Reputation: 784
Short version: I'm getting https errors on a static website on an AWS S3 bucket set up for web hosting but not for https. It is located by a CNAME record pointing to the S3 bucket in my AWS Route 53 hosted zone, where the A record goes to a different site, which does use https.
Long version:
I have a Rails site hosted at my apex URL (idoimaging.com) on an AWS EC2 instance. I wish, independently of this, to host a blog as a static site (Jekyll) as a subdomain, blog.idoimaging.com.
To test with a simple setup, I tried making a minimal static subdomain site, hello.idoimaging.com. I made a test bucket named hello.idoimaging.com and in it I put small index.html and error.html files. I enabled website hosting in the bucket properties and added a read-all policy to the bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Public Access to All Objects",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::hello.idoimaging.com/*"
        }
    ]
}
I can visit the bucket directly at its endpoint hello.idoimaging.com.s3-website-us-east-1.amazonaws.com and I see the index.html page. All good so far.
Now I want to set a CNAME so I can visit the static site at hello.idoimaging.com. In AWS Route 53 I have a hosted zone for my idoimaging.com domain, and in that domain I created a CNAME with name 'hello.idoimaging.com' and value 'hello.idoimaging.com.s3-website-us-east-1.amazonaws.com'.
dig results look OK:
$ dig hello.idoimaging.com
...
;; QUESTION SECTION:
;hello.idoimaging.com. IN A
...
;; ANSWER SECTION:
hello.idoimaging.com. 226 IN CNAME hello.idoimaging.com.s3-website-us-east-1.amazonaws.com.
hello.idoimaging.com.s3-website-us-east-1.amazonaws.com. 60 IN CNAME s3-website-us-east-1.amazonaws.com.
s3-website-us-east-1.amazonaws.com. 3 IN A 52.216.64.90
...
;; AUTHORITY SECTION:
s3-website-us-east-1.amazonaws.com. 1778 IN NS ns-1133.awsdns-13.org.
s3-website-us-east-1.amazonaws.com. 1778 IN NS ns-1919.awsdns-47.co.uk.
s3-website-us-east-1.amazonaws.com. 1778 IN NS ns-490.awsdns-61.com.
s3-website-us-east-1.amazonaws.com. 1778 IN NS ns-661.awsdns-18.net.
Initially when I tried to visit hello.idoimaging.com I just got a timeout. I read a post somewhere about right-clicking 'Make public' on the objects in the bucket. This didn't sound right to me, as I thought that's what bucket policies are for, but when I tried it I got a change. Under Permissions I now have Grantee: Everyone and permission Open/Download, and though it's still not working, now I get an HTTPS security error instead of the timeout. So it seemed that 'Make Public' (which I've never had to use before) made a difference. Progress, I guess?
Using curl I can fetch hello.idoimaging.com and it retrieves the index.html file, no worries, even if I use --proto https. wget and any browser, however, won't.
All requests to hello.idoimaging.com now are forced to https://, which is failing with "Your connection is not private" / "This site uses HTTP Strict Transport Security (HSTS)" and various different messages on different browsers. Is this force-to-https behaviour normal? The reason I ask is that my apex site, in the nginx server, redirects http requests to https. But if I request hello.idoimaging.com, the DNS will pick up the CNAME for my S3 site, not the A record for my apex site, right? Seems they can't be related. The apex site is secured with local certificates from letsencrypt.org.
Once I get this going I want to use CloudFront, but I'm having quite enough difficulty with the S3 site for now.
It seems the problem results from requests to hello.idoimaging.com (typed just as that) being forced to https, and that is failing. Looking for advice. If there is a problem with my apex site being https and the subdomain not being https, it seems I'm going to complicate it by trying to set up https on the subdomain, because it would be using different certificates from the apex site.
All this stuff is up and live now.
Upvotes: 1
Views: 2199
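Two browser-side decisions produce the symptoms in the question: the browser upgrades http://hello.idoimaging.com to https:// on its own when it holds an HSTS policy for idoimaging.com that carries includeSubDomains, and the TLS handshake that follows then fails because whatever answers on port 443 cannot present a certificate whose subjectAltName covers hello.idoimaging.com (an S3 website endpoint does not serve HTTPS for a custom hostname at all, which is why the answer below points at CloudFront). The Python below is an added example for this thread, not the poster's code and not AWS code; it models both decisions. The header value, hostnames and SAN lists in the test cases are constructed for illustration, not values observed from idoimaging.com.

```python
# Added example (not from the thread): why a plain http:// request to a subdomain can
# end in a TLS error. Part 1 parses a Strict-Transport-Security header as a browser
# would and applies it to other hosts; part 2 does RFC 6125-style certificate name
# matching. All hostnames and header values used with these functions are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None for a header a browser would ignore: missing or non-numeric
    max-age, or a directive that appears more than once.
    """
    seen = set()
    max_age: Optional[int] = None
    include_sub = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def hsts_applies(policy: HstsPolicy, known_host: str, request_host: str) -> bool:
    """True if a policy learned from known_host forces https for request_host.

    An exact host match always applies; a subdomain (hello.idoimaging.com under
    idoimaging.com) applies only when includeSubDomains was set.
    """
    if policy.max_age == 0:  # max-age=0 tells the browser to forget the host
        return False
    kh = known_host.lower().rstrip(".")
    rh = request_host.lower().rstrip(".")
    if rh == kh:
        return True
    return policy.include_subdomains and rh.endswith("." + kh)


def browser_url(url: str, known_hosts: Dict[str, HstsPolicy]) -> str:
    """Rewrite an http:// URL to https:// when any cached HSTS policy covers its host.

    This happens before any packet is sent, so the S3 endpoint never sees the
    plain-http request the user typed.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    for known, policy in known_hosts.items():
        if hsts_applies(policy, known, host):
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def cert_covers(hostname: str, sans: Iterable[str]) -> bool:
    """RFC 6125-style check: exact match, or a wildcard in the leftmost label only.

    A wildcard never spans a dot, so '*.s3.amazonaws.com' covers
    'mybucket.s3.amazonaws.com' but not 'hello.idoimaging.com.s3.amazonaws.com'
    (a bucket name containing dots) and not 'hello.idoimaging.com'.
    """
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host) or labels[1:] != host[1:]:
            continue
        first = labels[0]
        if first == host[0] or (first == "*" and len(labels) > 2):
            return True
    return False
```

Two practical checks follow from this model: look at the apex site's response headers (curl -sI https://idoimaging.com and find Strict-Transport-Security) to see whether includeSubDomains is present, and remember that once a browser has cached such a policy, clearing the site data is needed before http:// to the subdomain is even attempted again.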
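The 'Make public' ACL versus bucket-policy confusion in the question is a good moment for a least-privilege check: static hosting needs anonymous s3:GetObject on the objects and nothing else (in particular no s3:ListBucket, which would expose the object inventory, and no write actions). The Python below is an added example, not code from the thread or from AWS; SAMPLE_POLICY is a constructed copy of the policy posted above and WIDE_POLICY is a constructed counter-example.

```python
# Added example (not from the thread): audit which actions an S3 bucket policy opens to
# anonymous callers. Only Allow statements with an anonymous Principal are considered;
# Deny, NotAction/NotResource and Condition blocks are not evaluated, so treat any hit
# as "needs review" rather than as a proven exposure.
import json
from typing import Set


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_actions(policy_json: str, bucket: str) -> Set[str]:
    """Actions granted to everyone on this bucket or its objects (lower-cased)."""
    doc = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    opened: Set[str] = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res in ("*", bucket_arn) or res.startswith(bucket_arn + "/"):
                opened.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return opened


def is_read_only_public(policy_json: str, bucket: str) -> bool:
    """The hosting-friendly outcome: anonymous callers get s3:GetObject and nothing else."""
    return public_actions(policy_json, bucket) == {"s3:getobject"}


# Constructed copy of the policy from the question above.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow Public Access to All Objects",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::hello.idoimaging.com/*",
    }],
})

# Constructed counter-example: also lets anyone list the bucket, which a static site
# does not need and which hands out the full object inventory.
WIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::hello.idoimaging.com",
                     "arn:aws:s3:::hello.idoimaging.com/*"],
    }],
})

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_POLICY), ("wide", WIDE_POLICY)):
        print(name, sorted(public_actions(doc, "hello.idoimaging.com")),
              "read-only:", is_read_only_public(doc, "hello.idoimaging.com"))
```

Note that a bucket policy is independent of object ACLs: the 'Everyone: Open/Download' grant the question describes is a second, per-object path to the same data, and an audit that reads only the policy will not see it.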
Reputation: 8830
index.html as index document? s3-website-us-east-1.amazonaws.com.
P.S. Regarding SSL, S3 does not offer SSL for websites with custom DNS; the only option would be to add CloudFront in front.
P.S. Clear your browser's cache, or try in incognito mode.
Upvotes: 1