Multiple certificates vs. multiple domain names in one - AWS Certificate Manager - amazon-web-services

I just started using the AWS certificate manager and I was curious to see if there was a difference between creating multiple certificates, for example:
One for: mydomain.com
Another for *.mydomain.com
Or if it would be better to make one domain that contains both:
mydomain.com
AND
*.mydomain.com
Thanks!

If you want to use a single ALB or CloudFront distribution, you will need to have these as a single certificate.
Ideally I would use the single certificate for all domains, as it is easier to manage.

Related

HTTPS connections to cloudfront / S3 using godaddy domain

I'm following the serverless-stack guide and have a website hosted in an Amazon S3 bucket. I purchased a domain using GoDaddy and I have set up cloudfront to work with this bucket, then have used AWS certificate manager to generate SSL certificates for my domain (both www.my_domain.com and my_domain.com).
In GoDaddy I then configured DNS forwarding to point to my cloudfront resource.
This all works nicely, and if I go to my_domain.com in a browser then I see my website.
However, I can't get SSL working. If I go to the https:// version of my website then I see a not secure error in the chrome address bar which shows a certificate pointing to shortener.secureserver.net rather than my own website.
Could someone point me at a way around this? Looking through S.E. and using google it seems that Amazon's route53 might be able to help, but I can't figure out how to do this.
Thanks!
(edit) To make things more clear, this is what I see in Chrome if I connect to https://my_website.com or to https://www.my_website.com
The warning message:
The certificate details:
What I do not understand is why, after configuring an AWS certificate for my domain, I see a certificate for shortner.secureserver.com rather than a certificate for my_website.com.
GoDaddy has problems and does not redirect to HTTPS. There are two ways: the first is to change domain registrar, and the second is the easiest, which is: create a hosted zone on AWS Route 53 with your domain name.
Create two type A records, one for the root (of your domain) and one for www, that point to your CloudFront. Route 53 allows you to create a type A record without having an IP, because it directly points to a CloudFront instance that you indicate; that's the best.
Then in GoDaddy you have the option to change name servers; take the ones assigned by AWS in the hosted zone, in the record that says NS, and put those 4 in GoDaddy, replacing the ones that were there.
Note: SAVE THE NAME SERVERS THAT YOU HAVE IN GODADDY BEFORE REPLACING THEM; IN CASE YOU HAVE ANY PROBLEM, YOU CAN PUT THEM BACK.
You have to wait at least a few hours until all the name servers are updated; you can use the who.is page to see if the DNS has already been updated with those of AWS.
It turns out that this is not possible with GoDaddy. If anyone else reading this has a similar problem, only current solution is to cancel your domain registration and register with someone else.
(edit) As #aavrug mentions in their comment, Amazon now have a guide for this.
When you define your CloudFront distribution you can define what you want to use, and you can choose HTTPS only. In this case HTTP requests will be automatically redirected to HTTPS. Have in mind that CloudFront changes may take a while to be replicated and your browser caches it as well, so the best way is to make a change, wait for the deployment and then check it in a new incognito browser.
It goes without saying that your certificate must be valid and verified as well.
It might be something wrong with your certificate or with your domain.
If you are serving your content over HTTPS you must provide an SSL certificate in CloudFront. Have you done that?
Have you added your domain under Alternative Domain Names (CNAMEs)?
Please have a look at the image below:
-> AWS provides free SSL certificates to be used with CloudFront, so you might want to use one (easier than importing your SSL certificate from GoDaddy).
You can create a free SSL certificate on AWS and easily attach it to your cloudfront distribution.
-> You can also transfer your domains to AWS Route53. It is easy to integrate with any AWS Service and easy to use/maintain :)
I wrote a complete guide on my blog telling how you can add Custom SSL and attach custom domain to Cloudfront distribution, it might be useful :)
https://lucasfsantos.com/posts/deploy-react-angular-cloudfront/

Can I use AWS own ELB certificate for HTTPS/SSL connection?

I know that you can add your own certificate to the domain and point that domain to the AWS Elastic Load Balancer. In my case I don't have a domain, but would still like to use a secure HTTPS/SSL connection when talking client <-> backend. Is it possible to enable an HTTPS connection directly to the ELB, i.e. instead of using http://some-random-url-here.eu-west-1.elb.amazonaws.com I would like to use https://some-random-url-here.eu-west-1.elb.amazonaws.com
That would mean, that AWS would need to provide the cert for the *.elb.amazonaws.com domain. I remember at least long time ago this was possible, but maybe my memory does not serve me right?
Memory does not serve you right. This is not possible now and would not have been possible in the past. ELBs don't have, and it is not possible to obtain, a certificate like this (including from Amazon Certificate Manager).
In fact, 3rd party providers like Let's Encrypt also have protections to prevent you from obtaining certificates like this, since amazonaws.com is not your domain.
You will need a domain that you control.

AWS CloudFront custom sub domain TLS / SSL: "Not secure / certificate invalid"

I am looking for some advice as to how to most cost-efficiently set up SSL for a subdomain, e.g. https://images.example.com.
Images are hosted in AWS S3 and I have a cloudfront distribution pointing to that bucket.
I have purchased a single domain SSL cert from Comodo and successfully added it to my cloudfront distribution. That part was easy as pie.
However, when loading images on the subdomain I get a "Not secure / certificate invalid" in the browser bar.
Is this because I require a wildcard SSL cert?
I have not tested that the SSL cert works on the main domain. Reason being there is currently a production site that I don't want to interfere with.
Before I rush out and purchase a much more expensive wildcard SSL cert, I want to make sure it is required.
I have a single subdomain for image hosting. I don't expect to ever add more subdomains. What if I just purchase two single domain certs?
What are my options?
Try using ACM (https://aws.amazon.com/certificate-manager/ ) to issue an AWS-issued wildcard certificate for your domain and use that instead?
As to why your existing cert won't work - does it have the domain in the cert (e.g. images.domain.com) as either the primary domain or as a SAN? If not, it won't work.
If you don't want to use a wildcard, you can use an ACM cert (or a cert you purchase from somewhere else) and issue it for the subdomain only. You don't have to use a wildcard, but from a cost point of view, if you are purchasing them, it's often more cost-effective (although there are of course security concerns to consider). If you are using ACM, the certs are free, either domain-specific or wildcard.
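Added example, not from any of the posts above: a small standard-library Python checker that applies the browser name-matching rules (RFC 6125) to a certificate's Subject Alternative Names. It answers both the first question on this page (why `*.mydomain.com` alone does not cover `mydomain.com`, so you need both names on one certificate) and the question just above (whether `images.example.com` is covered by a single-domain cert). The sample certificate dicts are constructed here in the shape `ssl.SSLSocket.getpeercert()` returns; they are not real certificates. `fetch_peer_cert` is an optional live helper for diagnosing cases like the GoDaddy forwarder showing a `secureserver.net` certificate; it is an assumption that the server you point it at presents a chain your system trust store accepts.

```python
"""Does this certificate cover this hostname? (RFC 6125 style matching)

Added example, standard library only. The sample certs below are constructed
for illustration and are NOT real certificates.
"""
from __future__ import annotations

import socket
import ssl


def match_name(pattern: str, hostname: str) -> bool:
    """Match one certificate name (a dNSName SAN) against a hostname.

    Rules browsers apply (RFC 6125 section 6.4.3):
    - comparison is case-insensitive, trailing dots ignored
    - a wildcard is only honoured as the whole leftmost label ("*.example.com")
    - the wildcard matches exactly one label: "*.example.com" covers
      "images.example.com" but NOT "example.com" and NOT "a.b.example.com"
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # no wildcard: exact match only
    if "*" in pattern[2:]:
        return False                        # a second wildcard is never valid
    suffix = pattern[1:]                    # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]     # the part the "*" must stand for
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def cert_names(cert: dict) -> list[str]:
    """dNSName SANs from a getpeercert()-style dict.

    Browsers ignore the Common Name once any SAN is present; the CN is used
    here only as a last resort for very old certificates with no SAN at all.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName":
                return [value]
    return []


def covers(cert: dict, hostname: str) -> bool:
    """True if any name on the certificate matches the hostname."""
    return any(match_name(name, hostname) for name in cert_names(cert))


def coverage_report(cert: dict, hostnames: list[str]) -> dict[str, bool]:
    """Per-hostname verdict, handy for checking every alternate domain name
    you intend to put on one ALB listener or CloudFront distribution."""
    return {h: covers(cert, h) for h in hostnames}


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate a server presents for `hostname` (SNI is sent).

    Network call; not used by the offline checks below. Chain validation is
    kept on (getpeercert() returns {} when it is off), but hostname checking
    is disabled so a mismatched cert can be inspected instead of rejected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# --- constructed samples in getpeercert() shape (not real certificates) ---
WILDCARD_ONLY = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}
APEX_AND_WILDCARD = {
    "subject": ((("commonName", "mydomain.com"),),),
    "subjectAltName": (("DNS", "mydomain.com"), ("DNS", "*.mydomain.com")),
}
SINGLE_DOMAIN = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    hosts = ["mydomain.com", "www.mydomain.com", "a.b.mydomain.com"]
    print("wildcard only     :", coverage_report(WILDCARD_ONLY, hosts))
    print("apex + wildcard   :", coverage_report(APEX_AND_WILDCARD, hosts))
    print("single-domain cert:", coverage_report(SINGLE_DOMAIN, ["images.example.com"]))
```

The first report shows the root cause behind the first question: a wildcard-only certificate leaves the bare apex uncovered, and a cert for `example.com` + `www.example.com` leaves `images.example.com` uncovered, which is exactly the "Not secure / certificate invalid" symptom. To see what a misrouted host is actually serving (for example a registrar's forwarding endpoint instead of your CloudFront distribution), run `coverage_report(fetch_peer_cert("www.example.com"), ["www.example.com"])` and look at `cert_names()` of the result.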

how to add a domain to an existing SSL certificate on aws

I have an SSL certificate associated with a load balancer on Amazon Web Services. I would like to have an additional domain on that certificate. My questions are:
Is it possible to add an additional domain to an EXISTING ssl certificate on aws? I see that you can add additional names when you create one, but I don't see how to do it with an existing certificate.
If no to 1, is it possible to associate 2 certs with the load balancer? Or do I need to create a new one that includes both domains and replace the cert with the new one?
Thank you for your advice.
It is not possible to do either of these things.
Certificates can never be modified -- that would invalidate them.
Balancers cannot attach more than one certificate to a given listener, and can't have more than one listener on a port.
Your solution is to create a new certificate with all of the needed domain names, and swap them out.
Actually (as of Feb 12, 2019) you can request another certificate and then add it to your load balancer. I just did this myself. I had one certificate with 5 domains and I didn't want to have to create another just for one more. So I created the new certificate for the one domain and then added it (look for a plus sign). Easy, and it takes effect right away. Good luck.
AWS ELB/ALB support up to 25 certificates now. You can request new ACM certificates or upload your own certificates and use them with your load balancers.
As a work-around, you can create a new certificate in AWS Certificate Manager with all the same domains from an existing cert plus any new one needed. With DNS validation for both existing and new certs, all the existing domains successfully validate automatically on the new cert (unique DNS IDs kept for easy renewal). You just need to add the DNS validation records for any new domains, let it validate and then swap the cert (just tested with cert + CloudFront, haven't with an ELB).

Add multiple domains to aws cloudfront

I am trying to point both https://app.test1.com and https://app.test2.com to an AWS CloudFront distribution.
Does anyone know how to do it? I am unable to figure out how to add both domains and also both SSL certs to a single CloudFront distribution.
You can only attach one certificate to each CloudFront distribution. If multiple domains is what you want, you need a single certificate with all the desired hostnames listed as Subject Alternative Names. Many SSL CAs will sell you a cert like this, sometimes called multi-domain, SAN, or UC certificates. You can also get one from Amazon Certificate Manager.
You add additional hostnames to your distribution the same way you added the first one: configure alternate domain names. Simply using DNS CNAME records isn't enough, because CloudFront has to expect the hostname on the incoming request.