Route53 Secure Certificate - amazon-web-services

This domain is not secure. The .sunrise and www.sunrise load the website, but neither of them has a secure connection.
I have attached a certificate to the domain, and its entries are in the 2nd and 3rd rows from the top of this picture, and end with "validation.aws".
I think maybe some of these rows will seem obviously useless, and I can delete them. I can also delete the two certificate rows and reapply them from the certificate page. Does anything stick out as the problem?

This is likely down to one of the following:
The certificate does not cover the domain(s) that you're trying to use
The certificate has expired
Debug Steps
When you access it in the browser it should normally detail why the certificate is insecure.
Alternatively run the below command on your domain to get the full error.
curl -iv https://example.com
By running this command you'll get an error along the terms of the below.
curl: (60) SSL: no alternative certificate subject name matches target host name 'example.com'
Domain name not valid for certificate
You will need to ensure that the domain names that you included in the certificate match the domain you're trying to access in the browser.
From the console you can see the list of domains that are included on the certificate (including wildcard domains, e.g. *.example.com). If the domain(s) you're trying to use would not match the rulesets, you would need to generate a new SSL and then attach it to whichever resources are using it.
Certificate has expired
This will only occur if you're not using the ACM managed service, which auto-renews (you're using ACM, so this is not the cause). In addition, this is a new SSL, so it would not have expired (the lifetime is 13 months).

Related

NET::ERR_CERT_COMMON_NAME_INVALID: certificate is getting invalid when I am using multiple level subdomain

I have created a domain certificate on AWS. For example *.dev.example.com
Now I am trying to create an ingress controller with host a.foo.dev.example.com and b.bar.dev.example.com. But I am getting a certificate invalid issue (NET::ERR_CERT_COMMON_NAME_INVALID). When I am hitting any of the 2 links, the app is opening but not secure. How can I fix this issue?
P.S. I can create an application and it works with foo.dev.example.com and bar.dev.example.com.
You can't use a wildcard certificate to match more than one level deep. This is a universal restriction on wildcard certificates, not a limitation in Amazon Certificate Manager.
You would need a certificate supporting both *.foo.dev.example.com and *.bar.dev.example.com, or one certificate for each, if you want to use this naming convention.
You also can't obtain a certificate for *.*.dev.example.com, which looks like it might work, but it won't.

Old SSL certificate taking precedence over new certificate

I recently inherited a website and ran into an issue with an expired SSL certificate. After verifying the certificate with OpenSSL, I discovered that there are two certificates for the one domain:
A manually created Let's Encrypt cert (expired)
A cert served by AWS's Certificate Manager (working)
The OpenSSL check points to the working cert when www. is at the beginning of the URL, but if the www. is removed the check points to the expired cert. The weird issue is that the AWS cert is a wildcard cert for the domain, and does not contain a www. in it.
How can I resolve this issue to just have users directed to the correct SSL cert? I attempted to locate the actual cert file in the server in an attempt to remove it, but I couldn't find it in any of the usual places.

AWS Cloudfront custom sub domain TLS / SSL: "Not secure / certificate invalid"

I am looking for some advice as to how to most cost-efficiently set up SSL for a subdomain, e.g. https://images.example.com.
Images are hosted in AWS S3 and I have a cloudfront distribution pointing to that bucket.
I have purchased a single domain SSL cert from Comodo and successfully added it to my cloudfront distribution. That part was easy as pie.
However, when loading images on the subdomain I get a "Not secure / certificate invalid" in the browser bar.
Is this because I require a wildcard SSL cert?
I have not tested that the SSL cert works on the main domain. Reason being there is currently a production site that I don't want to interfere with.
Before I rush out and purchase a much more expensive wildcard SSL cert, I want to make sure it is required.
I have a single subdomain for image hosting. I don't expect to ever add more subdomains. What if I just purchase two single domain certs?
What are my options?
Try using ACM (https://aws.amazon.com/certificate-manager/ ) to issue an AWS issued wildcard certificate for your domain and use that instead?
As to why your existing cert won't work - does it have the domain in the cert (eg images.domain.com) as either the primary domain or as a SAN? If not, it won't work.
If you don't want to use a wildcard, you can use an ACM cert (or a cert you purchase from somewhere else) and issue it for the subdomain only. You don't have to use a wildcard, but from a cost point of view, if you are purchasing them, it's often more cost-effective (although there are of course security concerns to consider). If you are using ACM, the certs are free, either domain-specific or wildcard.

How do you configure AWS cloudfront to use SSL?

We are using cloudfront to serve images with a custom domain.
http://images.example.com/fubar.png
We want to be able to access them with SSL, eg https://images.example.com/fubar.png
We have a wildcard SSL certificate (issued from Godaddy) for *.example.com and I used the AWS Certificate Manager to upload the certificate, private key, and keychain. The upload appears to have been successful as *.example.com appears to be issued (according to the Certificate Manager).
How do I "apply" this wildcard SSL to images.example.com? If I visit CloudFront Distributions and edit the General settings to select Custom SSL Certificate I can see my *.example.com wildcard SSL. But when I try to click the Yes, Edit button I get the following error message:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: ffffffff-ffff-ffff-ffff-ffffffffffff)
What steps do I need to take to allow me to apply this wildcard SSL cert to my cloudfront images with custom DNS name?
Cannot say for sure, but typically with issues like this your certificate chain is incorrect. You’ll need to check the certificate authority’s instructions for creating the chain (e.g. what intermediate certificates does it need).
I got the same error, and finally found out it's the maximum size of the public key in an SSL/TLS certificate issue.
AWS CloudFront only supports 2048 bits, although Certificate Manager allows you to import 4096 bit keys.
Please refer to:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-size-of-public-key.html
Especially this one: step by step
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-format

AWS ACM wildcard ssl certificate not working on domain

I created an SSL certificate for my site using Amazon Certificate Manager. The certificate is for *.example.com. I have then attached this certificate to my ELB and have left the instance protocol as http. So the SSL chain is only between the client and the ELB.
I have two A records in Route53, one for example.com and one for www.example.com. Both of these are aliased to the ELB. When I do https://www.example.com it works perfectly. But when I do https://example.com I get the following error in Firefox:
"example.com uses an invalid security certificate. The certificate is only valid for *.example.com Error code: SSL_ERROR_BAD_CERT_DOMAIN"
Shouldn't the certificate *.example.com work for the address example.com? Am I missing something?
EDIT May 31, 2016
Thank you to Steffen Ullrich for setting me on the right track. The problem is when using the AWS Certificate Manager (ACM) in the console (web browser) there is no option to add the alternative names. For those having the same problem you need to use CLI (command line interface). A quick web search for "Install AWS CLI" will give you all the information you need to complete the installation. Once CLI is installed then you can run the ACM commands. Here is a link to the documentation:
http://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html
The command I used was:
aws acm request-certificate --domain-name www.example.com --subject-alternative-names example.com
Once the request was approved I was able to see the SSL certificate in the ACM web interface. I installed it and everything is working like a charm now!
A certificate for *.example.com matches whatever.example.com but not example.com only. This is because the * must match a label and example.com has no label in place of the *. If you want to match both whatever.example.com and example.com you need to create a certificate which has as subject alternative names both *.example.com and example.com.
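The two wildcard rules given in the answers above (a wildcard never matches the bare domain, and never matches more than one label) as a small checker. This is an added example, not code from the page or from AWS; the domain names are the page's own examples and the function names are mine.

```python
"""Constructed example: hostname-vs-certificate matching as browsers do it.
The '*' in a wildcard name stands for exactly one DNS label: it never matches
zero labels (so '*.example.com' does not cover 'example.com') and never more
than one (so '*.dev.example.com' does not cover 'a.foo.dev.example.com')."""
import re

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    """Comparison is case-insensitive and ignores a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_valid_cert_name(name: str) -> bool:
    """A dNSName is usable if every label is a plain DNS label, except that
    the leftmost label may be exactly '*'. '*.*.dev.example.com' is rejected."""
    labels = _normalize(name).split(".")
    if len(labels) < 2:
        return False
    head, rest = labels[0], labels[1:]
    return (head == "*" or bool(_LABEL.match(head))) and all(
        _LABEL.match(lbl) for lbl in rest)


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (plain or wildcard) covers hostname."""
    if not is_valid_cert_name(cert_name):
        return False
    host, pattern = _normalize(hostname), _normalize(cert_name)
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # e.g. '.dev.example.com'
    if not host.endswith(suffix):
        return False
    leading = host[:-len(suffix)]        # what the '*' would have to absorb
    # The wildcard absorbs exactly one non-empty label: no dots, not empty.
    return bool(leading) and "." not in leading


def cert_covers(cert_names, hostname: str) -> bool:
    """Does any name on the certificate (CN plus every SAN) cover hostname?"""
    return any(name_matches(n, hostname) for n in cert_names)


if __name__ == "__main__":
    # Domains are the page's own example names; the verdicts mirror the answers.
    print(cert_covers(["*.example.com"], "example.com"))                # False
    print(cert_covers(["*.example.com", "example.com"], "example.com"))  # True
    print(cert_covers(["*.dev.example.com"], "a.foo.dev.example.com"))  # False
    print(cert_covers(["*.dev.example.com"], "foo.dev.example.com"))    # True
    print(is_valid_cert_name("*.*.dev.example.com"))                    # False
```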
When requesting a new certificate via the console, you can now add both *.domain.com and www.domain.com. Before hitting Next, in the next box, make sure you request to add another domain to the certificate.