Nikolay Dyankov

Reputation: 7244

Subdomain on CloudFront not working (certificate not accepted)

com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 8406d8d5-65c3-11e9-afc0-65457a0a2bea)

Am I missing something? The other distribution for the top level domain is working fine with the same certificate.

Upvotes: 14

Views: 20360

Answers (4)

jfk

Reputation: 5307

If you are using serverless, try adding certificateArn as component inputs in the serverless.yml file

your-app:
  component: "@sls-next/serverless-component@latest"
  inputs:
    domain: ["app", "domain.com"] # [ sub-domain, domain ]
    certificateArn: "arn:aws:acm:us-east-1:<id>"

Reference : https://github.com/serverless-nextjs/serverless-next.js/issues/821

Upvotes: 0

In my case, I created an SSL in us-east-1 (North Virginia) but I was still facing the issue and when I checked that SSL in the ACM, it was only for subdomains I forgot to add a root domain while requesting the SSL.

So whenever you want to use an ACM make sure that the SSL certificate is for the domain and subdomains (if required).

Upvotes: 0

Nikolay Dyankov

Reputation: 7244

Figured it out.

The certificate was generated on the wrong region. Certificates that will be used on a CloudFront distribution must be generated on us-east-1 (Virginia).

Upvotes: 13

Bruno Bronosky

Reputation: 70539

Make sure that you are only trying to get the *. to match a single subdomain. See wildcard ssl on sub-subdomain

That is to say that *.example.com will match sub1.example.com and sub2.example.com, but it will not match sub2.sub1.example.com. Finally, you CANNOT request a certificate for *.*.example.com. In order to match that last case you would have to request *.sub1.example.com.

Upvotes: 25
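The three failure modes discussed in this thread (certificate issued in a region other than us-east-1, certificate that lists only subdomains and not the apex, and a wildcard expected to cover more than one label) can all be checked before calling CloudFront. The following is an added example, not code from any of the answers or from AWS: it parses the region out of a constructed ACM certificate ARN and applies the single-label wildcard rule from the answer above (`*.example.com` covers `sub1.example.com` but neither `example.com` nor `sub2.sub1.example.com`) to a list of alternate domain names. The function names, the sample ARN and the sample host names are all constructed for the example.

```python
"""Pre-flight check for a CloudFront alternate domain name (CNAME) against an ACM cert.

Constructed example. Two independent checks are modelled:
  1. the certificate must live in us-east-1 (the region is the 4th ARN field);
  2. every CNAME must be matched by a name on the certificate, where a
     wildcard covers exactly one DNS label and never the bare apex.
"""

CLOUDFRONT_CERT_REGION = "us-east-1"  # the only ACM region CloudFront accepts


def arn_region(arn: str) -> str:
    """Return the region field of an AWS ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


def cloudfront_region_ok(cert_arn: str) -> bool:
    """True only if the ACM certificate was issued in us-east-1."""
    return arn_region(cert_arn) == CLOUDFRONT_CERT_REGION


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """True if a single certificate name (plain or '*.' wildcard) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    # A wildcard stands in for exactly one leftmost label, so the host must
    # have one label more than the wildcard's suffix, and the suffix must match.
    suffix_labels = cert_name[2:].split(".")
    host_labels = hostname.split(".")
    if len(host_labels) != len(suffix_labels) + 1:
        return False
    return host_labels[0] != "" and host_labels[1:] == suffix_labels


def uncovered_cnames(cert_names, cnames):
    """Return the alternate domain names that no name on the certificate covers."""
    return [c for c in cnames
            if not any(wildcard_matches(n, c) for n in cert_names)]


if __name__ == "__main__":
    # Constructed sample values; the account id and certificate id are placeholders.
    cert_arn = "arn:aws:acm:eu-west-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
    print("region ok:", cloudfront_region_ok(cert_arn))          # False: wrong region
    # A certificate requested for the wildcard only, as in one of the answers above.
    print(uncovered_cnames(["*.example.com"],
                           ["example.com", "app.example.com", "api.app.example.com"]))
    # Apex plus wildcard covers both the root and one level of subdomain.
    print(uncovered_cnames(["example.com", "*.example.com"],
                           ["example.com", "app.example.com"]))
```

Running it prints `region ok: False`, then `['example.com', 'api.app.example.com']` (the apex is missing and the sub-subdomain needs `*.app.example.com`), then `[]`. An empty list from `uncovered_cnames` together with `cloudfront_region_ok` returning True is what CloudFront requires before it will attach the CNAME.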
