AWS Certificate manager isn't allowing me to add a 2 level wildcard domain name, which would match x.a.example.com, y.b.example.com etc.
Is there a workaround for this? (instead of creating *.a.example.com, *.b.example.com etc)
Source: http://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html
Wildcard Names
ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, *.example.com protects www.example.com and images.example.com.
Note: When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com and test.example.com, but it cannot protect test.login.example.com. Also note that *.example.com protects only the subdomains of example.com, it does not protect the bare or apex domain (example.com). However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects example.com and *.example.com.
Unfortunately this is not possible/supported.
You can have Subject Alternative Names or SANs in the certificate for named domains: https://geekflare.com/san-ssl-certificate/
Certificate Signing Request or CSR generation would be something like this:
openssl req -new -key my.key -out my.csr -subj "/CN=*.domain.com" -addext "subjectAltName=DNS:one.complex.domain.com,DNS:completely.another.domain.com"
More details here: https://stackoverflow.com/a/16127802/339052
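Added example (not code from any of the answers or from AWS): a small Python check that implements the name-matching rules quoted from the ACM docs above, which are the same rules browsers and CloudFront apply to a certificate's CN/SAN list. A wildcard must be the whole leftmost label, it matches exactly one label, and it never matches the bare/apex domain, so "*.*.example.com" is rejected and "*.domain.ca" does not cover "domain.ca". The certificate name list and hostnames below are constructed sample values; the function names are my own.

```python
"""Does a certificate's name list cover a hostname?

Rules implemented (per the ACM docs quoted above and RFC 6125 matching):
  - a name without '*' must match the hostname exactly (case-insensitive)
  - '*' is only allowed as the entire leftmost label
  - '*' matches exactly one label, so '*.example.com' covers
    'login.example.com' but not 'test.login.example.com' or 'example.com'
  - a wildcard needs at least two labels to its right ('*.com' is invalid)
"""


def _normalize(name: str) -> str:
    """Lower-case and strip surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or SAN) covers hostname."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The asterisk must be the whole leftmost label and appear nowhere else:
    # this rejects "a.*.example.com", "*.*.example.com" and "w*.example.com".
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # "*.com" style patterns are not acceptable wildcards.
    if len(p_labels) < 3:
        return False
    # The asterisk matches exactly one label, so label counts must be equal;
    # this is why "*.example.com" covers neither "example.com" (apex)
    # nor "a.b.example.com" (two levels).
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by(cert_names, hostname):
    """Return the first name in cert_names that covers hostname, else None."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


def uncovered_hostnames(cert_names, hostnames):
    """Hostnames that would trigger a 'certificate doesn't cover' error."""
    return [h for h in hostnames if covered_by(cert_names, h) is None]


if __name__ == "__main__":
    # Constructed sample: a certificate holding only two wildcards (no apex
    # names) and the alternate domain names its owner wants to attach.
    cert = ["*.domain.com", "*.domain.ca"]
    wanted = ["domain.com", "www.domain.com", "domain.ca",
              "www.domain.ca", "x.a.domain.com"]
    for host in wanted:
        print(f"{host:18} -> {covered_by(cert, host) or 'NOT COVERED'}")
    # Re-issued certificate with the apex names added as extra SANs.
    fixed = cert + ["domain.com", "domain.ca"]
    print("still uncovered after adding apex SANs:",
          uncovered_hostnames(fixed, wanted))
```

Running it shows the two apex names and the two-level host as uncovered by the wildcard-only certificate; after adding the apex SANs only the two-level name remains, which is exactly the case the original question asks about and which no single ACM name can express.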
For those who are having issues with multiple subdomains in their certificate.
Source: https://aws.amazon.com/premiumsupport/knowledge-center/associate-ssl-certificates-cloudfront/
You can't associate more than one SSL or Transport Layer Security (TLS) certificate to an individual CloudFront distribution. However, certificates provided by AWS Certificate Manager (ACM) support up to 10 subject alternative names, including wildcards. To enable SSL or HTTPS for multiple domains served through one CloudFront distribution, assign a certificate from ACM that includes all the required domains.
To use your own SSL certificate for multiple domain names with CloudFront, import your certificate into ACM or the AWS Identity and Access Management (IAM) certificate store. For instructions, see Importing an SSL/TLS Certificate.
Related
I have a cloudfront distribution that I want to serve the following domains & I am trying to list as CNAMEs:
domain.com
www.domains.com
domain.ca
www.domain.ca
Now my certificate has *.domain.com and *.domain.ca and is approved.
But when I tried to add either "domain.com" or "domain.ca" to my cloudfront CNAMEs, I get this error.
Why do I get this?
ViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add.
Wildcard certificate *.domain.ca does not cover domain.ca. Same case for domain.com. You need to re-issue your certificate to include both the wildcards and the domain.com and domain.ca. From docs:
Also note that *.example.com protects only the subdomains of example.com, it does not protect the bare or apex domain (example.com). However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects example.com and *.example.com.
SSL Certificate is already enabled on my main domain but now I want to enable SSL on my subdomain too, So how can I enable on my subdomain, I am using AWS services.
If you're wanting to generate an SSL for your subdomain you will need to go through the ACM process again in the region(s) you're operating in.
When you specify the domain for the certificate you can either specify an absolute subdomain (foo.example.com) or specify a wildcard domain (*.example.com).
Once you have specified this you will need to go through the standard validation approach to have the certificate approved.
As an additional point going forward, AWS supports adding multiple domains to a single certificate so you could add the root domain (example.com) and the wildcard subdomain (*.example.com) to the same certificate which would allow you to use the same certificate.
No, it is not possible to edit an existing certificate to add more domains or a sub-domain of an already existing domain on an ACM certificate.
In case you wish to obtain a certificate for a new domain or sub-domain you can either have two separate certificates for the domain and sub-domain or delete the older certificate and request a new certificate with both the domain and sub-domain on the certificate.
A single certificate can hold domain.com & *.domain.com. Also the same certificate can also have domain1.com & *.domain1.com
Source https://forums.aws.amazon.com/thread.jspa?messageID=931119
When I try to add an apex domain to cloudfront Alternate Domain Names list, it throws the following error:
[Image: CloudFront error]
I know my configuration works, because I am able to use the same domain with www as subdomain without any problem: [Image: CloudFront config]
And I'm sure Route 53 is not the problem, because I can create the Alias Record with no problem pointing to my CloudFront Distribution, but if CloudFront doesn't let me add the Apex Domain on its list, it will reject any request.
Note: an apex domain is a URL without the subdomain part, i.e. domain.io
The error you get is probably because your certificate in ACM has been registered for www.domain.io or *.domain.io. Such a certificate does not cover the apex domain domain.io. From the AWS documentation:
When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com and test.example.com, but it cannot protect test.login.example.com. Also note that *.example.com protects only the subdomains of example.com, it does not protect the bare or apex domain (example.com). However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects example.com and *.example.com
Typical solution is to create a new certificate for both domains, *.domain.io and domain.io, or both www.domain.io and domain.io.
AWS API Gateway refuses to allow me to associate a custom domain to a certificate. However, it allowed me to associate the certificate just fine to another domain. The certificate is a wildcard cert. A picture is worth a thousand words:
In April 2019, there was an enhancement for CloudFront about the security for adding alternate domain names to a distribution.
It seems that the self-signed certificate is not allowed after the enhancement.
Amazon CloudFront enhances the security for adding alternate domain names to a distribution
The certificate must be valid and come from a publicly trusted Certificate Authority like AWS Certificate Manager which provides public SSL/TLS certificates for free.
I am looking for some advice as to how to most cost-efficiently set up SSL for a subdomain, e.g. https://images.example.com.
Images are hosted in AWS S3 and I have a cloudfront distribution pointing to that bucket.
I have purchased a single domain SSL cert from Comodo and successfully added it to my cloudfront distribution. That part was easy as pie.
However, when loading images on the subdomain I get a "Not secure / certificate invalid" in the browser bar.
Is this because I require a wildcard SSL cert?
I have not tested that the SSL cert works on the main domain. Reason being there is currently a production site that I don't want to interfere with.
Before I rush out and purchase a much more expensive wildcard SSL cert, I want to make sure it is required.
I have a single subdomain for image hosting. I don't expect to ever add more subdomains. What if I just purchase two single domain certs?
What are my options?
Try using ACM (https://aws.amazon.com/certificate-manager/ ) to issue an AWS issued wildcard certificate for your domain and use that instead?
As to why your existing cert won't work - does it have the domain in the cert (e.g. images.domain.com) as either the primary domain or as a SAN? If not, it won't work.
If you don't want to use a wildcard, you can use an ACM cert (or a cert you purchase from somewhere else) and issue it for the subdomain only. You don't have to use a wildcard, but from a cost point of view if you are purchasing them, it's often more cost-effective (although there are of course security concerns to consider). If you are using ACM, the certs are free - either domain specific or wildcard.