My setup
EC2: app
Domain Registrar: namecheap
DNS: route 53
I use EC2 to host my app, AWS route 53 to direct the url, and cloudfront to fetch the static files for my app. Right now the cloudfront is using unfriendly domain *.cloudfront.net.
I am using certbot inside my EC2 to provide SSL connection.
When I tried to change cloudfront domain name, I use the Custom SSL Certificate generate by ACM (AWS certificate manager). And I encountered the error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 2d39c685-bf17-4d24-9c4b-82955daa878f; Proxy: null)
The ACM cert is generated in N.Virginia, which is fine since my EC2 is hosted there. I generated the cert using *.example.com and it is verified.
I am not sure how to fix that. Any advise?
This will be caused by an invalid domain name being used for the ACM certificate you have provisioned.
Because the ACM certificate generated is *.example.com only a 1 level deep subdomain can be used.
To explain this further:
www.example.com is a valid subdomain for the ACM certficate
foo.bar.example.com is not a valid subdomain for the ACM certficate
example.com is not valid for this ACM certficate as it is the root domain (and not referenced on the SSL).
Because it is generated in ACM, we can validate this certificate is compatiable as long as it meets the following conditions.
For the SSL to work for the root domain and subdomain it must contain both example.com and *.example.com to work correctly within CloudFront.
Related
I have a EC2 Instance in which I've installed an SSL certificate via LetsEncrypt
The Instance hosts a FastApi and Gunicorn which serves as server for a mobile app
There's an elastic IP attached to the EC2 instance
All inbounds and outbounds EC2 ports are opened
I have imported in the Certificate Manager (east-2 Virginia) the SSL certificate generated by LetsEncrypt
I have created an hosted zone in Route53 adding a domain (www.example.com) and creating the CAA (0 issue "letsencrypt.org") + changed the nameservers in godaddy as per the ones in the Route53 NS
I have created a CloudFront distribution having as origin the Public IPv4 DNS of the EC2 instance, redirecting HTTP to HTTPS, setting the Custom SSL certificate equal to the one uploaded in the Certificate Manager (LetsEncrypt) and in the Alternate domain name (CNAME) added the www.example.com
I have added in Route53, in the A record, the CloudFront Distribution domain name
Given these premises, in the EC2 instance there is not a landing html page (like hello world!) to be reached if the CloudFront Distribution domain name or the domain name is pinged.
However, If I ping it, I get the 502 error (502 ERROR The request could not be satisfied.
CloudFront wasn't able to connect to the origin. We can't connect to the server for this app or website at this time).
The domain was validated in the SSLlab without throwing errors except a "Chain issues Incorrect order, Extra certs" in the "Additional Certificates section" (not in the "Server Key and Certificate #1") and the X-Cache says: Error from CloudFront.
How can I fix the 502 error?
EDIT
I've posted the solution in the comment
The solution was to keep everything as above stated but:
remove the ssl certificate from the instance
generate a new ssl certificate in Certificate Manager from Amazon (this also implies creating records in Route 53 of the CNAME of the new certificate and selecting the new certificate in the Cloudfront distribution).
At the end the issue was a conflict between the two ssl certificates. Only one had to be kept.
I am trying to create a Cloudfront distribution for a subdomain, e.g. dev.example.com. However, after adding the details for the objects origin and I enter the alternate domain names (CNAMES) section and add: dev.example.com I get the following error when I click on create distribution:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: fb305ccd-21e7-4bf8-a55c-df1304c06ac1; Proxy: null)
I am managing my domian dns through Route 53. I've created a certificate through ACM already, but the option to select a custom SSL certificate is greyed out. I've gone through the AWS Docs and couldn't find any solution so far.
This error indicates that the certificate that is attempting to be used is incorrect.
Your ACM certificate must be created in us-east-1 for a CloudFront distribution. The reason for this is that CloudFront is a global service, global services can only attach regional services that exist within us-east-1. They also will appear in CloudWatch and CloudTrail under the region of us-east-1.
It must also cover the domain you're using. In your case either dev.example.com or *.example.com must be included on your certificate.
You Have to Create the ACM certificate in us-east-1 . Did you ?
I am trying to use cloudfront for static website s3 with my custom domain.
Following are the steps I followed:
1) Setup a s3 bucket (say, example.com) and enabled static website hosting on it.
2) Also setup a s3 bucket (www.example.com) which redirects to example.com.
3) In route 53, added a hosted zone (example.com) and added the record sets.
4) After this, http://example.com works for me.
Now I am trying to add cloudfront to it. I added the following steps:
5) From Amazon Certificate Manager, added a certificate for www.example.com and got it verified (added to Route 53 DNS, it was verified automatically after some time).
6) Created a cloudfront distribution with following settings:
Domain Origin: www.example.com
Origin Protocol Policy: HTTP Only
Alternate Domain Name: www.example.com
SSL Certificate: Selected from ACM
When I try to launch: https://example.com or https://www.example.com, the site doesn't load. http://example.com does load, but I am not sure if cloudfront is actually working on this or not. Also why is https not loading?
To setup the S3 bucket behind the CF distribution WITH SSL you need to:
Setup S3 bucket example.com (Block all public access = off, policy https://d.pr/i/KU1Q4z)
Create certificate in ACM issued at example.com and *.example.com(or specific subdomain at will), validate it
Create CF distribution
Set created CF alternate domain names to: example.com *.example.com (other subdomain here)
Use custom SSL certificate (previously created and validated)
Create/change default origin, to: example.com.s3-website-AWS_REGION.amazonaws.com with origin protocol policy HTTP Only
CF Default origin behaviour should be more-less like this: https://d.pr/i/h6PrG6
In Route 53 set CF A ALIAS for example.com and CNAME for *.example.com (or other subdomain) pointing at CF_DISTRIBUTION_ID.cloudfront.net
you need to go into rt 53 and point the domain at your cloudfront distribution. It won't appear as an option unless you've set the domain as an alternate domain in the distribution settings. Also, that cert won't work for anything except www.example.com, meaning example.com is excluded. you need a cert that includes example.com and www.example.com (or *.example.com to cover all subdomains)
In the Cert Manager I have a valid certificate, which includes the *.example.com domain.
In CloudFront I have a distribution with HTTP to HTTPS redirect enabled and empty CNAME field.
When I edit the distribution and enter staging.example.com in the CNAME field and select the certificate I get the following error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 8406d8d5-65c3-11e9-afc0-65457a0a2bea)
Am I missing something? The other distribution for the top level domain is working fine with the same certificate.
Make sure that you are only trying to get the *. to match a single subdomain. See wildcard ssl on sub-subdomain
That is to say that *.example.com will match sub1.example.com and sub2.example.com, but it will not match sub2.sub1.example.com. Finally, you CANNOT request a certificate for *.*.example.com. In order to match that last case you would have to request *.sub1.example.com.
Figured it out.
The certificate was generated on the wrong region. Certificates that will be used on a CloudFront distribution must be generated on us-east-1 (Virginia).
In my case, I created an SSL in us-east-1 (North Virginia) but I was still facing the issue and when I checked that SSL in the ACM, it was only for subdomains I forgot to add a root domain while requesting the SSL.
So whenever you want to use an ACM make sure that the SSL certificate is for the domain and subdomains (if required).
If you are using serverless, try adding certificateArn as component inputs in the serverless.yml file
your-app:
component: "#sls-next/serverless-component#latest"
inputs:
domain: ["app", "domain.com"] # [ sub-domain, domain ]
certificateArn: "arn:aws:acm:us-east-1:<id>"
Reference : https://github.com/serverless-nextjs/serverless-next.js/issues/821
We got a certificate from ACM for our domain say example.com. On the application load balancer I deployed this and created a HTTPS listener with forwarding to my target group. The target group is an EC2 instances in a ASG.
Now the issue is when I access my LB URL with HTTPS I get the SSL_ERROR_BAD_CERT_DOMAIN error with the description
XXXXXX.us-west-2.elb.amazonaws.com uses an invalid security certificate. The certificate is only valid for example.com
I now this is probably the expected behavior, but in this case, how do I apply a ACM certificate of my domain on the application load balancer?
Thanks,
You have created a certificate for a specific domain, say 'example.com'. But you are not using this domain when accessing the ALB. Since there is a mismatch between the domain/hostname you are using ('XXXXXX.us-west-2.elb.amazonaws.com') and the certificates domain ('example.com'), your HTTP client shows you an error.
Create a DNS entry
example.com CNAME XXXXXX.us-west-2.elb.amazonaws.com
and access the domain using example.comas a hostname.