AWS S3, CloudFront and SSL - amazon-web-services

I have tried setting up a static hosting solution for our web platform by using AWS S3 and CloudFront. It is required to use https, and it needs to be accessed via a custom subdomain.
This is my S3 bucket:
These are the settings for the CloudFront:
The certificate settings look ok to me:
And finally my DNS record is like this:
CNAME: "static" -> "d1fd407fp9coo4.cloudfront.net."
edit: using my default domain provider for DNS, not Route 53.
The aim is to have the resource available at static.dmaglobal.com/logo-frontpage.png via https. It loads fine without (http://static.dmaglobal.com/logo-frontpage.png), but the https-version (https://static.dmaglobal.com/logo-frontpage.png) gives an SSL-error stating the current certificate is for *.s3.eu-west-2.amazonaws.com instead of *.dmaglobal.com. I do not understand where this mismatch comes from, as it seems like the current certificate is correctly set up for our custom domain.
Anyone able to give some pointers on how to proceed from here with this issue?

As you have noticed, your DNS record still resolves to S3.
Instead of a CNAME, you should create an ALIAS record to the CloudFront distribution. In the static record, pick the A record type, check Yes for Alias and pick the CloudFront distribution from the dropdown.
The reason for this: ALIAS records are free of charge and they resolve faster.
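As an added illustration (not code from the thread), a small lint over Route 53 record sets that flags the pitfalls raised in this answer: a CNAME at the zone apex, an alias to CloudFront without the fixed CloudFront hosted zone ID, and a name that still points at an S3 endpoint, which is why the S3 certificate shows up over HTTPS. The sample records are constructed; `d1fd407fp9coo4.cloudfront.net` is the distribution from the question.

```python
# Added example, not from the thread: a lint for Route 53 record sets that flags
# the pitfalls discussed above. All records below are constructed samples.
CLOUDFRONT_ALIAS_ZONE = "Z2FDTNDATAQYW2"  # fixed hosted zone ID AWS documents for CloudFront aliases


def lint_record(zone: str, rec: dict) -> list:
    """Return the problems found in one Route 53 record set (empty list = looks fine)."""
    problems = []
    name = rec["Name"].rstrip(".").lower()
    rtype = rec["Type"]
    apex = name == zone.rstrip(".").lower()
    alias = rec.get("AliasTarget")
    if alias:
        target = alias["DNSName"].rstrip(".").lower()
        if rtype != "A":
            problems.append("an alias to CloudFront should be an A record")
        if target.endswith(".cloudfront.net") and alias.get("HostedZoneId") != CLOUDFRONT_ALIAS_ZONE:
            problems.append("CloudFront alias must use HostedZoneId " + CLOUDFRONT_ALIAS_ZONE)
        if ".s3-website" in target or ".s3." in target:
            problems.append("alias goes straight to S3; HTTPS on a custom name needs CloudFront in front")
        return problems
    values = [r["Value"].rstrip(".").lower() for r in rec.get("ResourceRecords", [])]
    if rtype == "CNAME" and apex:
        problems.append("CNAME is not allowed at the zone apex; use an A record with Alias")
    if rtype == "CNAME" and any(v.endswith(".amazonaws.com") and ".s3" in v for v in values):
        problems.append("CNAME targets S3; its *.s3 certificate will not match " + name + " over HTTPS")
    if rtype == "A" and values:
        problems.append("A record with a literal IP; AWS endpoints change, use a CNAME or alias")
    return problems


def lint_zone(zone: str, records: list) -> dict:
    """Lint every record set; keyed by (name, type) so a before/after pair can coexist."""
    return {(r["Name"], r["Type"]): lint_record(zone, r) for r in records}


# Constructed samples: a CNAME still pointing at an S3 endpoint (the pre-fix state
# described in the question) and the alias record this answer recommends instead.
ZONE = "dmaglobal.com"
BEFORE = {"Name": "static.dmaglobal.com.", "Type": "CNAME",
          "ResourceRecords": [{"Value": "static.dmaglobal.com.s3.eu-west-2.amazonaws.com."}]}
AFTER = {"Name": "static.dmaglobal.com.", "Type": "A",
         "AliasTarget": {"HostedZoneId": CLOUDFRONT_ALIAS_ZONE,
                         "DNSName": "d1fd407fp9coo4.cloudfront.net.",
                         "EvaluateTargetHealth": False}}

if __name__ == "__main__":
    for key, issues in lint_zone(ZONE, [BEFORE, AFTER]).items():
        print(key, issues or "ok")
```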

To answer my own question: In the end, it was the proper CNAME value that had not propagated properly yet (as it was initially pointing to S3 before I was aware that CloudFront was required for SSL). As soon as it was, the settings in the OP worked perfectly.

Related

Domain cannot resolve AWS Cloudfront distribution

I have a React website which I would like to host on AWS CloudFront with a custom domain.
I created an S3 bucket with the option for static content hosting and I created a CloudFront distribution.
I can open the CloudFront distribution using the distribution domain name d1srvdzuzxvion.cloudfront.net
I created a hosted zone and I added DNS records
But again, when I open the domain in my browser it's not working. Can you advise what might be wrong?
The NS records you show above do not actually match what a DNS lookup is returning:
NS-1337.AWSDNS-39.ORG
NS-1871.AWSDNS-41.CO.UK
NS-245.AWSDNS-30.COM
NS-842.AWSDNS-41.NET
https://whois.domaintools.com/hireya.org
You are going to need to figure out that one first.
Looks like you enabled DNSSEC but did not configure it properly. Whois returns DNSSEC: unsigned.
This tool reports no DS records found: https://dnssec-analyzer.verisignlabs.com/hireya.org. You either need to configure these records or disable DNSSEC.
More info https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html

HTTPS connections to cloudfront / S3 using godaddy domain

I'm following the serverless-stack guide and have a website hosted in an Amazon S3 bucket. I purchased a domain using GoDaddy and I have set up CloudFront to work with this bucket, then have used AWS Certificate Manager to generate SSL certificates for my domain (both www.my_domain.com and my_domain.com).
In GoDaddy I then configured DNS forwarding to point to my CloudFront resource.
This all works nicely, and if I go to my_domain.com in a browser then I see my website.
However, I can't get SSL working. If I go to the https:// version of my website then I see a "Not secure" error in the Chrome address bar which shows a certificate pointing to shortener.secureserver.net rather than my own website.
Could someone point me at a way around this? Looking through S.E. and using Google it seems that Amazon's Route 53 might be able to help, but I can't figure out how to do this.
Thanks!
(edit) To make things more clear, this is what I see in Chrome if I connect to https://my_website.com or to https://www.my_website.com
The warning message:
The certificate details:
What I do not understand is why, after configuring an AWS certificate for my domain, I see a certificate for shortner.secureserver.com rather than a certificate for my_website.com.
GoDaddy has problems and does not redirect to https. There are two ways: the first is to change domain registrar, and the second is the easiest, which is: create a hosted zone on AWS Route 53 with your domain name.
Create 2 type A records, one for the root (of your domain) and one for www, that point to your CloudFront. Route 53 allows you to create a type A record without having an IP, because it directly points to a CloudFront instance that you indicate; that's the best.
Then in GoDaddy it gives you the option to change name servers. Take the ones assigned by AWS in the hosted zone, in the record that says NS, and put those 4 in GoDaddy, replacing the ones that were there.
Note: SAVE THE NAME SERVERS THAT YOU HAVE IN GODADDY BEFORE REPLACING THEM, IN CASE YOU HAVE ANY PROBLEM, YOU CAN REPLACE THEM AGAIN
You have to wait at least a few hours until all the name servers are updated; you can use the who.is page to see if the DNS has already been updated with those of AWS.
It turns out that this is not possible with GoDaddy. If anyone else reading this has a similar problem, only current solution is to cancel your domain registration and register with someone else.
(edit) As #aavrug mentions in their comment, Amazon now have a guide for this.
When you define your CloudFront distribution you can define which protocols you want to use, and you can choose HTTPS only. In this case HTTP requests will be automatically redirected to HTTPS. Have in mind CloudFront changes may take a while to be replicated and your browser caches it as well, so the best way is to make a change, wait for the deployment and then check it in a new incognito browser.
It goes without saying that your certificate must be valid and verified as well.
It might be something wrong with your certificate or with your domain.
If you are serving your content over HTTPS you must provide an SSL certificate in CloudFront. Have you done that?
Have you added your domain on Alternative Domain Names (CNAMEs)?
Please have a look at the image below:
-> AWS provides free SSL certificates to be used with CloudFront, so you might want to use it (easier than importing your SSL from GoDaddy).
You can create a free SSL certificate on AWS and easily attach it to your CloudFront distribution.
-> You can also transfer your domains to AWS Route 53. It is easy to integrate with any AWS service and easy to use/maintain :)
I wrote a complete guide on my blog telling how you can add a custom SSL certificate and attach a custom domain to a CloudFront distribution; it might be useful :)
https://lucasfsantos.com/posts/deploy-react-angular-cloudfront/

Amazon S3 static website with custom domain showing 'IP Address not found'

I have recently set up a static website using an AWS S3 bucket (scottreganchimneysweeping.co.uk). I have provisioned an SSL certificate through AWS, changed nameservers with my registrar to AWS Route 53, created a hosted zone with Route 53 and also a CDN using CloudFront.
However, when I type the URL into Chrome, it loads for ages and then brings up a 403 error, IP address not found.
In Route 53, I have created an A record with the alias for the CloudFront CDN, as well as the CNAME record for the SSL certificate and the default NS and SOA records. I'm not sure what exactly is causing the issue here, but I am a total beginner with hosting and DNS etc., so I desperately need help to get this website live.
Could anybody suggest where I have gone wrong here or possibly diagnose using the domain name above?
Thanks in advance!
403 means that the requester does not have permissions to take the action requested. You may need to either set the ACL of the bucket to public read, or the ACL of the items you want to be public read.
When a bucket is not set to be publicly readable, even if it is set up as a static site already, all missing pages will show up as a 403 response, so another possibility is that the default path is not set to the correct file, e.g. default pointing to index.html whereas you have main.html in your bucket at the root.

Routing example.at to S3 bucket and *.example.at to load balancer with HTTPS

I have set up a multi-tenant application which should be available to clients via a subdomain (e.g. https://client1.example.at). Requests to *.example.at are routed to a load balancer via Route 53. The load balancer has an AWS signed wildcard certificate (e.g. supporting example.at and *.example.at). From this side, everything is working as expected and I can access https://client1.example.at, https://client2.example.at, etc.
Based on this setup, I wanted to route specific requests without subdomain (except www) such as https://www.example.at or https://example.at to a bucket (which is also named www.example.com) and not to the load balancer (I just want to serve a static site for requests to the "main domain"). It works, but I can only access www.example.at and example.at without using HTTPS. My setup can be seen below:
I then found out that I have to use CloudFront in order to use HTTPS for a custom domain with S3 buckets (if that is correct?). Now I have a few questions:
Is it necessary to use Cloudfront to serve content from my S3 bucket for www.example.at and example.at via HTTPS?
If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup?
Is it ok to use *.example.at as A type record with alias to the load balancer at all?
Generally speaking, is my Route 53 setup valid at all?
I wanted to route specific request without subdomain (except www) such as https://www.example.com or https://example.com to a bucket (which is also named www.example.com)
Each of those "domains" must route to a different bucket. Unless you are using a proxy (which rewrites the hostname passed from the browser) in front of S3, the domain name must match the bucket name. If they don't, then your requests are going to a bucket matching the DNS name you routed from; the routing has nothing to do with the hostname of the S3 bucket endpoint.
In other words, let's say your hostname was www.example.com, and you set the CNAME to example.com.s3.amazonaws.com (or you could use the website endpoint; it doesn't matter for this example).
When a request hits the DNS name www.example.com it is then sent to the S3 server which is behind the S3 hostname. That request from the browser is for hostname "www.example.com"; the actual CNAME referenced, which pointed to the S3 endpoint, is irrelevant because S3 never knows what CNAME was used by your browser to connect to S3. So S3 will attempt to pull the requested object from the www.example.com bucket.
URL -> S3 Bucket
https://www.example.com -> s3://www.example.com
https://example.com -> s3://example.com
It works but I can only access www.example.at and example.at without using HTTPS.
CNAME DNS routing like this when using SSL to an S3 bucket does not work. The reason for this is that the S3 wildcard certificates are 1 level deep (*.s3.amazonaws.com), so your bucket www.example.com.s3.amazonaws.com will fail to match it because it has 2 extra levels above the wildcard. So your browser rejects the certificate as invalid for the hostname.
To accomplish this you must use a proxy of some sort in front of S3 with your own certificates for the domain in question.
Is it necessary to use Cloudfront to serve content from my S3 bucket for www.example.at and example.at via HTTPS?
CloudFront is an excellent option for addressing the HTTPS with CNAME routed DNS to an S3 bucket issue we just mentioned.
If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup?
I can't answer that one, I can only suggest you try and find out what happens. If it doesn't work then it's not an option. It shouldn't take much time to figure this one out.
Is it ok to use *.example.at as A type record with alias to the load balancer at all?
To clarify, an A record can only ever be an IP address; an A Alias is similar to a CNAME (but is Route 53 specific).
I highly recommend CNAMEs (or ALIASes, they are similar). Pointing directly at one of S3's A records is a bad idea because you don't know if or when that IP will be removed from service. By referencing the hostname with a CNAME/ALIAS you don't have to worry about that. Unless you can be 100% sure that the IP will remain available, you shouldn't reference it.
Generally speaking, is my Route 53 setup valid at all?
I don't see any issues with it; based on what you described it sounds like things are working as expected.
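The wildcard rule from this answer, and the *.s3.eu-west-2.amazonaws.com versus *.dmaglobal.com mismatch from the first thread, come down to how a browser matches a hostname against certificate names. The added example below (not code from the thread) implements the RFC 6125 rule that a wildcard covers exactly one left-most label, so a practitioner can check a hostname against a certificate's names offline; partial wildcards and internationalised names are deliberately left out.

```python
# Added example, not from the thread: RFC 6125-style hostname matching, simplified to
# whole-label wildcards, which is enough to explain the mismatches discussed above.


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if cert_name (e.g. '*.example.com' or 'example.com') covers hostname."""
    cn = cert_name.lower().rstrip(".")
    hn = hostname.lower().rstrip(".")
    if "*" not in cn:
        return cn == hn                      # exact match only
    cn_labels = cn.split(".")
    hn_labels = hn.split(".")
    # The wildcard must be the whole left-most label, must not sit in the TLD or
    # the registrable domain, and stands in for exactly one label: label counts
    # must be equal, so www.example.com.s3.amazonaws.com (6 labels) can never be
    # covered by *.s3.amazonaws.com (4 labels).
    if cn_labels[0] != "*" or len(cn_labels) < 3:
        return False
    if len(cn_labels) != len(hn_labels):
        return False
    return cn_labels[1:] == hn_labels[1:]


def explain(hostname: str, cert_names: list) -> str:
    """Human-readable verdict for a hostname against a certificate's subject names."""
    covered = [n for n in cert_names if name_matches(n, hostname)]
    if covered:
        return hostname + ": covered by " + covered[0]
    return hostname + ": NOT covered by " + ", ".join(cert_names) + " (browser reports a name mismatch)"


if __name__ == "__main__":
    # Constructed cases mirroring the threads on this page.
    print(explain("static.dmaglobal.com", ["*.s3.eu-west-2.amazonaws.com"]))   # DNS still at S3
    print(explain("static.dmaglobal.com", ["*.dmaglobal.com"]))                 # CloudFront with ACM cert
    print(explain("www.example.com.s3.amazonaws.com", ["*.s3.amazonaws.com"]))  # dotted bucket name
    print(explain("example.at", ["*.example.at"]))                              # apex needs its own SAN
```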
If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup?
As suggested by #JoshuaBriefman I simply tried to create another certificate for the same domain in another region now and it worked. I could also use the certificate for the CloudFront distribution (additional certificate was created in US EAST) and all works now without any problems so far.

Static site on S3, DNS in Route53, error on CNAME

I am moving several sites to S3 to host them as static sites and have moved DNS here as well. I followed the AWS guide step by step, but continually get an error on the CNAME setup for WWW. Here is my setup:
Created bucket jeremyandlauren.com and set up static hosting and permissions.
Endpoint is now jeremyandlauren.com.s3-website-us-west-2.amazonaws.com and this works fine.
Pointed nameservers for this domain to Route 53.
Created an A record pointing to the Alias Target jeremyandlauren.com.s3-website-us-west-2.amazonaws.com.
Created a CNAME pointing www to jeremyandlauren.com.s3-website-us-west-2.amazonaws.com.
Now when you hit the URL either with or without www you get:
Code: NoSuchBucket
Message: The specified bucket does not exist
BucketName: www.jeremyandlauren.com
Does anyone have any ideas how to fix this? I have tried a couple options for the CNAME, but nothing seems to take.
Thanks in advance.
It looks like jeremyandlauren.com works; however, www.jeremyandlauren.com does not work. The reason you are probably running into this is that your DNS name needs to match your bucket name. You probably do not have a bucket with the name www.jeremyandlauren.com. There are two easy ways to fix this.
Create a bucket www.jeremyandlauren.com and redirect it to jeremyandlauren.com. (More info here: http://aws.amazon.com/about-aws/whats-new/2012/10/04/web-page-redirects-on-amazon-s3-hosted-websites/)
Create a CloudFront distribution with the origin of jeremyandlauren.com.s3-website-us-west-2.amazonaws.com. Add www.jeremyandlauren.com & jeremyandlauren.com as a CNAME. Update DNS for www.jeremyandlauren.com & jeremyandlauren.com to be an A type alias to your CloudFront Distribution.
Keep both www.jeremyandlauren.com & jeremyandlauren.com buckets in sync with the same data.
It's working fine for me, both with and without the 'www'. If it's not working for you, it may be because your DNS is cached locally, or the propagation has just not made it to your servers yet; give it time.
If you are using Chrome you can try clearing your local DNS cache:
Navigate to chrome://net-internals/#dns and press the "Clear host cache" button.