Reputation: 4900
CloudFront distribution and AWS issued certificate gives SSL_ERROR_NO_CYPHER_OVERLAP
I can't get the Internet <-> CloudFront <-> S3 Bucket working, using an AWS certificate. This is what I did:
- Created a certificate, a wildcard one, like:
*.mydomain.example. - Created a S3 bucket, no fiddeling with properties.
- Creating a CloudFront distribution, using the created S3 bucket URL as origin, selecting my certificate from step 1, choosing HTTP/2, HTTP/1.1, HTTP/1.0, and choosing HTTP to HTTPS redirect.
- Created an A alias in my hosted zone for the domain the certificate is issued for, pointing at my distribution URL.
After the distribution is created, my browsers all tell me this:
- Firefox: SSL_ERROR_NO_CYPHER_OVERLAP
- Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- Safari: Can't establish a secure connection.
I'm not sure if I've missed a step in the process of setting this up, I've tried fiddling with various parameters but nothing lets me through.
I read this blog post, saying that I might have forgotten adding alternate CNAMEs. This confuses me a bit, should I? In Route 53 I configured my full domain using something.mydomain.example and the certificate is a wildcard one.
Other blog posts and question answers indicates I should not, just use the A record and the CloudFront distribution URL/endpoint, as I have done.
Upvotes: 58
Views: 25260
Answers (3)
Reputation: 4900
So, in my update, I mentioned adding CNAMEs from a blog post. This was it, the second I did that, it started working.
To clarify, I did this to solve my problem:
- Edit your CloudFront distribution.
- Under the tab General, click edit.
- In the Alternate Domain Names text box, add (at least) the
something.mydomain.examplethat you have configured to this distribution's endpoint/URL in Route53. - Save your changes.
This solved it instantly for me, but remember that CloudFront configuration changes sometimes can take some time to be pushed out.
Upvotes: 115
Reputation: 11881
Weird but true:
What actually fixed the issue for me was bumping the minimum cypher version up from TLSv1 to TLSv1.1_2016 in the CF Distribution.
Here's the relevant CloudFormation snippet:
HttpVersion: "http2"
ViewerCertificate:
AcmCertificateArn: !Ref SslCertificateArn
MinimumProtocolVersion: "TLSv1.1_2016"
SslSupportMethod: sni-only
Weird because I don't understand why this change fixes anything. The browser should automatically negotiate the higher TLS version.
Upvotes: 3
Reputation: 10051
As stated by OP in an edit error caused when a CNAME entry for the apex (naked) domain, www subdomain, other subdomain or other domain(s) are not listed in the distribution.
To fix add at least one CNAME to the distribution in CloudFront.
Upvotes: 16
Related Questions
- CloudFront wasn't able to connect to the origin
- Putting AWS cloudfront in front of ec2 throws 502 error
- NET::ERR_CERT_COMMON_NAME_INVALID with Cloud front
- aws how to set up ssl certificates for cloudfront distribution, for route 53 hosted domain?
- AWS: imported SSL certificate not showing up in CloudFront
- CloudFront error when serving over HTTPS using SNI
- Problem associating CloudFront distribution with Route 53 domain
- Cloudfront serving over own SSL certificate
- Having trouble associated SSL cert with Amazon Cloudfront
- Use what Origin and ServerName for SSL certificate between CloudFront and EC2 Origin?