I'm creating a CloudFront distribution for an S3 bucket. I successfully created it and mapped the DNS. Now I want to use HTTPS for the DNS.
I created a cert via ACM. But the cert is not appearing in the CloudFront Custom SSL page.
Any ideas why?
I was able to accomplish the task; however, this is not the answer to the question.
I pasted the certificate ARN into the Custom SSL field and updated the CloudFront distribution. This way I was able to add SSL to my custom domain. However, my certificate still does not appear in the drop-down menu.
Please verify whether the certificate was created in the us-east-1 region. CloudFront can use certificates that are created in that specific region.
As part of my infrastructure I need to upload a certificate to ACM from my own certificate authority. Uploading it using the aws acm import-certificate command works fine; the main difference between this cert and the Amazon-issued ones that are already there is that it doesn't have a value for the domain name field.
The problem comes when I want to list the certificates in ACM to check whether the certificate I uploaded is present at a later time. When I run aws acm list-certificates, the cert I uploaded is not present in the result.
From the docs:
Default filtering returns only RSA_1024 and RSA_2048 certificates that have at least one domain.
My cert is RSA_2048. Therefore, I think that when I use aws acm list-certificates that the certificate I uploaded is being filtered out of the result as it does not have a domain name.
Having read through the linked documentation page a couple of times now, I can't see a way to configure the filtering not to filter on the domain name field.
Is it possible to get list-certificates to return a certificate where the certificate doesn't have a domain name?
I am very new to this and struggling to understand AWS.
I had a single domain foo.mydomain.com. This was registered in Route53. And there was a certificate in AWS Certificate Manager that mapped to it.
Now I have two domains, foo.mydomain.com and bar.mydomain.com. I have registered the latter in Route53. And I have requested and received a new certificate from AWS Certificate Manager. This one maps to both domains (via the "additional names" property).
How can I simply disable the old certificate and enable the new certificate?
I want the values for "In use?" above to be swapped.
You need to go to the services where you are utilizing these certificates (Load Balancers, CloudFront distributions or API Gateways) and change the certificate they are using there.
AWS Certificate Manager manages the SSL/TLS certificates. In general, certificates are configured and consumed by services like ALB (Application Load Balancer), API Gateway, virtual machines, CloudFront etc. If you would like to update the certificate, modify the configuration on whichever of the above services applies in your case. While changing the configuration you have to choose the right certificate from ACM. Once the update is successful you will see the status in ACM.
Here is the AWS documentation explaining how to install/update SSL certificates:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html
I had imported an SSL certificate into AWS a long time ago. It is currently installed on the ELB, and it is going to expire in 15 days. I am trying to get AWS to issue a new certificate but it is stuck waiting for validation:
Currently Route53 is pointing to the ELB. If I enter "https://eyecloud.net.au" it works fine.
Now, I tried to create a CloudFront distribution, so that I can redirect HTTP to HTTPS. But the imported SSL certificate does not show up:
I deleted the ELB, and the imported certificate is no longer in use, but it still doesn't show up in CloudFront.
There is no problem using a certificate with multiple endpoints, whether they're ELBs, ALBs, or CloudFront distributions.
However, if you want to use an ACM cert for CloudFront, the cert must be issued in us-east-1.
Note
To use an ACM Certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region.
http://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
I had a case where I already had an SSL certificate selected, and when I clicked on the dropdown it only showed the selected one.
Turns out that Amazon doesn't like UX, because it is not a normal dropdown; it is a "searchable" dropdown. Meaning if you have a certificate selected, it will only show that specific certificate, because it is also searching for it in the dropdown.
Clicking on it and deleting the name reveals the rest of the certificates.
See the examples below (screenshots not reproduced; captions: "UX.", "Where are my certificates?", "Oh...").
My problem was that I had generated a 4096-bit certificate, but CloudFront only allows 2048-bit certificates.
CloudFront [...] with ACM support a maximum of 2048-bit RSA certificates
I created my certificate with ZeroSSL and I didn't manage to create a 2048-bit one. To do that, I installed Ubuntu on my Windows machine (needed to install the Windows Subsystem for Linux in the 'Turn Windows features on or off' section) and used Certbot for Ubuntu with this command to create a 2048-bit certificate using DNS validation:
certbot -d yourdomain -d www.yourdomain --manual --preferred-challenges dns certonly
The 4096-bit certificate didn't show up, but the new 2048-bit certificate did, after deleting the contents of the drop-down menu, as stated by @Gopgop. You can see what kind of encryption rate your certificate has when importing the certificate into AWS Certificate Manager, on the review and import page, under "Public key info". If you create a new certificate with ACM, that one automatically has 2048-bit encryption and can be used right away in CloudFront.
I have applied the same certificate to multiple endpoints and to multiple CloudFront distributions.
Also, if you notice, you cannot apply the CNAME to multiple endpoints either. You can use the CNAME in only one place.
The only issue I have seen is your conversion from custom certificates to an ACM certificate. There could be a bug with that. You might need to file a support ticket to resolve the issue.
Hope it helps.
I am creating an SSL certificate for my Amazon S3 static website. I created an SSL certificate using Certificate Manager for my domain and its status is 'Issued'. I am creating a CloudFront distribution, but the Custom SSL Certificate option is disabled.
Will it take some time (a day or more) before I can see my custom SSL certificate? Or am I doing something wrong?
Certificates that will be used with an Application Load Balancer (ELB/2.0) need to be created in ACM in the same region as the balancer.
Certificates that will be used with CloudFront always need to be created in us-east-1.
To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.
– http://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
The reason for this is that CloudFront doesn't follow the regional boundary model in AWS. CloudFront edge locations are all over the globe, but are configured and managed out of us-east-1 -- think of it as CloudFront's home region. Once a distribution reaches the Deployed state, it is not operationally dependent on us-east-1, but during provisioning, everything originates from that region, so that's the only ACM region that CloudFront can access.
I was getting this exact behavior, but with the certificate correctly imported in us-east-1, and figured out that the problem was the key size of my certificate (4096 bits).
AWS CloudFront only accepts keys up to 2048 bits, as stated here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-size-of-public-key
Size of the Public Key
The length of the public key for a certificate depends on where you're storing it.
Importing a certificate into AWS Certificate Manager (ACM): public key length must be 1024 or 2048 bits. The limit for a certificate that you use with CloudFront is 2048 bits, even though ACM supports larger keys.
Uploading a certificate to the AWS Identity and Access Management (IAM) certificate store: maximum size of the public key is 2048 bits.
We recommend using 2048 bits.
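The two reasons given on this page for a certificate "disappearing" (a key longer than 2048 bits, which CloudFront will not list, and a certificate with no domain name, which ACM's default list-certificates filtering hides) can both be checked locally before importing. The following is an added example, not code from any of the answers above; it assumes a PEM certificate file and a working openssl binary, and the CLOUDFRONT_MAX_RSA_BITS value is taken from the documentation quoted above.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-import checks for a PEM
# certificate, using openssl. Exit status 0 means both checks passed.
#   - RSA public key longer than 2048 bits: CloudFront will not offer it.
#   - no DNS subjectAltName and no CN: ACM imports it, but the default
#     `aws acm list-certificates` filtering only returns certs with a domain.
# Usage: check_cert_for_cloudfront cert.pem

CLOUDFRONT_MAX_RSA_BITS=2048   # limit quoted from the CloudFront docs above

# Print the public key length in bits of the PEM certificate given as $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'Public-Key: ([0-9]* bit)' \
        | grep -o '[0-9]*' | head -n 1
}

# Print how many DNS entries the subjectAltName of $1 carries (0 if none).
cert_dns_name_count() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,]*' | wc -l | tr -d ' '
}

# Print the CN of $1, or nothing if the subject has no CN.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | grep -o 'CN *= *[^,/]*'
}

check_cert_for_cloudfront() {
    f="$1"
    bits=$(cert_key_bits "$f")
    names=$(cert_dns_name_count "$f")
    cn=$(cert_common_name "$f")
    status=0
    if [ -z "$bits" ]; then
        echo "$f: could not parse certificate" >&2
        return 2
    fi
    if [ "$bits" -gt "$CLOUDFRONT_MAX_RSA_BITS" ]; then
        echo "$f: key is $bits bits; CloudFront accepts at most $CLOUDFRONT_MAX_RSA_BITS" >&2
        status=1
    fi
    if [ "$names" -eq 0 ] && [ -z "$cn" ]; then
        echo "$f: no DNS subjectAltName and no CN; ACM will import it but default list-certificates filtering hides it" >&2
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "$f: $bits-bit key, $names DNS name(s), CN '${cn#CN*=}': OK for CloudFront"
    fi
    return "$status"
}

if [ -n "${1:-}" ]; then
    check_cert_for_cloudfront "$1"
fi
```

Run it against the certificate you are about to import; a non-zero exit tells you before the console does why the certificate will not show up. It does not check the region, which is the other cause on this page: that is a property of where you import, not of the file.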
When replacing a cert, make sure you clear out the name of the existing cert in the 'Custom SSL Certificate (example.com)' text box. If you leave it uncleared, other certs are not selectable.
Had the same experience while trying to create a CloudFront distribution. I initially created the certificate in the us-west-2 region, but the checkbox was greyed out. What resolved it was creating the certificate in the us-east-1 region. The checkbox immediately became selectable.
I'm trying to set a CNAME on Cloudflare to point to an Amazon API Gateway endpoint. The CNAME is for use when referring to one of my subdomains. The gateway in turn points to the IP of a server on DigitalOcean. I am very new to Amazon web services and would appreciate if someone could give me an overview of the correct configuration for the DNS, Amazon Gateway and Cloudfront (which I think is needed to expose the gateway to DNS servers external to Amazon). Any help would be much appreciated.
UPDATE
I've been going at this for a while now and not making much progress. Does anyone have an idea if this is a viable approach or how else it might be done?
UPDATE2
I thought I needed to add the CNAME record to Cloudflare and just ended up in a redirect loop, observed by:
curl -L -i -v https://sub.mydomain.com/
NOTE: It seems this method doesn't work anymore as AWS now only accepts certificates from certain authorities. I haven't tested it myself, but the answer by Gunar looks promising.
There are several reasons why it doesn't work to simply point Cloudflare at your API Gateway domain and call it a day:
API Gateway uses shared hosting so it uses the domain name to figure out what API to send requests to. It has no way of knowing that api.yourdomain.com belongs to your API.
API Gateway requires that you use https, but the certificate that it uses is only valid for the default domain.
There is a solution, however. Here are the steps that I followed when I recently set this up:
Generate an origin certificate from the crypto tab of the Cloudflare dashboard.
Import the certificate to AWS Certificate manager in the us-east-1 region, even if your API is located in a different region. If you are prompted for the certificate chain you can copy it from here.
Add your custom domain in the API Gateway console and select the certificate you just added. Check the AWS support article for more information on how to do this.
It usually takes about 45 minutes for the custom domain to finish initializing. Once it's done it will give you a new Cloudfront URL. Go ahead and make sure your API still works through this new URL.
Go to the Cloudflare DNS tab and setup a CNAME record pointing to Cloudfront URL you just created.
Switch to the crypto tab and set your SSL mode to "Full (Strict)". If you skip this step you'll get a redirect loop.
That's it. Enjoy your new highly available API served from your custom domain!
Set up Amazon's API Gateway Custom Domain with CloudFlare
In your AWS management console go to the API Gateway service and select Custom Domain Names from the left menu.
Click the Create button.
Log into CloudFlare, select your domain and open the Crypto tab
Go to SSL and set your SSL mode to "Full (Strict)" to avoid a redirect loop.
Go to Origin Certificates and click Create Certificate
Let CloudFlare generate a private key and a CSR and choose RSA as the private key type
Make sure that the hostname for your custom API domain is covered (e.g. api.mydomain.com). You can specifically configure this custom domain or use a wildcard such as *.mydomain.com, as is configured by default.
Pick PEM as the key format which is selected by default.
In AWS, switch to region US-EAST-1 and go to the Certificate Manager.
Click Import a Certificate.
Copy the certificate body from your CloudFlare certificate into the Certificate body field of the custom domain configuration in the AWS Management Console.
Copy the private key into the certificate private key field in the console.
In the certificate chain copy the Cloudflare Origin CA - RSA Root which can be found here.
Enter your custom domain name in the AWS console and a name for your certificate
Now the custom domain name will be created in AWS CloudFront. It can take up to an hour before the domain becomes active.
The next thing you need to do is set up the mappings of the custom domain in the AWS Console.
The final step is to create a new CNAME Record in CloudFlare to link your domain to the CloudFront url. When you open the settings page of your custom domain in the AWS console copy the Distribution domain name. This is the domain you need to use when creating the new CNAME Record.
I couldn't get any of the other answers to work. So I ended up having AWS generate the certificate instead of using a Cloudflare Origin one. That's because AWS wouldn't accept my Cloudflare certificate, even when the chain was provided. I couldn't see Cloudflare in Mozilla's Certificate Authority list (which is what AWS relies on, according to the docs) so I guess that makes sense.
Here's the outline of my solution:
1. Create AWS Route53 Zone
2. Create AWS ACM Certificate (must be in us-east-1) with validation method DNS
3. Create Cloudflare DNS Record with the output of (2)
4. Create AWS API Gateway Domain Name
5. Create Cloudflare DNS CNAME Record pointing '#' (root domain) to the CloudFront domain name from step (4)
6. Create AWS API Gateway Base Path Mapping
This should be roughly it. May this help someone. Feel free to ask questions.
Both existing answers to this question are correct, but if the issue still persists even after following these directions perfectly, try going into the API Gateway settings, navigate to "Custom Domain Name" and configure the Base Path Mappings.
This was the missing step that solved all my problems.
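The three answers above describe the same procedure through the console: import the certificate into ACM in us-east-1, create the API Gateway custom domain (which gives you a CloudFront distribution domain name), add the base path mapping, and only then create the Cloudflare CNAME. The following is an added example, not code posted by any of the answerers, that performs the AWS side of that procedure with the AWS CLI. It assumes an edge-optimized REST API whose id and deployed stage you pass in, a PEM certificate, private key and chain on disk, and that the Cloudflare CNAME and SSL mode are set by hand afterwards; the API_REGION default and the AWS_CLI override (useful for a dry run with `echo`) are conventions of this script, not of AWS.

```shell
#!/bin/sh
# Added example (not from the original thread): API Gateway custom domain
# with an imported certificate, scripted around the AWS CLI.
set -eu

AWS_CLI="${AWS_CLI:-aws}"            # set AWS_CLI=echo for a dry run
ACM_REGION="us-east-1"               # CloudFront-backed resources only see ACM certs here
API_REGION="${API_REGION:-us-east-1}" # region the REST API itself lives in (assumption)

# import_cert CERT.pem KEY.pem CHAIN.pem -> prints the certificate ARN.
# The region is pinned: an import anywhere else never appears in CloudFront
# or in the API Gateway custom-domain certificate list.
import_cert() {
    "$AWS_CLI" acm import-certificate --region "$ACM_REGION" \
        --certificate "fileb://$1" --private-key "fileb://$2" \
        --certificate-chain "fileb://$3" \
        --query CertificateArn --output text
}

# create_custom_domain DOMAIN CERT_ARN -> prints the CloudFront distribution
# domain name; this is the target of the Cloudflare CNAME, not the API's
# execute-api hostname.
create_custom_domain() {
    "$AWS_CLI" apigateway create-domain-name --region "$API_REGION" \
        --domain-name "$1" --certificate-arn "$2" \
        --endpoint-configuration types=EDGE \
        --query distributionDomainName --output text
}

# map_api DOMAIN REST_API_ID STAGE [BASE_PATH] -> the base path mapping that
# the last two answers above report as the step people forget. Without it
# the custom domain resolves and terminates TLS but routes to no API.
map_api() {
    if [ -n "${4:-}" ]; then
        "$AWS_CLI" apigateway create-base-path-mapping --region "$API_REGION" \
            --domain-name "$1" --rest-api-id "$2" --stage "$3" --base-path "$4"
    else
        "$AWS_CLI" apigateway create-base-path-mapping --region "$API_REGION" \
            --domain-name "$1" --rest-api-id "$2" --stage "$3"
    fi
}

# setup_api_domain DOMAIN REST_API_ID STAGE CERT KEY CHAIN
# Runs the three steps in order and prints the DNS record to create in
# Cloudflare. Cloudflare's SSL mode must be "Full (Strict)" or the edge
# will loop on the HTTP->HTTPS redirect, as described above.
setup_api_domain() {
    domain="$1"; api_id="$2"; stage="$3"; cert="$4"; key="$5"; chain="$6"
    arn=$(import_cert "$cert" "$key" "$chain")
    cf_domain=$(create_custom_domain "$domain" "$arn")
    map_api "$domain" "$api_id" "$stage" >/dev/null
    echo "Cloudflare: CNAME $domain -> $cf_domain (SSL mode Full (Strict))"
}

if [ "${1:-}" = "--run" ]; then
    setup_api_domain "$2" "$3" "$4" "$5" "$6" "$7"
fi
```

Invoke as `./setup.sh --run api.example.com <rest-api-id> prod cert.pem key.pem chain.pem`. The custom domain is not usable the moment the command returns; as the answers note, the underlying CloudFront distribution takes up to an hour to deploy, so test the distribution domain name directly before switching the Cloudflare record.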