I'm trying to set my domain name to my website.
I went to set CNAMEs to my domain name example.com at AWS CloudFront, when I try to save the edit I'm given the following error by AWS.
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: e30a1b51-b467-4128-a88c-e758bb99f0dc)
Yes, I'm aware of Amazon CloudFront enhances the security. Which is why I have created Certificate Manager # N.Virgina for the domains I wanted (it's currently in Issued status)
However both the RadioButton and TextField are always in disabled mode, I never get to choose my Certificate. If I tap into Request or Import a certificate with ACM, it always bring me back to the same webpage for Request a certificate
What's my mistake here?
Unbelievable solution. I basically just need to re-login my AWS, both the option (RadioButton and TextField) is actually enabled.
Related
I am trying to create a Cloudfront distribution for a subdomain, e.g. dev.example.com. However, after adding the details for the objects origin and I enter the alternate domain names (CNAMES) section and add: dev.example.com I get the following error when I click on create distribution:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: fb305ccd-21e7-4bf8-a55c-df1304c06ac1; Proxy: null)
I am managing my domian dns through Route 53. I've created a certificate through ACM already, but the option to select a custom SSL certificate is greyed out. I've gone through the AWS Docs and couldn't find any solution so far.
This error indicates that the certificate that is attempting to be used is incorrect.
Your ACM certificate must be created in us-east-1 for a CloudFront distribution. The reason for this is that CloudFront is a global service, global services can only attach regional services that exist within us-east-1. They also will appear in CloudWatch and CloudTrail under the region of us-east-1.
It must also cover the domain you're using. In your case either dev.example.com or *.example.com must be included on your certificate.
You Have to Create the ACM certificate in us-east-1 . Did you ?
I am trying to connect CloudFlare to API Gateway
Steps followed are:
Generated certificate in Cloudflare
Imported certificate in certificate manager in AWS
Made Full Strict in Cloudflare
in API gateway, for custom domain, I gave the domain name. Selected edge optimized and selected my certificate I imported. I am getting following error
The certificate that is attached to your distribution was not issued by a trusted Certificate Authority.
For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate;
The mistake I was doing was, I was importing the certificate to the Certificate Manager. I used the .pem encoded string and imported.
What worked for me was instead of importing, I went through the " Request for certificate" process. This can be approved via DNS modification or through email approval(faster way).
The change I observed was, "Request for certificate" is AWS issued and the former is not.
Using this I generated Edge optimized custom domain which gave me a cloud front URL.
I used this to link with CNAME in my Cloudflare DNS
In the Cert Manager I have a valid certificate, which includes the *.example.com domain.
In CloudFront I have a distribution with HTTP to HTTPS redirect enabled and empty CNAME field.
When I edit the distribution and enter staging.example.com in the CNAME field and select the certificate I get the following error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 8406d8d5-65c3-11e9-afc0-65457a0a2bea)
Am I missing something? The other distribution for the top level domain is working fine with the same certificate.
Make sure that you are only trying to get the *. to match a single subdomain. See wildcard ssl on sub-subdomain
That is to say that *.example.com will match sub1.example.com and sub2.example.com, but it will not match sub2.sub1.example.com. Finally, you CANNOT request a certificate for *.*.example.com. In order to match that last case you would have to request *.sub1.example.com.
Figured it out.
The certificate was generated on the wrong region. Certificates that will be used on a CloudFront distribution must be generated on us-east-1 (Virginia).
In my case, I created an SSL in us-east-1 (North Virginia) but I was still facing the issue and when I checked that SSL in the ACM, it was only for subdomains I forgot to add a root domain while requesting the SSL.
So whenever you want to use an ACM make sure that the SSL certificate is for the domain and subdomains (if required).
If you are using serverless, try adding certificateArn as component inputs in the serverless.yml file
your-app:
component: "#sls-next/serverless-component#latest"
inputs:
domain: ["app", "domain.com"] # [ sub-domain, domain ]
certificateArn: "arn:aws:acm:us-east-1:<id>"
Reference : https://github.com/serverless-nextjs/serverless-next.js/issues/821
We are using cloudfront to serve images with a custom domain.
http://images.example.com/fubar.png
We want to be able to access them with SSL, eg https://images.example.com/fubar.png
We have a wildcard SSL certificate (issued from Godaddy) for *.example.com and I used the AWS Certificate Manager to upload the certificate, private key, and keychain. The upload appears to have been successful as *.example.com appears to be issued (according to the Certificate Manager).
How do I "apply" this wildcard SSL to images.example.com? If I visit CloudFront Distributions and edit the General settings to select Custom SSL Certificate I can see my *.example.com wildcard SSL. But when I try to click the Yes, Edit button I get the following error message:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: ffffffff-ffff-ffff-ffff-ffffffffffff)
What steps do I need to take to allow me to apply this Wldcard SSL cert to my cloudfront images with custom DNS name?
Cannot say for sure, but typically with issues like this your certificate chain is incorrect. You’ll need to check the certificate authority’s instructions for creating the chain (e.g. what intermediate certificates does it need).
I got the same error, and finally found out it's the the maximum size of the public key in an SSL/TLS certificate issue.
AWS CloudFront only support 2048 bits, although Certificate Manager allows you to import 4096 bit keys.
Please refer to:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-size-of-public-key.html
Especially this one: step by step
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-format
I deployed a react app to AWS recently after following this tutorial, everything is working fine except when I wanted to integrate a custom domain that I bought recently using AWS Route 53, I get an error (403).
For the integration of Route 53 with CloudFront I followed these steps in the docs as they are, I know that my problem is related to some sort of permission authority, but I don't know where exactly I did something wrong.
Solved, my problem was related to unassigned Alternate Domain Names (CNAMEs) for the CloudFront Distribution.
Adding additional information regarding the two answers above.
As described in How do I resolve the error "The request could not be satisfied. Bad Request" from Amazon CloudFront
:
This error message "The request could not be satisfied. Bad Request."
is from the client and the error can occur due to one of the following
reasons:
1) The request is initiated over HTTP, but the CloudFront distribution
is configured to allow only HTTPS requests.
2) The requested alternate domain name (CNAME) isn't associated with
the CloudFront distribution.
Solution for #1:
Open the Amazon CloudFront console -> Select the relevant distribution ->
Go Behaviors view -> Choose the behavior that matches the request and Edit ->
Then select in the Viewer Protocol Policy between the options of: HTTP and HTTPS or Redirect HTTP to HTTPS.
Solution for #2:
Since this release when you add an alternate domain name to a distribution, you must also attach a SSL/TLS certificate to that distribution that covers the alternate domain name.
So, first of all make sure that you do the following before you update your distribution to add an alternate domain name:
A) Register the domain name with domain provider (GoDadday, CloudFlare, Route 53 etc').
B) Add a certificate from an authorized certificate authority (for example - Let's Encrypt) to CloudFront that covers the domain name you plan to use with the distribution, to validate that you are authorized to use the domain.
(Read more in here).
And only then:
Open Amazon CloudFront console -> General view -> Edit -> Alternate Domain Names (CNAMEs) -> enter the CNAME that you want to associate with the CloudFront distribution (for example www or home).
Looks like you are trying http instead of https.
If you have enabled http, then it means the destination method or path cannot be reached.