In the Cert Manager I have a valid certificate, which includes the *.example.com domain.
In CloudFront I have a distribution with HTTP to HTTPS redirect enabled and empty CNAME field.
When I edit the distribution and enter staging.example.com in the CNAME field and select the certificate I get the following error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 8406d8d5-65c3-11e9-afc0-65457a0a2bea)
Am I missing something? The other distribution for the top level domain is working fine with the same certificate.
Make sure that you are only trying to get the *. to match a single subdomain. See wildcard ssl on sub-subdomain
That is to say that *.example.com will match sub1.example.com and sub2.example.com, but it will not match sub2.sub1.example.com. Finally, you CANNOT request a certificate for *.*.example.com. In order to match that last case you would have to request *.sub1.example.com.
Figured it out.
The certificate was generated on the wrong region. Certificates that will be used on a CloudFront distribution must be generated on us-east-1 (Virginia).
In my case, I created an SSL in us-east-1 (North Virginia) but I was still facing the issue and when I checked that SSL in the ACM, it was only for subdomains I forgot to add a root domain while requesting the SSL.
So whenever you want to use an ACM make sure that the SSL certificate is for the domain and subdomains (if required).
If you are using serverless, try adding certificateArn as component inputs in the serverless.yml file
your-app:
component: "#sls-next/serverless-component#latest"
inputs:
domain: ["app", "domain.com"] # [ sub-domain, domain ]
certificateArn: "arn:aws:acm:us-east-1:<id>"
Reference : https://github.com/serverless-nextjs/serverless-next.js/issues/821
Related
I am trying to create a Cloudfront distribution for a subdomain, e.g. dev.example.com. However, after adding the details for the objects origin and I enter the alternate domain names (CNAMES) section and add: dev.example.com I get the following error when I click on create distribution:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: fb305ccd-21e7-4bf8-a55c-df1304c06ac1; Proxy: null)
I am managing my domian dns through Route 53. I've created a certificate through ACM already, but the option to select a custom SSL certificate is greyed out. I've gone through the AWS Docs and couldn't find any solution so far.
This error indicates that the certificate that is attempting to be used is incorrect.
Your ACM certificate must be created in us-east-1 for a CloudFront distribution. The reason for this is that CloudFront is a global service, global services can only attach regional services that exist within us-east-1. They also will appear in CloudWatch and CloudTrail under the region of us-east-1.
It must also cover the domain you're using. In your case either dev.example.com or *.example.com must be included on your certificate.
You Have to Create the ACM certificate in us-east-1 . Did you ?
My setup
EC2: app
Domain Registrar: namecheap
DNS: route 53
I use EC2 to host my app, AWS route 53 to direct the url, and cloudfront to fetch the static files for my app. Right now the cloudfront is using unfriendly domain *.cloudfront.net.
I am using certbot inside my EC2 to provide SSL connection.
When I tried to change cloudfront domain name, I use the Custom SSL Certificate generate by ACM (AWS certificate manager). And I encountered the error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 2d39c685-bf17-4d24-9c4b-82955daa878f; Proxy: null)
The ACM cert is generated in N.Virginia, which is fine since my EC2 is hosted there. I generated the cert using *.example.com and it is verified.
I am not sure how to fix that. Any advise?
This will be caused by an invalid domain name being used for the ACM certificate you have provisioned.
Because the ACM certificate generated is *.example.com only a 1 level deep subdomain can be used.
To explain this further:
www.example.com is a valid subdomain for the ACM certficate
foo.bar.example.com is not a valid subdomain for the ACM certficate
example.com is not valid for this ACM certficate as it is the root domain (and not referenced on the SSL).
Because it is generated in ACM, we can validate this certificate is compatiable as long as it meets the following conditions.
For the SSL to work for the root domain and subdomain it must contain both example.com and *.example.com to work correctly within CloudFront.
I'm trying to set my domain name to my website.
I went to set CNAMEs to my domain name example.com at AWS CloudFront, when I try to save the edit I'm given the following error by AWS.
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: e30a1b51-b467-4128-a88c-e758bb99f0dc)
Yes, I'm aware of Amazon CloudFront enhances the security. Which is why I have created Certificate Manager # N.Virgina for the domains I wanted (it's currently in Issued status)
However both the RadioButton and TextField are always in disabled mode, I never get to choose my Certificate. If I tap into Request or Import a certificate with ACM, it always bring me back to the same webpage for Request a certificate
What's my mistake here?
Unbelievable solution. I basically just need to re-login my AWS, both the option (RadioButton and TextField) is actually enabled.
We are using cloudfront to serve images with a custom domain.
http://images.example.com/fubar.png
We want to be able to access them with SSL, eg https://images.example.com/fubar.png
We have a wildcard SSL certificate (issued from Godaddy) for *.example.com and I used the AWS Certificate Manager to upload the certificate, private key, and keychain. The upload appears to have been successful as *.example.com appears to be issued (according to the Certificate Manager).
How do I "apply" this wildcard SSL to images.example.com? If I visit CloudFront Distributions and edit the General settings to select Custom SSL Certificate I can see my *.example.com wildcard SSL. But when I try to click the Yes, Edit button I get the following error message:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: ffffffff-ffff-ffff-ffff-ffffffffffff)
What steps do I need to take to allow me to apply this Wldcard SSL cert to my cloudfront images with custom DNS name?
Cannot say for sure, but typically with issues like this your certificate chain is incorrect. You’ll need to check the certificate authority’s instructions for creating the chain (e.g. what intermediate certificates does it need).
I got the same error, and finally found out it's the the maximum size of the public key in an SSL/TLS certificate issue.
AWS CloudFront only support 2048 bits, although Certificate Manager allows you to import 4096 bit keys.
Please refer to:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-size-of-public-key.html
Especially this one: step by step
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-format
I created a SSL certificate for my site using Amazon Certificate Manager. The certificate is for *.example.com. I have then attached this certificate to my ELB and have left the instance protocol as http. So SSL chain is only between the client and ELB.
I have two A records in Route53. One for example.com one for www.example.com. Both of these are aliased to ELB. When I do https://www.example.com it works perfect. But when I do https://example.com I get the following error in FireFox:
"example.com uses an invalid security certificate. The certificate is only valid for *.example.com Error code: SSL_ERROR_BAD_CERT_DOMAIN"
Shouldn't the certificate *.example.com work for the address example.com? Am I missing something?
EDIT May 31, 2016
Thank you to Steffen Ullrich for setting me on the right track. The problem is when using the AWS Certificate Manager (ACM) in the console (web browser) there is no option to add the alternative names. For those having the same problem you need to use CLI (command line interface). A quick web search for "Install AWS CLI" will give you all the information you need to complete the installation. Once CLI is installed then you can run the ACM commands. Here is a link to the documentation:
http://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html
The command I used was:
aws acm request-certificate --domain-name www.example.com --subject-alternative-names example.com
Once the request was approved I was able to see the SSL certificate in the ACM web interface. I installed it and everything working like a charm now!
A certificate for *.example.com matches whatever.example.com but not example.com only. This is because the * must match a label and example.com has no label in place of the *. If you want to match both whatever.example.com and example.com you need to create a certificate which has as subject alternative names both *.example.com and example.com.
When requesting a new certificate via the console, you can now add both *.domain.com and www.domain.com, before hitting next, in the next box, make sure you request to add another domain to the certificate.