Amazon AWS SSL Problems - amazon-web-services

I'm currently hosting an S3 bucket with a static website, and I'm using an SSL certificate via Certificate Manager that covers *.domain.com. Visiting the site www.domain.com results in a secure website; however, simply going to domain.com does not, even though the A record for domain.com points to www.domain.com through Route 53. The specific error message states that the site can't provide a secure connection. My question is: is the DNS not set up correctly to point domain.com to www.domain.com, or is it because the SSL certificate is only for *.domain.com and not domain.com?
Secure: https://www.adambarlowlaw.com/
Insecure: https://adambarlowlaw.com/

Pointing domain.com to www.domain.com just has the effect of two separate records that both end up pointing to the same IP address. Lots of people mistake this sort of DNS pointer as a browser redirect, but that is not the case.
You are focusing on the DNS setup, but it is the SSL certificate that is incorrect. Since the server has both domain.com and www.domain.com pointing at it, the server needs to be able to serve both of those domains. You have configured the SSL certificate to work for *.domain.com but not domain.com.
When you request an SSL certificate, you need to request two domains: domain.com and *.domain.com.
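The name-matching rule behind the answer above, as an added example that is not part of the original post: a wildcard certificate name stands for exactly one left-most label, so *.domain.com covers www.domain.com but not domain.com. The function names and the sample name lists are assumptions constructed for illustration.

```python
# Added example: RFC 6125-style matching of a hostname against certificate names.
# The name lists and hostnames below are constructed sample data, not values
# read from a real certificate.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (exact or '*.' wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*":
        # No wildcard: the names must be identical (case-insensitively).
        return pattern == hostname
    # A wildcard stands for exactly one left-most label, so the label counts
    # must be equal: '*.domain.com' (3 labels) never matches 'domain.com' (2).
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered(cert_names, served_hostnames):
    """Hostnames pointed at the endpoint that no certificate name covers."""
    return [h for h in served_hostnames
            if not any(name_matches(p, h) for p in cert_names)]


if __name__ == "__main__":
    served = ["domain.com", "www.domain.com"]  # both DNS records reach the same endpoint
    print("wildcard only:", uncovered(["*.domain.com"], served))
    print("apex + wildcard:", uncovered(["domain.com", "*.domain.com"], served))
```

Running the same check over every hostname that has a DNS record pointing at the endpoint shows which names will fail the TLS handshake before a browser does.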

Related

Domain Name without "www" does not work for CloudFront

I have
An AWS S3 bucket as a static site
A CloudFront distribution with ACM SSL certs
A Name.com domain name
A Heroku web app
I successfully have www.domain.com pointing to my abc123.cloudfront.net website. I also have api.domain.com successfully pointing towards my heroku app. I used ACM to generate a certificate for www.domain.com and Heroku handles its own SSL stuff as well.
That's pretty good, but just to be anal, I want domain.com to also point to my CF address. However it does not. This is how I set up my CF and DNS and wonder if anyone has any ideas. I've gone through about 20 SO questions and articles with no luck. Also Name.com URL forward does not seem to work.
DNS Settings
CloudFront Settings
Based on the comments.
Currently, only the www.domain.com record is used to direct connections to the CloudFront (CF) distro. To direct domain.com, a new record should be created in Name.com DNS which also points to the CF distro.
In addition to these, the CNAME in CF as well as the SSL certificate should also include domain.com.

Redirecting from example.com to www.example.com with AWS Cloudfront and S3

I currently have my website running at https://www.example.com. I did this by creating an S3 bucket hosting the site called www.example.com, then I created a Cloudfront instance to add SSL.
I then created a CNAME in Godaddy which points to the Cloudfront URL.
If I visit http://example.com, GoDaddy correctly redirects to http://www.example.com, which Cloudfront correctly redirects to https://www.example.com.
HOWEVER, if I visit https://example.com, I get a blank page. How can I make the SSL naked domain redirect to www?
Proved myself wrong in rereading your question:
“Unfortunately, our forwarding servers don't accept HTTPS requests. This is why your forward isn't working. Traffic coming into the forwarding server using the HTTPS protocol won't resolve. The only way you'd be able to set this up is to have the domain hosted on a server where it has an SSL Certificate installed. You could then set up a redirect to point traffic from your old domain to your new one.”
https://www.godaddy.com/community/SSL-And-Security/Forwarding-works-as-long-as-URL-does-not-contain-https/td-p/44951
You should probably just move the domain to Route 53.

Amazon SSL certificate

I am trying to assign an SSL certificate to my domain. I have created a www.domain.com certificate and assigned it to my Elastic Beanstalk environment, and it works really well: I can see a little green lock next to my domain if I access it with https://www.domain.com or www.domain.com. The problem is that when I try to access it by domain.com, the lock is gone. Can anyone suggest what I should do in this case?
You have to get a new certificate for both the www and non-www domains. When you request the certificate there is an option for this; check the screenshot below. Then you force HTTPS on the application, and your site will be served through the SSL certificate for both domains, www and non-www.

Cloudfront, ELB and SSL

If I use CloudFront to sit in front of a webserver, which itself is behind an ELB, would the following apply?
I use Route53 to create a domain name record for the CF domain and apply an SSL certificate to that domain to secure the distribution
If CF cannot serve the content from the cache then the SSL connection is forwarded to the ELB (which fronts the webserver as an origin server)
Therefore I also need to use the same domain name (FQDN) on the ELB (via Route53 CNAME) and apply the same cert there too?
When CF forwards the request through the ELB the SSL is terminated
Is that right? Will one FQDN cert suffice, or is it better to use a wildcard? Is it better to use the origin server domain name instead?
As I can now use the new AWS certificate manager tool (ACM) to add these certs, does anyone know if CF still requires the cost for use of a custom SSL cert if using ACM (which makes CF an expensive AWS service)?
If CF cannot serve the content from the cache then the SSL connection is forwarded to the ELB (which fronts the webserver as an origin server)
The SSL connection is not "forwarded". A new SSL connection is established between CloudFront and the ELB.
The SSL connection between the user and CloudFront is a completely different connection from the one between CloudFront and the ELB. Therefore, there are no requirements on matching the domain names used on the ELB and CloudFront.
Therefore I also need to use the same domain name (FQDN) on the ELB (via Route53 CNAME) and apply the same cert there too?
The only restriction is that the SSL certificate on the ELB must match the domain name used on the ELB. It can be a different SSL cert and domain name than those used on CloudFront.
If you want to use the "Custom SSL" feature and support "All Clients", not just those that support SNI, then yes, you must still pay the extra charges, even if you are using ACM.
Example 1
You can create Route 53 records for www.domain.com and origin.domain.com and an SSL cert for *.domain.com. From these, you would assign www.domain.com to the CloudFront distribution, origin.domain.com to your ELB, and use the wildcard cert on both.
Example 2
You can create Route 53 records for www.domain.com and origin.domain.com and separate SSL certs for www.domain.com and origin.domain.com. From these, you would assign www.domain.com to the CloudFront distribution using the www.domain.com cert, and origin.domain.com to your ELB using the origin.domain.com cert.
Example 3
You can create Route 53 records for www.domain1.com and origin.domain2.com and separate SSL certs for www.domain2.com and origin.domain2.com. From these, you would assign www.domain2.com to the CloudFront distribution using the www.domain2.com cert, and origin.domain2.com to your ELB using the origin.domain2.com cert.

Direct traffic from domain.org to domain.com

I am hosting my website on Amazon Web Services. I use a Beanstalk application and have an A record that directs the address www.domain.com to the Beanstalk. I also have the same domain but with a .org at the end. I also created an A record that points domain.org to the same Beanstalk application. This works. The problem is that I will buy an SSL certificate for domain.com and therefore I need the user to be directed to domain.com when he/she enters domain.org. I tried adding a CNAME record for the domain.org address with the value domain.com. The result is that the user ends up on the correct page but the address in the URL bar is domain.org, which might cause a problem since the certificate is for domain.com.
DNS cannot do any redirection. That's purely HTTP-level material. You would need to configure your .org vhost to do that, e.g. on Apache:
<VirtualHost *:80>
    ServerName www.domain.org
    # Trailing slash on the target: the rest of the request path is appended to it
    RedirectPermanent / http://www.domain.com/
</VirtualHost>
Your CNAME is basically pointless. All it does is point a hostname at another hostname, which causes your DNS resolver to fetch the IP of that "another host". It then uses that IP as the IP for the original name. e.g.
domain.org -> CNAME pointer -> domain.com -> a.b.c.d
which then does an HTTP request to the a.b.c.d IP with
Host: domain.org
in the HTTP request header.
You can use Amazon S3 to do this.
Create an S3 bucket called domain.org
Enable Static Web Hosting on the new bucket by choosing "Redirect all requests to another host name"
Set domain.com or www.domain.com as that other domain
If you are using Route53 for your DNS, you can create an Alias record for domain.org to point to your bucket. If you are not using Route53, then create a CNAME to your bucket's public URL.
You can easily do similar things for domain.com -> www.domain.com if you are using Route53.