So, I am trying to get the SSL certificate to show up on my website, but even after following all the steps from the AWS documentation and various internet tutorials, the SSL lock sign is still not visible on my website.
I found this website really helpful and tried to follow all the steps listed there : https://blog.webinista.com/2016/02/enable-https-cloudfront-certificate-manager-s3/index.html
What I think the problem is, is that I am not quite certain how to reconfigure the DNS server after creating the CloudFront distribution. In this instance, I just created an alias target for my domain name (shamveelahammed.com) to point towards the CloudFront distribution. But this hasn't worked at all for me. At the moment, I only have 4 entries in my domain record set.
https://www.dropbox.com/s/5g2nkyxip1c22oo/Screen%20Shot%202017-07-05%20at%2002.05.31.png?dl=0
Any help with figuring out my next steps will be massively appreciated. (N.B. I am very new to this and still learning how to use AWS.)
As you have restricted bucket access when creating the CloudFront distribution, you don't need the additional alias record for S3 in Route 53. You have to generate a certificate for both domains, www.shamveelahammed.com and shamveelahammed.com, OR you can generate a wildcard certificate for your domain as *.shamveelahammed.com.
In your case it seems you have generated a certificate for the www.shamveelahammed.com domain only.
Well, thanks for all the helpful answers. I managed to find a workaround to solve the issue I was having.
I generated a new certificate for the domain www.shamveelahammed.com.
Created a target alias for the CloudFront distribution pointed towards www.shamveelahammed.com.
And finally, redirected all the requests made to www.shamveelahammed.com in the S3 bucket to shamveelahammed.com.
This fixed my problem. Hope this helps...
DNS isn't the issue.
In CloudFront, each Cache Behavior needs its Viewer Protocol Policy configured for Redirect HTTP to HTTPS.
Good Afternoon,
I have followed a few tutorials on this topic and I have researched to see what I may be missing, but so far I haven't come up with anything. I'm sure it's a simple fix I just need a bit of help.
So I have the domain brandonkjones.dev that I purchased through Google Domains and I am trying to forward it to a static page hosted on S3. I created the hosted zone in Route 53 with the name brandonkjones.dev,
and I changed the Google Domains name servers to match those generated by the hosted zone.
I also added the additional records to forward the subdomain www to the root domain.
And finally, I added the CNAME entry to the custom resource records on Google.
I'm sure this tutorial left off a step and I'm missing something, because the original tutorial didn't even mention adding the CNAME resource within Google. Any help is greatly appreciated.
I had this same issue, tried with multiple browsers and triple checked that I'd done all the Route 53 and Google Domains steps correctly to no avail. Then I opened my terminal and tried:
curl http://my-domain.dev
and it returned my index.html that I uploaded to my S3 bucket, meaning I'd done everything correctly, but my browser wouldn't let me access the website over HTTP. In my devtools network tab, I could see that even if I explicitly typed in http://my-domain.dev it would do a 307 internal redirect to https://my-domain.dev. This is a security feature that browsers have to keep users from navigating to insecure sites over http.
Since the tutorials I followed for setting up S3 static hosting with a custom domain registered on Google Domains did not set up any SSL certificates for enabling HTTPS, the only way I could access my website was over HTTP. One way to fix this issue is to turn off HSTS as outlined here. Or, you could use something like AWS CloudFront to serve your S3 site over HTTPS, which you'll probably want to do if you want other people to access your site without this issue.
I'm following the serverless-stack guide and have a website hosted in an Amazon S3 bucket. I purchased a domain using GoDaddy and I have set up cloudfront to work with this bucket, then have used AWS certificate manager to generate SSL certificates for my domain (both www.my_domain.com and my_domain.com).
In GoDaddy I then configured DNS forwarding to point to my cloudfront resource.
This all works nicely, and if I go to my_domain.com in a browser then I see my website.
However, I can't get SSL working. If I go to the https:// version of my website then I see a not secure error in the chrome address bar which shows a certificate pointing to shortener.secureserver.net rather than my own website.
Could someone point me at a way around this? Looking through S.E. and using google it seems that Amazon's route53 might be able to help, but I can't figure out how to do this.
Thanks!
(edit) To make things more clear, this is what I see in Chrome if I connect to https://my_website.com or to https://www.my_website.com
The warning message:
The certificate details:
What I do not understand is why, after configuring an AWS certificate for my domain, I see a certificate for shortener.secureserver.net rather than a certificate for my_website.com.
GoDaddy has problems and does not redirect to HTTPS. There are two ways: the first is to change domain registrar, and the second is the easiest, which is: Create a hosted zone on AWS Route 53 with your domain name.
Create 2 type A records, one for the root (of your domain) and one for www, that point to your CloudFront. Route 53 allows you to create a type A record without having an IP, because it directly points to a CloudFront instance that you indicate; that's the best.
Then in GoDaddy it gives you the option to change name servers. Take the ones assigned by AWS in the hosted zone, in the record that says NS, and put those 4 in GoDaddy, replacing the ones that were there.
Note: SAVE THE NAME SERVERS THAT YOU HAVE IN GO DADDY BEFORE REPLACING THEM, IN CASE YOU HAVE ANY PROBLEM, YOU CAN REPLACE THEM AGAIN
You have to wait at least a few hours until all the name servers are updated; you can use the who.is page to see if the DNS has already been updated with those of AWS.
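The answer above describes two things to verify once the records are in place: that the registrar now delegates to the hosted zone's four NS servers, and that the apex and www names each carry an A alias record targeting the CloudFront distribution. The script below is an added example, not code from this thread or from AWS; it takes a hosted zone's records in the shape returned by `aws route53 list-resource-record-sets` together with the registrar's current name-server list, and reports what still has to change. The domain, the name servers and the record set are constructed placeholders.

```python
"""Offline check of the Route 53 layout for a CloudFront-fronted site (added example)."""
from typing import Dict, List, Optional

CLOUDFRONT_SUFFIX = ".cloudfront.net."

# Constructed sample hosted zone: the NS/SOA pair Route 53 creates, an A alias for the
# apex that already targets CloudFront, and a leftover S3 website alias for www.
SAMPLE_RECORDS: List[Dict] = [
    {"Name": "example.com.", "Type": "NS", "ResourceRecords": [
        {"Value": "ns-1.awsdns-01.org."}, {"Value": "ns-2.awsdns-02.co.uk."},
        {"Value": "ns-3.awsdns-03.com."}, {"Value": "ns-4.awsdns-04.net."}]},
    {"Name": "example.com.", "Type": "SOA", "ResourceRecords": [
        {"Value": "ns-1.awsdns-01.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"}]},
    {"Name": "example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "d111111abcdef8.cloudfront.net."}},
    {"Name": "www.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "s3-website-us-east-1.amazonaws.com."}},
]
# Constructed sample: the registrar still delegates to its own (old) name servers.
SAMPLE_REGISTRAR_NS = ["ns1.registrar-placeholder.example.", "ns2.registrar-placeholder.example."]


def _norm(name: str) -> str:
    """DNS names compare case-insensitively and are absolute (trailing dot)."""
    return name.lower().rstrip(".") + "."


def alias_target(records: List[Dict], name: str, rtype: str = "A") -> Optional[str]:
    """Return the alias target of the record `name`/`rtype`, or None if there is none."""
    for r in records:
        if _norm(r["Name"]) == _norm(name) and r["Type"] == rtype and "AliasTarget" in r:
            return _norm(r["AliasTarget"]["DNSName"])
    return None


def check_cloudfront_aliases(records: List[Dict], zone: str, hosts=("", "www")) -> List[str]:
    """Every listed host (apex and www by default) needs an A alias at a CloudFront domain."""
    problems = []
    for h in hosts:
        name = f"{h}.{zone}" if h else zone
        target = alias_target(records, name)
        if target is None:
            problems.append(f"{_norm(name)}: no A alias record; add one targeting the distribution domain")
        elif not target.endswith(CLOUDFRONT_SUFFIX):
            problems.append(f"{_norm(name)}: A alias targets {target}, not a *.cloudfront.net distribution")
    return problems


def check_delegation(records: List[Dict], zone: str, registrar_ns: List[str]) -> List[str]:
    """The registrar must delegate to exactly the NS set of the hosted zone."""
    zone_ns = set()
    for r in records:
        if _norm(r["Name"]) == _norm(zone) and r["Type"] == "NS":
            zone_ns = {_norm(v["Value"]) for v in r["ResourceRecords"]}
    if not zone_ns:
        return ["hosted zone has no NS record set"]
    reg = {_norm(n) for n in registrar_ns}
    if reg != zone_ns:
        return ["registrar delegates to " + ", ".join(sorted(reg))
                + " but the hosted zone expects " + ", ".join(sorted(zone_ns))]
    return []


def audit(records: List[Dict], zone: str, registrar_ns: List[str]) -> List[str]:
    """Combined report; an empty list means the DNS side matches the answer's layout."""
    return check_delegation(records, zone, registrar_ns) + check_cloudfront_aliases(records, zone)


if __name__ == "__main__":
    for line in audit(SAMPLE_RECORDS, "example.com", SAMPLE_REGISTRAR_NS):
        print("-", line)
```

Run against the constructed sample it reports two problems: the registrar still points at the old name servers, and www still aliases the S3 website endpoint instead of the distribution. Feeding it the real output of `list-resource-record-sets` and the NS list shown at the registrar gives the same two checks for a live zone.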
It turns out that this is not possible with GoDaddy. If anyone else reading this has a similar problem, only current solution is to cancel your domain registration and register with someone else.
(edit) As #aavrug mentions in their comment, Amazon now have a guide for this.
When you define your CloudFront distribution you can define which protocol you want to use, and you can choose HTTPS only. In this case HTTP requests will be automatically redirected to HTTPS. Have in mind that CloudFront changes may take a while to be replicated and your browser caches it as well, so the best way is to make a change, wait for the deployment and then check it in a new incognito browser.
It goes without saying that your certificate must be valid and verified as well.
It might be something wrong with your certificate or with your domain.
If you're serving your content over HTTPS you must provide an SSL certificate in CloudFront. Have you done that?
Have you added your domain on Alternative Domain Names (CNAMEs)?
Please have a look at the image below:
-> AWS provides Free SSL Certificates to be used with Cloudfront, so you might want to use it (easier than you import your SSL from go daddy).
You can create a free SSL certificate on AWS and easily attach it to your cloudfront distribution.
-> You can also transfer your domains to AWS Route53. It is easy to integrate with any AWS Service and easy to use/maintain :)
I wrote a complete guide on my blog telling how you can add Custom SSL and attach custom domain to Cloudfront distribution, it might be useful :)
https://lucasfsantos.com/posts/deploy-react-angular-cloudfront/
I'm using CloudFront to set up a CDN for a WordPress installation. It worked for years, but I ran into an issue when I moved the whole site to HTTPS and set it up with an SSL certificate. A couple of things:
the site itself has a valid certificate, which I checked using a SSL checker;
the CNAME I'm using for the CDN (like image.website.com) also has its own SSL certificate, which I also checked. The intermediate certificate is also good and valid.
Of course the distribution is set to point to the custom CNAME, which was validated by AWS (using the DNS protocol).
I tried different configurations of the Origin Protocol Policy setting in my distribution, but the problem persists.
Maybe something to do with the headers. If anyone could help me troubleshoot this it would be greatly appreciated.
Thanks
The distribution is working. It seems that changing the Origin Protocol Policy to “HTTP only” did the trick. After implementing changes in distribution settings, some time is needed for them to fully take effect.
I can't get the Internet <-> CloudFront <-> S3 Bucket working, using an AWS certificate. This is what I did:
Created a certificate, a wildcard one, like: *.mydomain.example.
Created an S3 bucket, no fiddling with properties.
Created a CloudFront distribution, using the created S3 bucket URL as origin, selecting my certificate from step 1, choosing HTTP/2, HTTP/1.1, HTTP/1.0, and choosing HTTP to HTTPS redirect.
Created an A alias in my hosted zone for the domain the certificate is issued for, pointing at my distribution URL.
After the distribution is created, my browsers all tell me this:
Firefox: SSL_ERROR_NO_CYPHER_OVERLAP
Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Safari: Can't establish a secure connection.
I'm not sure if I've missed a step in the process of setting this up, I've tried fiddling with various parameters but nothing lets me through.
I read this blog post, saying that I might have forgotten adding alternate CNAMEs. This confuses me a bit, should I? In Route 53 I configured my full domain using something.mydomain.example and the certificate is a wildcard one.
Other blog posts and question answers indicate I should not, just use the A record and the CloudFront distribution URL/endpoint, as I have done.
So, in my update, I mentioned adding CNAMEs from a blog post. This was it, the second I did that, it started working.
To clarify, I did this to solve my problem:
Edit your CloudFront distribution.
Under the tab General, click edit.
In the Alternate Domain Names text box, add (at least) the something.mydomain.example that you have configured to this distribution's endpoint/URL in Route53.
Save your changes.
This solved it instantly for me, but remember that CloudFront configuration changes sometimes can take some time to be pushed out.
As stated by OP in an edit, the error is caused when a CNAME entry for the apex (naked) domain, www subdomain, other subdomain or other domain(s) is not listed in the distribution.
To fix, add at least one CNAME to the distribution in CloudFront.
Weird but true:
What actually fixed the issue for me was bumping the minimum cipher version up from TLSv1 to TLSv1.1_2016 in the CF Distribution.
Here's the relevant CloudFormation snippet:
    # Properties of the distribution's DistributionConfig
    HttpVersion: "http2"
    ViewerCertificate:
      AcmCertificateArn: !Ref SslCertificateArn
      MinimumProtocolVersion: "TLSv1.1_2016"
      SslSupportMethod: sni-only
Weird because I don't understand why this change fixes anything. The browser should automatically negotiate the higher TLS version.
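Several answers in this thread come down to the same handful of distribution settings: the viewer hostname must be listed under Alternate Domain Names (the SSL_ERROR_NO_CYPHER_OVERLAP fix above), the certificate must actually cover that hostname (a wildcard does not cover the apex, as the first answer notes), every cache behavior should redirect HTTP to HTTPS, and the minimum protocol version should not be the TLSv1 floor. The linter below is an added example, not code from this thread or from AWS: it runs over the `DistributionConfig` structure returned by `aws cloudfront get-distribution-config` (field names as AWS documents them), plus the list of names on the certificate, and reports those four problems. The sample config, certificate names and ARN are constructed placeholders; `apply_fixes` shows the corrected shape of the same config.

```python
"""Offline linter for the CloudFront settings this thread keeps tripping over (added example)."""
import copy
from typing import Dict, List

# Constructed sample DistributionConfig: www listed but not the apex, HTTP still allowed
# on the default behavior, a wildcard-only certificate, and the TLSv1 floor.
SAMPLE_CONFIG: Dict = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-site", "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/images/*", "TargetOriginId": "s3-site",
         "ViewerProtocolPolicy": "redirect-to-https"}]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1",
        "CloudFrontDefaultCertificate": False,
    },
}
SAMPLE_CERT_SANS = ["*.example.com"]          # names on the constructed certificate
EXPECTED_HOSTS = ["example.com", "www.example.com"]  # hostnames viewers will use

WEAK_MINIMUMS = {None, "SSLv3", "TLSv1", "TLSv1_2016"}


def _n(host: str) -> str:
    return host.lower().rstrip(".")


def cert_covers(san_names: List[str], host: str) -> bool:
    """Exact match, or a wildcard that matches exactly one label (RFC 6125 style):
    *.example.com covers www.example.com but neither example.com nor a.b.example.com."""
    host = _n(host)
    for san in san_names:
        san = _n(san)
        if san == host:
            return True
        if san.startswith("*.") and host.count(".") == san.count(".") and host.endswith(san[1:]):
            return True
    return False


def lint(config: Dict, expected_hosts: List[str], cert_sans: List[str]) -> List[str]:
    findings = []
    aliases = [_n(a) for a in config.get("Aliases", {}).get("Items", [])]
    for host in expected_hosts:
        if _n(host) not in aliases:
            findings.append(f"{_n(host)}: not listed under Alternate Domain Names (CNAMEs); "
                            "the distribution will not serve the custom certificate for it")
    cert = config.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate") and aliases:
        findings.append("custom hostnames configured but the default *.cloudfront.net certificate is in use")
    for host in sorted(set(aliases) | {_n(h) for h in expected_hosts}):
        if not cert_covers(cert_sans, host):
            findings.append(f"{host}: not covered by the certificate names {cert_sans}")
    behaviors = [("DefaultCacheBehavior", config.get("DefaultCacheBehavior", {}))]
    behaviors += [(b.get("PathPattern", "?"), b) for b in config.get("CacheBehaviors", {}).get("Items", [])]
    for label, b in behaviors:
        policy = b.get("ViewerProtocolPolicy")
        if policy not in ("redirect-to-https", "https-only"):
            findings.append(f"{label}: ViewerProtocolPolicy is {policy!r}; set redirect-to-https")
    if cert.get("MinimumProtocolVersion") in WEAK_MINIMUMS:
        findings.append(f"MinimumProtocolVersion is {cert.get('MinimumProtocolVersion')!r}; raise it (e.g. TLSv1.2_2021)")
    return findings


def apply_fixes(config: Dict, expected_hosts: List[str]) -> Dict:
    """Return a copy with the alias list, viewer policy and TLS floor corrected.
    The certificate itself must be reissued separately to cover every alias."""
    fixed = copy.deepcopy(config)
    hosts = sorted({_n(h) for h in expected_hosts} | {_n(a) for a in fixed.get("Aliases", {}).get("Items", [])})
    fixed["Aliases"] = {"Quantity": len(hosts), "Items": hosts}
    fixed.setdefault("DefaultCacheBehavior", {})["ViewerProtocolPolicy"] = "redirect-to-https"
    for b in fixed.get("CacheBehaviors", {}).get("Items", []):
        b["ViewerProtocolPolicy"] = "redirect-to-https"
    fixed.setdefault("ViewerCertificate", {})["MinimumProtocolVersion"] = "TLSv1.2_2021"
    return fixed


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG, EXPECTED_HOSTS, SAMPLE_CERT_SANS):
        print("-", line)
```

On the constructed sample the linter reports four findings: the apex missing from the aliases, the apex not covered by the wildcard certificate, the default behavior still allowing plain HTTP, and the TLSv1 floor. After `apply_fixes` and a certificate that names both the wildcard and the apex, the same check returns nothing; the remaining propagation delay the thread mentions is outside what a config check can see.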
I am trying to go full HTTPS. I have no problem with the main site, but I have a problem with the CNAME cdn.example.com, which is my Amazon CloudFront distribution domain.
I went through all documentation I could find on AWS, but cannot find anything that could help me.
My distribution uses the default wildcard CloudFront certificate.
I also have a wildcard cert for my domain.
Any suggestions, please?