I am attempting to use Cloudfront to serve an S3 bucket over HTTPS using an "Alternate Domain Name", but I am getting this error when I load the site in a browser:
NET::ERR_CERT_COMMON_NAME_INVALID
This server could not prove that it is example.com; its security
certificate is from *.cloudfront.net. This may be caused by a
misconfiguration or an attacker intercepting your connection.
This error makes sense, but from what I understand Cloudfront should somehow be able to use the default cert to work with "Alternate Domain Names" as long as the client supports SNI. Here are the AWS docs about it:
Am I misunderstanding something?
Basically, I just want to be able to have HTTPS through Cloudfront without having to pay the $600/month that AWS charges for the dedicated IP certs.
Best Answer
@ceejayoz was correct about using ACM (Amazon Certificate Manager) to make this work. Anyway, I have HTTPS working now, so here is a full answer to help others (and my future forgetful self).
Here are the steps to set up HTTPS using SNI:
Just for clarity, here is some useful pricing info I found:
I looked through the fine print on the Cloudfront pricing page and discovered some more useful documentation: https://aws.amazon.com/cloudfront/custom-ssl-domains/
The important line under "SNI Custom SSL" is:
"There is no separate pricing for this feature. You can use SNI Custom SSL with no upfront or monthly fees for certificate management; you simply pay normal Amazon CloudFront rates for data transfer and HTTPS requests."
Here are some confusing directions from the horse's mouth:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html
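To make the misconfiguration in the question concrete, here is an added example (not code from the question, the answer, or AWS) that checks a CloudFront DistributionConfig for the exact mismatch that produces NET::ERR_CERT_COMMON_NAME_INVALID: alternate domain names configured while the distribution still presents the default *.cloudfront.net certificate, a certificate outside us-east-1 (the only region CloudFront accepts ACM certificates from), or a missing/dedicated-IP SSLSupportMethod. The field names follow the real DistributionConfig schema (Aliases, ViewerCertificate, CloudFrontDefaultCertificate, ACMCertificateArn, SSLSupportMethod); the two sample configs and the certificate ARN are constructed placeholders. A second function probes a live hostname with SNI and hostname verification the way a browser does, so you can confirm the fix after deployment (it needs network access).

```python
"""Check a CloudFront DistributionConfig for the alias / certificate mismatch
that makes browsers report NET::ERR_CERT_COMMON_NAME_INVALID.

Added example, not code from the original question or answer. Field names
follow the CloudFront DistributionConfig API; sample values are constructed.
"""
import socket
import ssl

# CloudFront only accepts ACM certificates issued in this region.
ACM_REGION_FOR_CLOUDFRONT = "us-east-1"


def check_viewer_certificate(config: dict) -> list:
    """Return a list of findings; an empty list means the config looks right."""
    findings = []
    aliases = config.get("Aliases", {}).get("Items", [])
    vc = config.get("ViewerCertificate", {})

    # Without alternate domain names the default *.cloudfront.net cert is fine.
    if not aliases:
        return findings

    # Aliases present but no custom certificate: this is the question's error.
    if vc.get("CloudFrontDefaultCertificate", False) or not (
        vc.get("ACMCertificateArn") or vc.get("IAMCertificateId")
    ):
        findings.append(
            "aliases configured but ViewerCertificate uses the default "
            "*.cloudfront.net certificate: browsers will report "
            "NET::ERR_CERT_COMMON_NAME_INVALID for " + ", ".join(aliases)
        )

    # ARN layout: arn:aws:acm:<region>:<account>:certificate/<id>
    arn = vc.get("ACMCertificateArn")
    if arn:
        parts = arn.split(":")
        if len(parts) < 6 or parts[2] != "acm":
            findings.append("ACMCertificateArn is not an ACM certificate ARN: " + arn)
        elif parts[3] != ACM_REGION_FOR_CLOUDFRONT:
            findings.append(
                "ACM certificate is in %s; CloudFront requires %s"
                % (parts[3], ACM_REGION_FOR_CLOUDFRONT)
            )

    # 'sni-only' is the no-extra-cost method; 'vip' is the dedicated-IP option.
    method = vc.get("SSLSupportMethod")
    if method == "vip":
        findings.append(
            "SSLSupportMethod is 'vip' (dedicated IP, billed separately); "
            "'sni-only' has no separate charge"
        )
    elif method is None:
        findings.append("SSLSupportMethod not set; use 'sni-only' for SNI Custom SSL")

    return findings


def probe_tls(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with SNI and hostname verification, as a browser does.

    Returns 'ok: <tls version>' or the verification error text. Needs network
    access, so it is a post-deployment check rather than part of the tests.
    """
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return "ok: " + tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "cert verification failed: " + str(exc)


# Constructed sample: what the question's distribution effectively looked like.
BROKEN_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["example.com"]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
}

# Constructed sample: the ACM + SNI setup the answer arrives at (placeholder ARN).
FIXED_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["example.com"]},
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": False,
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-CERT-ID",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    },
}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_viewer_certificate(cfg) or "OK")
```

Run it against the output of `aws cloudfront get-distribution-config` (the `DistributionConfig` object) before and after attaching the ACM certificate; the broken config yields the NET::ERR_CERT_COMMON_NAME_INVALID finding and the fixed one yields nothing. `probe_tls("example.com")` afterwards should return `ok: TLSv1.3` (or `ok: TLSv1.2`) rather than a verification failure.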