate generated is *.example.com, only a one-level-deep subdomain can be used.
To explain this further:
www.example.com is a valid subdomain for the ACM certificate
foo.bar.example.com is not a valid subdomain for the ACM certificate
example.com is not valid for this ACM certificate as it is the root domain (and not referenced on the SSL).
Because it is generated in ACM, we can validate that this certificate is compatible as long as it meets the following conditions.
For the SSL to work for the root domain and subdomains it must contain both example.com and *.example.com to work correctly within CloudFront.

Setting CNAMEs to CloudFront

I'm trying to set my domain name to my website.
I went to set CNAMEs to my domain name example.com at AWS CloudFront, when I try to save the edit I'm given the following error by AWS.
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: e30a1b51-b467-4128-a88c-e758bb99f0dc)
Yes, I'm aware that Amazon CloudFront enhances security, which is why I have created a certificate in Certificate Manager in N. Virginia for the domains I wanted (it's currently in Issued status).
However, both the RadioButton and TextField are always in disabled mode; I never get to choose my certificate. If I tap into Request or Import a certificate with ACM, it always brings me back to the same webpage for Request a certificate.
What's my mistake here?
Unbelievable solution. I basically just needed to re-login to AWS; both options (RadioButton and TextField) are actually enabled.

Subdomain on CloudFront not working (certificate not accepted)

In the Cert Manager I have a valid certificate, which includes the *.example.com domain.
In CloudFront I have a distribution with HTTP to HTTPS redirect enabled and empty CNAME field.
When I edit the distribution and enter staging.example.com in the CNAME field and select the certificate I get the following error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 8406d8d5-65c3-11e9-afc0-65457a0a2bea)
Am I missing something? The other distribution for the top level domain is working fine with the same certificate.
Make sure that you are only trying to get the *. to match a single subdomain. See wildcard ssl on sub-subdomain
That is to say that *.example.com will match sub1.example.com and sub2.example.com, but it will not match sub2.sub1.example.com. Finally, you CANNOT request a certificate for *.*.example.com. In order to match that last case you would have to request *.sub1.example.com.
Figured it out.
The certificate was generated on the wrong region. Certificates that will be used on a CloudFront distribution must be generated on us-east-1 (Virginia).
In my case, I created an SSL certificate in us-east-1 (North Virginia) but I was still facing the issue. When I checked that certificate in ACM, it was only for subdomains; I forgot to add the root domain while requesting the certificate.
So whenever you want to use an ACM certificate, make sure that the SSL certificate is for the domain and the subdomains (if required).
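The wildcard rule spelled out in the two answers above (*.example.com covers one label only, never the root domain and never a sub-subdomain) and the "forgot the root domain" pitfall can be checked before touching the console. The following is an added example, not code from any of the posts: it implements the single-label wildcard match the answers describe and reports which CloudFront alternate domain names a given certificate's subject names would leave uncovered. The CNAMEs and certificate names in the sample are constructed, and the "root domain = two labels" heuristic in suggested_cert_names is an assumption that does not hold for registrable suffixes such as co.uk.

```python
"""Check ACM certificate name coverage for CloudFront alternate domain names.

Added example; not part of the original posts. Implements the single-label
wildcard rule: *.example.com matches sub1.example.com but neither example.com
nor sub2.sub1.example.com.
"""


def name_covers(cert_name: str, cname: str) -> bool:
    """True if one certificate subject name (plain or *.wildcard) covers cname."""
    cert_name = cert_name.lower().rstrip(".")
    cname = cname.lower().rstrip(".")
    if cert_name == cname:
        return True                      # exact match, incl. wildcard CNAME vs wildcard cert
    if not cert_name.startswith("*."):
        return False                     # plain name only matches itself
    suffix = cert_name[2:]               # "*.example.com" -> "example.com"
    if not cname.endswith("." + suffix):
        return False                     # root domain or unrelated name
    label = cname[: -len(suffix) - 1]    # the part that the '*' must stand for
    # the '*' may replace exactly one non-empty label, never "foo.bar"
    return bool(label) and "." not in label and "*" not in label


def uncovered_cnames(cert_names, cnames):
    """Return the CNAMEs that none of the certificate's names cover."""
    return [c for c in cnames if not any(name_covers(n, c) for n in cert_names)]


def suggested_cert_names(cnames):
    """Minimal set of names to request so that every CNAME is covered.

    Assumption: a two-label name (example.com) is the root domain and is
    requested literally; any deeper name is covered by a one-level wildcard
    on its parent (a.b.example.com -> *.b.example.com).
    """
    names = set()
    for c in cnames:
        c = c.lower().rstrip(".")
        labels = c.split(".")
        if c.startswith("*.") or len(labels) <= 2:
            names.add(c)
        else:
            names.add("*." + ".".join(labels[1:]))
    return sorted(names)


# Constructed sample: the certificate from the "*.example.com only" scenario.
SAMPLE_CERT_NAMES = ["*.example.com"]
SAMPLE_CNAMES = ["staging.example.com", "foo.bar.example.com", "example.com"]

if __name__ == "__main__":
    missing = uncovered_cnames(SAMPLE_CERT_NAMES, SAMPLE_CNAMES)
    print("uncovered:", missing)
    print("request these names instead:", suggested_cert_names(SAMPLE_CNAMES))
```

Run it against the CNAMEs you plan to put on the distribution and the DomainName plus SubjectAlternativeNames of the ACM certificate; an empty "uncovered" list is the condition CloudFront's "doesn't cover the alternate domain name" error is complaining about.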
If you are using serverless, try adding certificateArn to the component inputs in the serverless.yml file:
your-app:
  component: "@sls-next/serverless-component@latest"
  inputs:
    domain: ["app", "domain.com"] # [ sub-domain, domain ]
    certificateArn: "arn:aws:acm:us-east-1:<id>"
Reference: https://github.com/serverless-nextjs/serverless-next.js/issues/821

How do you configure AWS cloudfront to use SSL?

We are using cloudfront to serve images with a custom domain.
http://images.example.com/fubar.png
We want to be able to access them with SSL, eg https://images.example.com/fubar.png
We have a wildcard SSL certificate (issued from Godaddy) for *.example.com and I used the AWS Certificate Manager to upload the certificate, private key, and keychain. The upload appears to have been successful as *.example.com appears to be issued (according to the Certificate Manager).
How do I "apply" this wildcard SSL to images.example.com? If I visit CloudFront Distributions and edit the General settings to select Custom SSL Certificate I can see my *.example.com wildcard SSL. But when I try to click the Yes, Edit button I get the following error message:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: ffffffff-ffff-ffff-ffff-ffffffffffff)
What steps do I need to take to allow me to apply this wildcard SSL cert to my CloudFront images with a custom DNS name?
Cannot say for sure, but typically with issues like this your certificate chain is incorrect. You’ll need to check the certificate authority’s instructions for creating the chain (e.g. what intermediate certificates does it need).
I got the same error, and finally found out it's the maximum size of the public key in an SSL/TLS certificate that is the issue.
AWS CloudFront only supports 2048-bit keys, although Certificate Manager allows you to import 4096-bit keys.
Please refer to:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-size-of-public-key.html
Especially this one: step by step
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-format

AWS CloudFront Custom SSL Certificate disabled

I have seen many posts on this topic, but I have not been able to resolve the issue, so I am posting my setup in case anyone knows what needs to be changed.
I have a domain purchased through Namecheap. I have set custom DNS and added 4 name servers generated by the hosted zone in AWS Route 53. DNS lookup through whois.net shows the correct values.
In Route 53, I have added an A record to the Alias Target xxxxxxxxxxxxxx.cloudfront.net. So the traffic hits Route 53 and goes to CloudFront.
In CloudFront, I have one distribution. As Alternate Domain Names (CNAMEs), I have the following values:
*.domain.com
www.domain.com
domain.com
Under origins, I have one record with the following Origin Domain Name:
domain.com.s3-website.az-name-1.amazonaws.com
I am hosting the website in an S3 bucket. All HTTP requests are set to redirect to HTTPS.
Lastly, I have created and verified a single certificate for the following domain names: domain.com, www.domain.com, *.domain.com
I have read some answers saying that I should just wait and the custom SSL certificate option will become enabled. It's been more than a day now, however, and there is no sign of that happening.
My website works, but the misconfigured certificate (using the default *.cloudfront.net) throws a warning popup in Safari, and worse, a warning page in Chrome which most people are not going to bypass.
To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.
http://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
CloudFront is not a regional service like most of the others. It's a global service with a single home region -- us-east-1. It can't see ACM certificates in any other region (you'd create certificates in other regions if you wanted to use them with Elastic Beanstalk or Elastic/Application Load Balancers).
From the description of what you observe, you didn't create the ACM certificate in us-east-1.
Create a new cert in us-east-1, and the option to use it should become available almost immediately in CloudFront.
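The three metadata problems raised on this page (certificate not in us-east-1, certificate not yet issued, and an imported key larger than CloudFront accepts, as described in the 4096-bit answer above) can all be read off the certificate record before the distribution update is attempted. The following is an added example, not code from the posts or from AWS: it takes a dict shaped like the Certificate object that ACM's DescribeCertificate API returns (fields CertificateArn, Status and KeyAlgorithm, which that API does provide) and lists the findings that would lead to an InvalidViewerCertificate error. The sample records, account id and certificate id are constructed; the accepted key-algorithm set is taken from the answer above and should be adjusted to whatever the CloudFront documentation currently allows.

```python
"""Pre-flight checks on ACM certificate metadata for CloudFront.

Added example; not part of the original posts. The input dict mirrors the
'Certificate' object of ACM DescribeCertificate; all sample values below are
constructed.
"""

CLOUDFRONT_REGION = "us-east-1"          # CloudFront's single home region
ALLOWED_KEY_ALGORITHMS = {"RSA_2048"}    # per the page; extend per current AWS docs


def arn_region(arn: str) -> str:
    """Extract the region field from an ACM certificate ARN.

    Format: arn:partition:acm:region:account:certificate/id
    """
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "acm":
        raise ValueError(f"not an ACM certificate ARN: {arn!r}")
    return parts[3]


def cloudfront_cert_findings(cert: dict) -> list:
    """Return human-readable findings; an empty list means no known blocker."""
    findings = []
    region = arn_region(cert["CertificateArn"])
    if region != CLOUDFRONT_REGION:
        findings.append(
            f"certificate lives in {region}; CloudFront only sees ACM "
            f"certificates in {CLOUDFRONT_REGION}"
        )
    status = cert.get("Status")
    if status != "ISSUED":
        findings.append(f"certificate status is {status}, not ISSUED")
    # ACM spells the algorithm RSA-2048 in responses and RSA_2048 in request
    # parameters; normalise before comparing.
    alg = str(cert.get("KeyAlgorithm", "")).replace("-", "_").upper()
    if alg not in ALLOWED_KEY_ALGORITHMS:
        findings.append(f"key algorithm {alg or 'unknown'} is not accepted by CloudFront")
    return findings


# Constructed sample records (account id and certificate id are placeholders).
_ARN = "arn:aws:acm:{region}:123456789012:certificate/00000000-0000-0000-0000-000000000000"
SAMPLE_OK = {"CertificateArn": _ARN.format(region="us-east-1"),
             "Status": "ISSUED", "KeyAlgorithm": "RSA-2048"}
SAMPLE_WRONG_REGION = {"CertificateArn": _ARN.format(region="eu-west-1"),
                       "Status": "ISSUED", "KeyAlgorithm": "RSA-2048"}
SAMPLE_BIG_KEY = {"CertificateArn": _ARN.format(region="us-east-1"),
                  "Status": "ISSUED", "KeyAlgorithm": "RSA-4096"}
SAMPLE_PENDING = {"CertificateArn": _ARN.format(region="us-east-1"),
                  "Status": "PENDING_VALIDATION", "KeyAlgorithm": "RSA-2048"}

if __name__ == "__main__":
    for label, cert in [("ok", SAMPLE_OK), ("wrong region", SAMPLE_WRONG_REGION),
                        ("4096-bit key", SAMPLE_BIG_KEY), ("pending", SAMPLE_PENDING)]:
        print(f"{label}: {cloudfront_cert_findings(cert) or 'no findings'}")
```

In practice the record comes from boto3's ACM client created for us-east-1 (describe_certificate(CertificateArn=...)["Certificate"]); if the call itself fails with a not-found error while the console shows the certificate, you are almost certainly looking at the certificate in another region, which is exactly the situation the answer above describes.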