AamirR

Reputation: 12208

A custom sub-domain via AWS CloudFront fails over HTTPS on S3 website, but works fine over HTTP

I created a Let's Encrypt wildcard certificate for *.example.cz on an Amazon Linux EC2 instance using Certbot. The certificate is attached to the nginx web server on EC2, and the website works fine over both HTTP and HTTPS. There are a couple of DNS records, www.example.cz and *.example.cz, of type A with the EC2 IP address.

Then, to point a subdomain cdn.example.cz to an S3 static website bucket:

  1. I imported the same wildcard SSL certificate from EC2 to AWS Certificate Manager.
  2. Created a CloudFront distribution with the imported SSL Certificate.
  3. Created a CNAME record cdn.example.cz and pointed it to the S3 bucket's URL.

When I request an object from S3 using http://cdn.example.cz/object.jpg it works, but the request over HTTPS stays busy until it reaches the timeout.

I tried setting CloudFront's Alternate domain names to cdn.example.cz, and also tried www.example.cz and example.cz. None worked.

[Screenshot: AWS Certificate Manager]

[Screenshot: CloudFront Distribution]

[Screenshot: CloudFront Distribution Origins]

Upvotes: 0

Views: 328

Answers (1)

AamirR

Reputation: 12208

The CNAME record had to be pointed to the CloudFront distribution domain name xxxxxxx..cloudfront.net

I'm not sure about this, but I also removed eu-south-1 from the Origin domain name, so it's now cdn.example.cz.s3.amazonaws.com

Once I updated the CloudFront distribution, I had to wait a few hours for the change to propagate properly (as it was initially pointing to S3 before I was aware that CloudFront was required for SSL). As soon as it had, these settings worked perfectly.

Upvotes: 0
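An offline check for the misconfiguration this answer fixed, added here as an example and not part of the original post: it flags a CNAME that targets S3 instead of CloudFront, and a certificate or alternate-domain-name list that does not cover the hostname. The function names, the S3 endpoint patterns and the sample CloudFront domain are assumptions constructed for illustration; wildcard matching is simplified to a whole leftmost label.

```python
import re

# Assumed endpoint shapes: S3 website endpoints (HTTP only) and S3 REST endpoints.
S3_WEBSITE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
S3_REST = re.compile(r"\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$")


def name_covers(hostname, names):
    """True if any name matches hostname; a leading '*' spans exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue  # *.example.cz covers neither example.cz nor a.b.example.cz
        if pattern[1:] == host[1:] and pattern[0] in ("*", host[0]):
            return True
    return False


def diagnose(hostname, cname_target, cert_names, aliases):
    """Return the problems that would break HTTPS for hostname (empty list = OK)."""
    target = cname_target.lower().rstrip(".")
    problems = []
    if S3_WEBSITE.search(target):
        problems.append("CNAME points at an S3 website endpoint (HTTP only)")
    elif S3_REST.search(target):
        problems.append("CNAME points at S3, which cannot present the custom certificate")
    elif not target.endswith(".cloudfront.net"):
        problems.append("CNAME does not point at a CloudFront distribution")
    if not name_covers(hostname, aliases):
        problems.append("hostname is not an alternate domain name of the distribution")
    if not name_covers(hostname, cert_names):
        problems.append("certificate does not cover hostname")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the question's setup, then the corrected setup.
    cert = ["*.example.cz"]
    before = "cdn.example.cz.s3-website.eu-south-1.amazonaws.com"
    after = "d111111abcdef8.cloudfront.net"  # placeholder distribution domain
    print(diagnose("cdn.example.cz", before, cert, ["cdn.example.cz"]))
    print(diagnose("cdn.example.cz", after, cert, ["cdn.example.cz"]))
    print(diagnose("example.cz", after, cert, ["example.cz"]))
```

The CNAME target to feed in can be read with `dig +short CNAME cdn.example.cz`.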
