Cloudfront alternate domains using SNI for HTTPS

Tags: amazon-cloudfront, amazon-web-services, sni

I am attempting to use Cloudfront to serve an S3 bucket over HTTPS using an "Alternate Domain Name", but I am getting this error when I load the site in a browser:

NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is example.com; its security
certificate is from *.cloudfront.net. This may be caused by a
misconfiguration or an attacker intercepting your connection.

This error makes sense, but from what I understand Cloudfront should somehow be able to use the default cert to work with "Alternate Domain Names" as long as the client supports SNI. Here are the AWS docs about it:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-https-dedicated-ip-or-sni.html#cnames-https-sni

Am I misunderstanding something?

Basically, I just want to be able to have HTTPS through Cloudfront without having to pay the $600/month that AWS charges for the dedicated IP certs.

Best Answer

@ceejayoz was correct about using ACM (Amazon Certificate Manager) to make this work. Anyway, I have HTTPS working now, so here is a full answer to help others (and my future forgetful self).

Here are the steps to set up HTTPS using SNI:

  1. Use ACM to generate a certificate for your domains (this is free)
  2. Verify your ownership of the domains (ACM tells you to do this)
  3. Go to the Cloudfront console, click your distribution, click edit on the "general" tab.
  4. Under "SSL Certificate" you should now be able to select "Custom SSL Certificate" (This is disabled if you have not generated a cert)
  5. Select your cert from the drop-down box.
  6. Under "Custom SSL Client Support" make sure "Only Clients that Support Server Name Indication (SNI)" is selected. (Otherwise you will be charged an ungodly amount of money)
  7. Save your changes, and all should be peachy.

Just for clarity, here is some useful pricing info I found:

I looked through the fine print on the Cloudfront pricing page and discovered some more useful documentation: https://aws.amazon.com/cloudfront/custom-ssl-domains/

The important line under "SNI Custom SSL" is:

"There is no separate pricing for this feature. You can use SNI Custom SSL with no upfront or monthly fees for certificate management; you simply pay normal Amazon CloudFront rates for data transfer and HTTPS requests."

Here are some confusing directions from the horse's mouth:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html
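The steps in the answer map onto a handful of fields in the CloudFront distribution config, which is what you would check if the browser error comes back after a later change. The following audit script is an added example, not code from the question, the answer or AWS; it reads the `ViewerCertificate` and `Aliases` blocks as the CloudFront API returns them (those field names are real), and checks them against the recipe above: a custom ACM certificate instead of the default `*.cloudfront.net` one, `sni-only` rather than the dedicated-IP methods that carry the surcharge, a non-legacy minimum TLS version, and every alternate domain name actually covered by the certificate's subject alternative names. The ARN, domain names and SAN lists are constructed placeholders; fetching the real config (`aws cloudfront get-distribution-config`) and the certificate's SANs (`aws acm describe-certificate`, in us-east-1, which is where CloudFront certificates must live) is assumed to happen outside the script.

```python
"""Audit a CloudFront DistributionConfig for the SNI custom-certificate setup.

Added example, not part of the original Q&A. Field names follow the
CloudFront API; the ARNs, hostnames and SAN lists below are constructed.
"""

SNI_ONLY = "sni-only"
# SSLSupportMethod values that allocate a dedicated IP and are billed separately.
DEDICATED_IP_METHODS = {"vip", "static-ip"}
# MinimumProtocolVersion values that still admit TLS 1.0 / 1.1 clients.
LEGACY_MIN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}


def hostname_covered(hostname: str, sans: list[str]) -> bool:
    """True if hostname matches one SAN; a leading '*' covers exactly one label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in sans:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue  # a wildcard never spans multiple labels
        if san_labels[0] == "*":
            if san_labels[1:] == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def audit_distribution(config: dict, cert_sans: list[str]) -> list[str]:
    """Return findings; an empty list means the config matches the recipe."""
    findings = []
    vc = config.get("ViewerCertificate", {})
    aliases = config.get("Aliases", {}).get("Items", [])
    uses_default = bool(vc.get("CloudFrontDefaultCertificate"))

    if uses_default:
        findings.append(
            "default *.cloudfront.net certificate: alternate domain names "
            "will fail with NET::ERR_CERT_COMMON_NAME_INVALID"
        )
    elif not (vc.get("ACMCertificateArn") or vc.get("IAMCertificateId")):
        findings.append("no custom certificate attached to the distribution")

    # SSLSupportMethod only applies once a custom certificate is attached.
    if not uses_default:
        method = vc.get("SSLSupportMethod")
        if method in DEDICATED_IP_METHODS:
            findings.append(
                f"SSLSupportMethod={method}: dedicated IP, billed separately; "
                f"use {SNI_ONLY}"
            )
        elif method != SNI_ONLY:
            findings.append(f"SSLSupportMethod is {method!r}, expected {SNI_ONLY}")

    if vc.get("MinimumProtocolVersion", "") in LEGACY_MIN_PROTOCOLS:
        findings.append(
            f"MinimumProtocolVersion={vc['MinimumProtocolVersion']} allows "
            "TLS 1.0/1.1; prefer a TLSv1.2_* policy"
        )

    for alias in aliases:
        if not hostname_covered(alias, cert_sans):
            findings.append(f"alias {alias} is not covered by the certificate SANs")
    return findings


# Constructed "before" state: the distribution from the question.
BEFORE = {
    "Aliases": {"Quantity": 1, "Items": ["example.com"]},
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": True,
        "MinimumProtocolVersion": "TLSv1",
    },
}
# Constructed "after" state: steps 1-7 of the answer applied.
AFTER = {
    "Aliases": {"Quantity": 2, "Items": ["example.com", "www.example.com"]},
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": False,
        # Placeholder ARN; a real one comes from ACM in us-east-1.
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    },
}
# Constructed SANs of the ACM certificate requested in step 1.
CERT_SANS = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for label, cfg, sans in (("before", BEFORE, ["*.cloudfront.net"]),
                             ("after", AFTER, CERT_SANS)):
        print(f"{label}: {audit_distribution(cfg, sans) or ['OK']}")
```

Running it prints three findings for the "before" config (default certificate, legacy minimum protocol, alias not covered) and `OK` for the "after" config. The SAN check is the part the console does not do for you: attaching a certificate for `*.example.com` alone still leaves the bare `example.com` alias uncovered, which produces the same browser error as the default certificate.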
