Cloudfront certificate and hostname: can they be different? - amazon-web-services

I have a certificate in IAM, registered to the hostname azb.hostname.com.
Then I have 2 cloudfront distributions, with auto hostnames, something like d727.cloudfront.net and d838.cloudfront.net.
By default the certificate provided by cloudfront does not support TLSv1.1+ so I have to assign a custom certificate. I tried to use my certificate on one of them and...it works!
What I can't understand is why the cloudfront is still available on its default hostname *.cloudfront.net: shouldn't it have become azb.hostname.com?
And can I assign the same certificate to both of them? Will they keep working?

CloudFront will be available with *.cloudfront.net even though you have added your own cert and added your domain in the Alternate domain field; this is expected. If you don't want that, you probably need to add a WAF to read the Host header and, if it's d1234xxx.cloudfront.net, block it.
You can use IAM/Cert with multiple distributions, it will not cause any problem.
Also, accessing d123.cloudfront.net supports TLS 1.1 and TLS 1.2, and I think that recently you can also restrict the TLS version as well.

Related

HTTPS connections to cloudfront / S3 using godaddy domain

I'm following the serverless-stack guide and have a website hosted in an Amazon S3 bucket. I purchased a domain using GoDaddy and I have set up cloudfront to work with this bucket, then have used AWS certificate manager to generate SSL certificates for my domain (both www.my_domain.com and my_domain.com).
In GoDaddy I then configured DNS forwarding to point to my cloudfront resource.
This all works nicely, and if I go to my_domain.com in a browser then I see my website.
However, I can't get SSL working. If I go to the https:// version of my website then I see a "not secure" error in the Chrome address bar which shows a certificate pointing to shortener.secureserver.net rather than my own website.
Could someone point me at a way around this? Looking through S.E. and using Google it seems that Amazon's Route 53 might be able to help, but I can't figure out how to do this.
Thanks!
(edit) To make things more clear, this is what I see in Chrome if I connect to https://my_website.com or to https://www.my_website.com
The warning message:
The certificate details:
What I do not understand is why, after configuring an AWS certificate for my domain, I see a certificate for shortener.secureserver.com rather than a certificate for my_website.com.
GoDaddy has problems and does not redirect to HTTPS. There are two ways: the first is to change domain registrar, and the second is the easiest, which is: create a hosted zone on AWS Route 53 with your domain name.
Create 2 type A records, one for the root (of your domain) and one for www, that point to your CloudFront. Route 53 allows you to create a type A record without having an IP, because it directly points to a CloudFront instance that you indicate; that's the best.
Then GoDaddy gives you the option to change name servers; take the ones assigned by AWS in the hosted zone, in the record that says NS, and put those 4 in GoDaddy, replacing the ones that were there.
Note: SAVE THE NAME SERVERS THAT YOU HAVE IN GODADDY BEFORE REPLACING THEM; IN CASE YOU HAVE ANY PROBLEM, YOU CAN PUT THEM BACK AGAIN.
You have to wait at least a few hours until all the name servers are updated; you can use the who.is page to see if the DNS has already been updated with those of AWS.
It turns out that this is not possible with GoDaddy. If anyone else reading this has a similar problem, only current solution is to cancel your domain registration and register with someone else.
(edit) As #aavrug mentions in their comment, Amazon now have a guide for this.
When you define your CloudFront distribution you can define which protocol you want to use, and you can choose HTTPS only. In this case HTTP requests will be automatically redirected to HTTPS. Have in mind that CloudFront changes may take a while to be replicated and your browser caches them as well, so the best way is to make a change, wait for the deployment and then check it in a new incognito browser window.
It goes without saying that your certificate must be valid and verified as well.
It might be something wrong with your certificate or with your domain.
If you are serving your content over HTTPS you must provide an SSL certificate in CloudFront. Have you done that?
Have you added your domain under Alternate Domain Names (CNAMEs)?
Please have a look at the image below:
-> AWS provides free SSL certificates to be used with CloudFront, so you might want to use one (easier than importing your SSL certificate from GoDaddy).
You can create a free SSL certificate on AWS and easily attach it to your cloudfront distribution.
-> You can also transfer your domains to AWS Route53. It is easy to integrate with any AWS Service and easy to use/maintain :)
I wrote a complete guide on my blog telling how you can add Custom SSL and attach custom domain to Cloudfront distribution, it might be useful :)
https://lucasfsantos.com/posts/deploy-react-angular-cloudfront/

Why does my AWS cloudfront work, but not securely?

I set up AWS cloudfront to work as a CDN to host some files for my site.
When I use the cloudfront integration – it works in HTTP and HTTPS.
When I use the custom domain – it only works in HTTP.
So, using dummy examples, here's what I mean:
http://www.12345.cloudfront.net/file - Works fine
https://www.12345.cloudfront.net/file - Works fine
http://www.cdn.domainname.com/file - Works fine
https://www.cdn.domainname.com/file - Prompts an insecure site warning message in browsers
I created a custom domain SSL certificate within AWS for cdn.domainname.com, as I thought that would remedy the issue. And I added that to the CloudFront distribution, but this doesn't seem to have changed anything.
Custom SSL certificates for CloudFront have a different set of requirements than for ELB. You may need to issue a different certificate; also, it used to be that you had to import the certificate in US-East to use it in CloudFront, not sure if that's still the case.
See details here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-aws-region
and:
https://aws.amazon.com/premiumsupport/knowledge-center/custom-ssl-certificate-cloudfront/
UPDATE: I was able to fix this issue by adding both cdn.domainname.com and www.cdn.domainname.com to the SSL certificate.

Using a different SSL certificate for different domains in CloudFront distribution?

I have a CloudFront distribution which I'm using to serve static files (images etc) on my website. As of today it uses the default foo.cloudfront.net domain (with Amazon's free, built-in SSL certificate).
I want to switch this distribution over to a "real" domain that's part of my site (eg. media.mysite.com). As soon as I make this change in CloudFront (eg. switch from its Default CloudFront Certificate to my own *.mysite.com cert), will this break my existing files being served over https://foo.cloudfront.net?
If this is the case then I'll need to somehow switch all the image sources on my site over to the new domain at the same time as enabling the custom SSL certificate for the distribution, which will be tricky.
On the other hand, reading the docs suggests that CloudFront might be doing some work to determine which certificate to use:
CloudFront uses the IP address to identify your distribution and to determine which SSL/TLS certificate to return to the viewer.
... possibly?
Does anyone have any experience with this sort of changeover, or is there a better way to switch domains without having to change a non-trivial amount of URL references simultaneously?
If I understood the concern,
Your CloudFront URL https://foo.cloudfront.net will work after a switch to media.mysite.com.
All you need to do is add a CNAME from media.mysite.com to foo.cloudfront.net & define media.mysite.com as a CNAME in the CloudFront distribution settings. Also, add your custom SSL certificate to the distribution.
No, it won't break any of your contents until & unless you have hardcoded some dependency to the Cloudfront URL. Such as the requests Origin should be the Cloudfront URL etc.
CloudFront uses the IP address to identify your distribution and to determine which SSL/TLS certificate to return to the viewer.
Answer -
This happens only if you have opted for a Dedicated IP, which means you want to serve all the users including the clients which don't support SNI.
Below is what happens when you use SNI & not a dedicated IP -
When CloudFront receives the request, it finds the domain name in the request header and responds to the request with the applicable SSL/TLS certificate.
I guess you have not opted for a dedicated IP.
PS - I did this yesterday & it went smooth. It takes some time for Cloudfront deployment on Edge locations, be patient. Hope this helps!

AWS S3, CloudFront and SSL

I have tried setting up a static hosting solution for our web platform by using AWS S3 and CloudFront. It is required to use https, and it needs to be accessed via a custom subdomain.
This is my S3 bucket:
These are the settings for the CloudFront:
The certificate settings look ok to me:
And finally my DNS record is like this:
CNAME: "static" -> "d1fd407fp9coo4.cloudfront.net."
edit: using my default domain provider for DNS, not Route 53.
The aim is to have the resource available at static.dmaglobal.com/logo-frontpage.png via https. It loads fine without (http://static.dmaglobal.com/logo-frontpage.png), but the https-version (https://static.dmaglobal.com/logo-frontpage.png) gives an SSL-error stating the current certificate is for *.s3.eu-west-2.amazonaws.com instead of *.dmaglobal.com. I do not understand where this mismatch comes from, as it seems like the current certificate is correctly set up for our custom domain.
Anyone able to give some pointers on how to proceed from here with this issue?
As you have noticed your DNS record resolves to S3 still.
Instead of CNAME you should create an ALIAS record to Cloudfront distribution. In static record pick A type record, check Yes for Alias and pick the Cloudfront distribution on the dropdown.
The reason for this: ALIAS records are free of charge and they resolve faster.
To answer my own question: In the end, it was the proper CNAME value that had not propagated properly yet (as it was initially pointing to S3 before I was aware that CloudFront was required for SSL). As soon as it was, the settings in the OP worked perfectly.

Add multiple domains to aws cloudfront

I am trying to point both https://app.test1.com and https://app.test2.com to a aws cloudfront distribution.
Does anyone know how to do it? I am unable to figure out how to add both domains and also both the SSL certs to a single CloudFront distribution.
You can only attach one certificate to each CloudFront distribution. If multiple domains are what you want, you need a single certificate with all the desired hostnames listed as Subject Alternative Names. Many SSL CAs will sell you a cert like this, sometimes called multi-domain, SAN, or UC certificates. You can also get one from Amazon Certificate Manager.
You add additional hostnames to your distribution the same way you added the first one: configure alternate domain names. Simply using DNS CNAME records isn't enough, because CloudFront has to expect the hostname on the incoming request.
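Several of the threads above (the www.cdn.domainname.com fix, the *.s3.eu-west-2.amazonaws.com mismatch, the two-app SAN certificate) come down to one question: is every alternate domain name on the distribution covered by a SAN on the attached certificate? The following is an added example, not code from any of the posters or from AWS: it applies the wildcard matching rule a browser uses and lists the names a certificate leaves uncovered. The hostnames in CASES are constructed from the threads, and fetch_san_names is an assumed helper for a live SNI check that needs network access.

```python
"""Added example: check CloudFront alternate domain names against a cert's SANs."""
import socket
import ssl


def hostname_matches(san, hostname):
    """RFC 6125 matching: a wildcard is valid only as the whole leftmost label
    and matches exactly one label, so a SAN of *.domainname.com would not
    cover www.cdn.domainname.com."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    s_labels, h_labels = san.split("."), hostname.split(".")
    if s_labels[0] != "*" or len(s_labels) < 3:
        return False  # reject "foo*.example.com" and bare "*.com" patterns
    return len(s_labels) == len(h_labels) and s_labels[1:] == h_labels[1:]


def uncovered_names(alternate_domains, san_names):
    """Alternate domain names (CNAMEs) that no SAN on the certificate covers;
    any name listed here will produce a browser certificate warning."""
    return [d for d in alternate_domains
            if not any(hostname_matches(s, d) for s in san_names)]


def fetch_san_names(connect_host, sni_hostname, port=443):
    """Live check (needs network; not run by the sample below): connect to
    connect_host, send sni_hostname in the TLS ClientHello, and return the DNS
    SANs of the certificate picked for that name. check_hostname is disabled
    so a mismatched certificate is returned for inspection instead of aborting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((connect_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample values taken from the threads above; not real certificates.
CASES = {
    "wildcard covers one label": (["media.mysite.com"], ["*.mysite.com"]),
    "www name missing from cert": (["cdn.domainname.com", "www.cdn.domainname.com"],
                                   ["cdn.domainname.com"]),
    "S3 cert served for custom name": (["static.dmaglobal.com"],
                                       ["*.s3.eu-west-2.amazonaws.com"]),
    "SAN cert for two apps": (["app.test1.com", "app.test2.com"],
                              ["app.test1.com", "app.test2.com"]),
}

if __name__ == "__main__":
    for label, (domains, sans) in CASES.items():
        print(f"{label}: uncovered={uncovered_names(domains, sans)}")
```

Run it against a real distribution by calling fetch_san_names("dXXXX.cloudfront.net", "your.custom.name") and feeding the result to uncovered_names; an answer of *.s3.<region>.amazonaws.com or *.cloudfront.net means DNS or the alternate-domain setting, not the certificate, is the problem.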