I deployed a react app to AWS recently after following this tutorial, everything is working fine except when I wanted to integrate a custom domain that I bought recently using AWS Route 53, I get an error (403).
For the integration of Route 53 with CloudFront I followed these steps in the docs as they are, I know that my problem is related to some sort of permission authority, but I don't know where exactly I did something wrong.
Solved, my problem was related to unassigned Alternate Domain Names (CNAMEs) for the CloudFront Distribution.
Adding additional information regarding the two answers above.
As described in How do I resolve the error "The request could not be satisfied. Bad Request" from Amazon CloudFront
:
This error message "The request could not be satisfied. Bad Request."
is from the client and the error can occur due to one of the following
reasons:
1) The request is initiated over HTTP, but the CloudFront distribution
is configured to allow only HTTPS requests.
2) The requested alternate domain name (CNAME) isn't associated with
the CloudFront distribution.
Solution for #1:
Open the Amazon CloudFront console -> Select the relevant distribution ->
Go Behaviors view -> Choose the behavior that matches the request and Edit ->
Then select in the Viewer Protocol Policy between the options of: HTTP and HTTPS or Redirect HTTP to HTTPS.
Solution for #2:
Since this release when you add an alternate domain name to a distribution, you must also attach a SSL/TLS certificate to that distribution that covers the alternate domain name.
So, first of all make sure that you do the following before you update your distribution to add an alternate domain name:
A) Register the domain name with domain provider (GoDadday, CloudFlare, Route 53 etc').
B) Add a certificate from an authorized certificate authority (for example - Let's Encrypt) to CloudFront that covers the domain name you plan to use with the distribution, to validate that you are authorized to use the domain.
(Read more in here).
And only then:
Open Amazon CloudFront console -> General view -> Edit -> Alternate Domain Names (CNAMEs) -> enter the CNAME that you want to associate with the CloudFront distribution (for example www or home).
Looks like you are trying http instead of https.
If you have enabled http, then it means the destination method or path cannot be reached.
Related
Similarly to other stacks, I have hosted a website using AWS services:
Registered domain on Route 53 (example.net)
Content is hosted on an S3 bucket
Got an SSL certificate using AWS Certificate Manager
Created a CloudFront distribution, pointed it to S3 and connected it to my domain with Route 53.
All of this works except for an issue at what seems to be the final hurdle. When I enter my domain url into the search bar, example.net, the connection isn't secure by default. I've illustrated the problem here.
I'm relatively new to hosting and can't find a solution relating to this. My thoughts are that I'm missing some Cloudfront or Route 53 configuration, since another thing that doesn't work is connecting via www (I don't care about that issue as much). Any input is appreciated.
By default enabling HTTPS on a website doesn't disable HTTP. They are both available, on separate ports. That's why you have to type https:// in the browser's address bar to go directly to the HTTPS version of your website. You can get CloudFront to redirect all HTTP requests to HTTPS by following this guide.
I have a site example.com that lives on S3. I have set up HTTP -> HTTPS forwarding successfully for this site.
I also have a subdomain, blog.example.me that also lives on S3, which I want to enable SSL with. Right now, it only supports HTTP. I am using Route 53 for routing and Cloudfront as a CDN.
I have looked for documentation on this issue, but have yet to find something that works. Do I have to create a new certificate, or can I use the same cert that example.com uses? If I can use the same certificate, which piece of AWS should I start with?
For the certificate it depends if its a wildcard certificate that covers the whole domain example of a wildcard certificate would be *.example.com the you can use the same certificate for your sub domain(s)
A typical hosted secured site with S3 and Cloudfront would follow the following steps
Create an S3 Bucket
Bucket name - your domain name
Select your bucket, go to Properties -> Static Website Hosting, then Enable
Website Hosting
Grant public read access to allow cloudfront to read from your bucket.
Get SSL certficate/ Use existing if applies
AWS provides free SSL certificates, which work with browsers that support SNI. You can import your own SSL certificate.
CloudFront configuration
Create a new Web distribution. Under Origin Settings, use the Endpoint
you copied from your S3 bucket’s static hosting setup. Many other
guides instruct this without explaining why — this is because if you
have redirect rules configured with your S3 bucket and you specify the
internal AWS S3 resource, the redirects will no longer work.
Therefore, you must specify the website endpoint domain to ensure
redirection functionality works.
Under Default Cache Behavior Settings, it’s worth selecting Redirect
HTTP to HTTPS and narrowing down the Allowed HTTP Methods — for a
static website, GET and HEAD will do.
Under cloudfront distribution settings configure:
Set your domain names under Alternate Domain Names (yourdomain.com,
and optionally, www.yourdomain.com)
Configure SSL by selecting Custom SSL Certificate, then choosing the
certificate generated or imported in to Certificate Manager.
Finally, specify the Default Root Object. This should match your S3
bucket’s Index Document, usually index.html. This is simply where all
requests are redirected to when a client requests your website URL
without a path
Route 53 configuration:
Head over to hosted zones
Select the hosted zone for the domain or subdomain you wish to use
Create a record for your site: select Alias and in the dropdown you should see your cloudfront distribution, select it as your alias target and save it.
For more detailed info check: https://medium.com/#willmorgan/moving-a-static-website-to-aws-s3-cloudfront-with-https-1fdd95563106
1.I have a domain purchased through godaddy. I have set custom DNS and added 4 name servers generated by the hosted zone in AWS Route 53. DNS lookup through whois.net shows the correct values.
2.In Route 53, I have added an A record to the Alias Target xxxxxxxxxxxxxx.cloudfront.net. So the traffic hits Route 53 and goes to CloudFront.
3.In CloudFront, I have one distribution. As Alternate Domain Names (CNAMEs), I have the following values:
*.domain.com / www.domain.com / domain.com
Under origins, I have one record with the following Origin Domain Name:
domain.com.s3-website.az-name-1.amazonaws.com
4.I am hosting website in an S3 bucket. All HTTP requests are set to redirect to HTTPS.
5.Lastly, I have created (US East (N. Virginia) region) and verified a single certificate for the following domain names: domain.com, www.domain.com, *.domain.com
I have read some answers that I should just wait and the custom SSL certificate option will become enabled. It's been more than day now, however, and there is no sign of that happening.
My website works in http mode, but not in https url. Any solution ...Please help...
PS. I am new to aws, please help me...
HTTPS settings was working perfectly as cloudfront url was working as expected so I realized it was just a DNS issue. All it took was an TYPE A record pointing to it.
Solution :
Add/edit proper "TYPE A" record with "Alias Target" as a cloudfront url.
Credit : Setup AWS S3 static website hosting using SSL (ACM)
Can you confirm whether you have used ACM to generate the SSL certificate? Or you are using SSL certificate from other vendors?
STEP 1:
If you have generated the SSL Certificate from ACM, please make sure you did that with US East (N. Virginia) region. Because, CloudFront being an AWS service which is not tied to any specific region, it will use the certificates from US East region only.
STEP 2:
1. Use the "Request or Import a certificate" option in CloudFront
2. Select the certificate which you generated
3. Complete the setup and try
If everything else is setup fine, you should be able to access the contents with HTTPS after the above step.
Let me know in case it didn't work
For anyone else coming across this issue, the button was greyed out for me also and YES, I had requested the ACM cert in us-east-1.
The fix was to try in the Edge browser instead of Chrome.
For me the solution was very simple... I failed to add "Alternate Domain Name", once I did everything clicked.
I have decided to switch to HTTPS for my Github pages custom domain, to do so I have followed this tutorial step by step. Namely:
Requested for an SSL in AWS Certificate Manager
Created a CloudFront distribution
Changed my DNS A Record to an alias to that distribution
But for some reason, when accessing christopherkade.com the URL follows the default root object I have set in the distribution (christopherkade.com/index.html) and Firefox gives me the following error The page isn’t redirecting properly and Chrome christopherkade.com redirected you too many times..
Here are my DNS records:
My page is hosted on this repository.
Did I forget something?
I have found a solution, but it required a change in the service used to deliver HTTPS. I sum it up here, but in short:
I now use Cloudflare as my DNS and changed my nameservers on AWS Route 53 to the ones given by Cloudflare after setting up my website.
As you can see christopherkade.com is now served in HTTPS.
I'm trying to set a CNAME on Cloudflare to point to an Amazon API Gateway endpoint. The CNAME is for use when referring to one of my subdomains. The gateway in turn points to the IP of a server on DigitalOcean. I am very new to Amazon web services and would appreciate if someone could give me an overview of the correct configuration for the DNS, Amazon Gateway and Cloudfront (which I think is needed to expose the gateway to DNS servers external to Amazon). Any help would be much appreciated.
UPDATE
I've been going at this for a while now and not making much progress. Does anyone have an idea if this is a viable approach or how else it might be done?
UPDATE2
I thought I needed to add the CNAME record to cloudFlare and just ended up in a redirect loop, observed by:
curl -L -i -v https://sub.mydomain.com/
NOTE: It seems this method doesn't work anymore as AWS now only accepts certificates from certain authorities. I haven't tested it myself, but the answer by Gunar looks promising.
There are several reasons why it doens't work to simply point Cloudflare at your API Gateway domain and call it a day:
API Gateway uses shared hosting so it uses the domain name to figure out what API to send requests to. It has no way of knowing that api.yourdomain.com belongs to your API.
API Gateway requires that you use https, but the certificate that it uses is only valid for the default domain.
There is a solution, however. Here are the steps that I followed when I recently set this up:
Generate an origin certificate from the crypto tab of the Cloudflare dashboard.
Import the certificate to AWS Certificate manager in the us-east-1 region, even if your API is located in a different region. If you are prompted for the certificate chain you can copy it from here.
Add your custom domain in the API Gateway console and select the certificate you just added. Check the AWS support article for more information on how to do this.
It usually takes about 45 minutes for the custom domain to finish initializing. Once it's done it will give you a new Cloudfront URL. Go ahead and make sure your API still works through this new URL.
Go to the Cloudflare DNS tab and setup a CNAME record pointing to Cloudfront URL you just created.
Switch to the crypto tab and set your SSL mode to "Full (Strict)". If you skip this step you'll get a redirect loop.
That's it. Enjoy your new highly available API served from your custom domain!
Set up Amazon's API Gateway Custom Domain with CloudFlare
In your AWS management console go to the API Gateway service and select Custom Domain Names from the left menu.
Click the Create button.
Log into CloudFlare, select your domain and open the Crypto tab
Go to SSL and set your SSL mode to "Full (Strict)" to avoid a redirect loop.
Go to Origin Certificates and click Create Certificate
Let CloudFlare generate a private key and a CSR and choose RSA as the private key type
Make sure that the hostname for your custom API domain is covered. (e.g. api.mydomain.com. You can specifically configure this custom domain or use a wildcard such as *.mydomain.com as is configured by default.
Pick PEM as the key format which is selected by default.
In AWS switch to region US-EAST-1 and goto the Certificate Manager.
Click Import a Certificate.
Copy the certificate body from your CloudFlare certificate to Certificate body to the configuration of the custom domain in the AWS Management Console.
Copy the Private key to the certificate private key field in the console
In the certificate chain copy the Cloudflare Origin CA - RSA Root which can be found here.
Enter your custom domain name in the AWS console and a name for your certificate
Now the custom domain name will be created in AWS CloudFront. It can take up to an hour before the domain becomes active.
The next thing you need to do is set up the mappings of the custom domain in the AWS Console.
The final step is to create a new CNAME Record in CloudFlare to link your domain to the CloudFront url. When you open the settings page of your custom domain in the AWS console copy the Distribution domain name. This is the domain you need to use when creating the new CNAME Record.
Source
I couldn't get any of the other answers to work. So I ended up having AWS generate the certificate instead of using a Cloudflare Origin one. That's because AWS wouldn't accept my Cloudflare certificate, even when the chain was provided. I couldn't see Cloudflare in Mozilla's Certificate Authority list (which is what AWS relies on, according to the docs) so I guess that makes sense.
Here's the outline of my solution:
Create AWS Route53 Zone
Create AWS ACM Certificate (must be in us-east-1) with validation method DNS
Create Cloudflare DNS Record with the output of (2)
Create AWS API Gateway Domain Name
Create Cloudflare DNS CNAME Record pointing '#' (root domain) to the Cloudfront domain name from step (4)
Create AWS API Gateway Base Path Mapping
This should be roughly it. May this help someone. Feel free to ask questions.
Both existing answers to this question are correct, but if the issue still persists even after following these directions perfectly, try going into the API Gateway settings, navigate to "Custom Domain Name" and configure the Base Path Mappings.
This was the missing step that solved all my problems.