We are using cloudfront to serve images with a custom domain.
http://images.example.com/fubar.png
We want to be able to access them with SSL, eg https://images.example.com/fubar.png
We have a wildcard SSL certificate (issued from Godaddy) for *.example.com and I used the AWS Certificate Manager to upload the certificate, private key, and keychain. The upload appears to have been successful as *.example.com appears to be issued (according to the Certificate Manager).
How do I "apply" this wildcard SSL to images.example.com? If I visit CloudFront Distributions and edit the General settings to select Custom SSL Certificate I can see my *.example.com wildcard SSL. But when I try to click the Yes, Edit button I get the following error message:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: ffffffff-ffff-ffff-ffff-ffffffffffff)
What steps do I need to take to allow me to apply this Wldcard SSL cert to my cloudfront images with custom DNS name?
Cannot say for sure, but typically with issues like this your certificate chain is incorrect. You’ll need to check the certificate authority’s instructions for creating the chain (e.g. what intermediate certificates does it need).
I got the same error, and finally found out it's the the maximum size of the public key in an SSL/TLS certificate issue.
AWS CloudFront only support 2048 bits, although Certificate Manager allows you to import 4096 bit keys.
Please refer to:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-size-of-public-key.html
Especially this one: step by step
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-format
Related
I am trying to create a Cloudfront distribution for a subdomain, e.g. dev.example.com. However, after adding the details for the objects origin and I enter the alternate domain names (CNAMES) section and add: dev.example.com I get the following error when I click on create distribution:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: fb305ccd-21e7-4bf8-a55c-df1304c06ac1; Proxy: null)
I am managing my domian dns through Route 53. I've created a certificate through ACM already, but the option to select a custom SSL certificate is greyed out. I've gone through the AWS Docs and couldn't find any solution so far.
This error indicates that the certificate that is attempting to be used is incorrect.
Your ACM certificate must be created in us-east-1 for a CloudFront distribution. The reason for this is that CloudFront is a global service, global services can only attach regional services that exist within us-east-1. They also will appear in CloudWatch and CloudTrail under the region of us-east-1.
It must also cover the domain you're using. In your case either dev.example.com or *.example.com must be included on your certificate.
You Have to Create the ACM certificate in us-east-1 . Did you ?
I am trying to connect CloudFlare to API Gateway
Steps followed are:
Generated certificate in Cloudflare
Imported certificate in certificate manager in AWS
Made Full Strict in Cloudflare
in API gateway, for custom domain, I gave the domain name. Selected edge optimized and selected my certificate I imported. I am getting following error
The certificate that is attached to your distribution was not issued by a trusted Certificate Authority.
For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate;
The mistake I was doing was, I was importing the certificate to the Certificate Manager. I used the .pem encoded string and imported.
What worked for me was instead of importing, I went through the " Request for certificate" process. This can be approved via DNS modification or through email approval(faster way).
The change I observed was, "Request for certificate" is AWS issued and the former is not.
Using this I generated Edge optimized custom domain which gave me a cloud front URL.
I used this to link with CNAME in my Cloudflare DNS
I'm trying to set my domain name to my website.
I went to set CNAMEs to my domain name example.com at AWS CloudFront, when I try to save the edit I'm given the following error by AWS.
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: e30a1b51-b467-4128-a88c-e758bb99f0dc)
Yes, I'm aware of Amazon CloudFront enhances the security. Which is why I have created Certificate Manager # N.Virgina for the domains I wanted (it's currently in Issued status)
However both the RadioButton and TextField are always in disabled mode, I never get to choose my Certificate. If I tap into Request or Import a certificate with ACM, it always bring me back to the same webpage for Request a certificate
What's my mistake here?
Unbelievable solution. I basically just need to re-login my AWS, both the option (RadioButton and TextField) is actually enabled.
In the Cert Manager I have a valid certificate, which includes the *.example.com domain.
In CloudFront I have a distribution with HTTP to HTTPS redirect enabled and empty CNAME field.
When I edit the distribution and enter staging.example.com in the CNAME field and select the certificate I get the following error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 8406d8d5-65c3-11e9-afc0-65457a0a2bea)
Am I missing something? The other distribution for the top level domain is working fine with the same certificate.
Make sure that you are only trying to get the *. to match a single subdomain. See wildcard ssl on sub-subdomain
That is to say that *.example.com will match sub1.example.com and sub2.example.com, but it will not match sub2.sub1.example.com. Finally, you CANNOT request a certificate for *.*.example.com. In order to match that last case you would have to request *.sub1.example.com.
Figured it out.
The certificate was generated on the wrong region. Certificates that will be used on a CloudFront distribution must be generated on us-east-1 (Virginia).
In my case, I created an SSL in us-east-1 (North Virginia) but I was still facing the issue and when I checked that SSL in the ACM, it was only for subdomains I forgot to add a root domain while requesting the SSL.
So whenever you want to use an ACM make sure that the SSL certificate is for the domain and subdomains (if required).
If you are using serverless, try adding certificateArn as component inputs in the serverless.yml file
your-app:
component: "#sls-next/serverless-component#latest"
inputs:
domain: ["app", "domain.com"] # [ sub-domain, domain ]
certificateArn: "arn:aws:acm:us-east-1:<id>"
Reference : https://github.com/serverless-nextjs/serverless-next.js/issues/821
I had imported a SSL certificate into AWS long time ago. It is currently installed on the ELB, and it is going to expire in 15 days. I am trying to get AWS to issue a new certificate but it is stuck waiting validation:
Currently Route53 is pointing to the ELB. If I enter "https://eyecloud.net.au" it works fine.
Now, I tried to create a CloudFront, so that I can redirect HTTP to HTTPS. But the imported SSL certificate does not show up:
I deleted the ELB, and the imported certificate becomes not in use, but it still doesn't show up on CloudFront.
There is no problem using a certificate with multiple endpoints, whether they're ELBs, ALBs, or Cloudfront distributions.
However, if you want to use an ACM cert for Cloudfront, the cert must be issued in us-east-1.
Note
To use an ACM Certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region.
http://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
I had a case where I already had an SSL certificate selected, and when I clicked on the dropdown it only showed the selected one.
Turns out that Amazon doesn't like UX because it is not a normal dropdown it is a "searchable" dropdown. Meaning if you have a certificate selected, it will only show that specific certificate because it is also searching it in the dropdown.
Clicking on it and deleting the name reveals the rest of the certificates.
See below examples:
UX.
Where are my certificates?
Oh...
My problem was, that I got generated a 4096 bit certificate, but Cloud Front only allows for 2048 bit certificates
CloudFront [...] with ACM support a maximum of 2048-bit RSA certificates
I created my certificate with ZeroSSL and I didn't manage to create a 2048 bit one. To do that, I installed Ubuntu on my Windows machine (needed to install the Windows Subsystem for Linux in the 'Turn Windows features on or off' section) and used Certbot for Ubuntu with this command to create a 2048 bit certificate while using dns validation:
certbot -d yourdomain -d www.yourdomain --manual --preferred-challenges dns certonly
The 4096 bit certificate didn't show up, but the new 2048 bit certificate did, after deleting the contents of the drop-down menu, like stated by #Gopgop. You can see what kind of encryption rate your certificate has when importing the certificate into AWS Certificate Manager, on the review and import page, "Public key info". If you create a new certificate with ACM, that one automatically has a 2048 bit encryption and can be used right away in Cloud Front.
I have applied the same certificate to multiple endpoints or on multiple cloudfront distributions.
Also if you notice you cannot apply the cname to mutiple endpoints as well. You can use the cname it only in one place.
Only issue I have seen is your conversion from custom certificates to ACM certificate. There could be a bug with that. You might need to file a support ticket to resolve the issue.
Hope it helps.