You need to deploy an ALB with your own certificate applied for this to work. You wouldn’t need to buy a CA or certificate. You can point to your ALB or, if you want to direct straight to an EC2, then use something like a Let’s Encrypt cert.
Hello Theodore,
While CloudFront can accept a self-signed certificate on the origin, ensure that:
- Origin Protocol Policy: CloudFront is configured to use HTTPS to communicate with the origin if the server only listens on port 443.
- Certificate Validity: The self-signed certificate is valid, with the correct Common Name (CN) matching the domain CloudFront is using to access the origin.
- Security Groups and NACLs: The EC2 instance's security group allows inbound traffic on port 443 from CloudFront IP ranges.
- Origin SSL Protocols: CloudFront and the EC2's web server agree on the SSL protocols and ciphers. Check CloudFront's distribution settings to ensure the SSL protocol being used is supported by your EC2 instance.
The output of the openssl command suggests that the SSL handshake isn't being completed, which could mean a protocol mismatch or other SSL configuration issue. Double-check your SSL settings on both CloudFront and the EC2 instance. If necessary, consider using an SSL/TLS checker to validate the server's SSL configuration.
Let me know if I can help with anything else.
Thank you for your answer. If HTTP is allowed, then why not allow a self-signed certificate? Why would I buy a Trusted CA certificate for a domain name like ec2-that-elastic-ip.amazonaws.com? That's not even the name of the domain that I own! There is probably a good reason for this... maybe HTTPS is not the right approach for EC2.
Again my bad: it's all explained very clearly in the docs: CloudFront uses the Host header value instead if you configure it to forward the Host header, which means that the origin’s TLS certificate must contain www.example.com in its CN or SAN. CloudFront also uses those domain names as an SNI in its initial TLS handshake. You may want to utilize this fact when using an Application Load Balancer (ALB) as an origin, because you must install a TLS certificate and its CN or SAN will not validate the default ALB domain (for example, alb-1234.us-east-1.elb.amazonaws.com) but will validate your own domain (www.example.com) instead. Alternatively, you can set a DNS record, such as origin.example.com, set the origin TLS certificate to validate that domain name, and associate the DNS record to the ALB via Amazon Route53 or another domain name server.
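As an added example (not part of this thread or of AWS), here is a small Python script that reproduces the handshake described above: connect to the origin, send the forwarded Host name as SNI, require a chain that validates against public CAs, and match that name against the certificate's SAN or CN. The domain names are the ones from Gary's post; the name-matching helper and the error-code mapping are this example's own.

```python
import socket
import ssl

# Names taken from the thread: the DNS record pointing at the origin, and the
# Host header CloudFront forwards (which it also sends as SNI).
ORIGIN_HOST = "origin.example.com"
FORWARDED_HOST = "www.example.com"


def _name_match(pattern, hostname):
    """Match one certificate DNS name against hostname; leftmost '*' label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    parts = hostname.split(".", 1)
    return len(parts) == 2 and parts[1] == pattern[2:]


def cert_matches_host(cert, hostname):
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert().
    Applies the thread's rule: the name must appear in the SAN or the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_match(n, hostname) for n in names)


def check_origin(origin_host=ORIGIN_HOST, sni=FORWARDED_HOST, port=443, timeout=5):
    """Do the TLS handshake the origin must survive: public-CA chain validation
    plus hostname check against the SNI. Returns a verdict string, never raises."""
    ctx = ssl.create_default_context()  # system CA bundle, hostname check enabled
    try:
        with socket.create_connection((origin_host, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                assert cert_matches_host(cert, sni)  # already enforced by ctx
                return f"ok: {tls.version()} {tls.cipher()[0]}, cert valid for {sni}"
    except ssl.SSLCertVerificationError as e:
        # OpenSSL verify codes: 18/19 self-signed leaf or chain, 62 hostname mismatch
        return f"cert rejected: {e.verify_message} (code {e.verify_code})"
    except ssl.SSLError as e:
        return f"handshake failed: {e.reason}"  # e.g. protocol or cipher mismatch
    except OSError as e:
        return f"connect failed: {e}"  # e.g. security group not allowing port 443


if __name__ == "__main__":
    print(check_origin())
```

A self-signed origin certificate produces the "cert rejected" branch even when the CN is right, which is the documented reason CloudFront refuses it.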
I'm glad to hear it worked out! Gary's response was spot on.
My bad... AWS Documentation says... "You can’t use a self-signed certificate for HTTPS communication between CloudFront and your origin." https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html
However, this is confusing to me. Why would I buy a Trusted CA certificate for a domain name like ec2-that-elastic-ip.amazonaws.com ? That's not even the name of the domain that I own!
You have a domain you own and point a DNS record at the IP address or DNS name of the EC2. Install an SSL cert for said domain on the EC2. You do not need to buy any certs related to the AWS domain. Then point CloudFront to the DNS name you just created.