
Background

My websites have been using CloudFlare with Let's Encrypt successfully for a year or two. The websites are hosted on EC2, they have valid Let's Encrypt certificates for the root, www, and all used subdomains. The website is run by Wordpress.

What I'm doing

As a learning exercise I decided to change one of my domains, wildphotography.co.nz, over to Route53 and CloudFront. It hasn't gone well.

The Problem

After moving from CloudFlare to Route53 with CloudFront, I can't view my website. Details are below. My desired end state is for Route53 to be my DNS server, and CloudFront my CDN.

Note that I have reverted back to CloudFlare, because I need my website to be online. I had Route53 as my DNS server for 3-4 hours, and I could see that it was resolving to R53.

Problem Details

After I set things up, here's the problem I see in my browser:

Insecure connection

Due to the Route53 setup, the request for the domain is being sent to CloudFront. The certificate being presented by CloudFront is for the *.cloudfront.net domain. Hence the mismatch. I believe I understand the problem but I can't work out how to solve it.

If I go to the Cloudfront URL (d1b5f3w2vf82yc.cloudfront.net) I get this error. Of course, going to this URL wouldn't typically be helpful.

CloudFront Error

Here's an SSL diagnostic

SSL Diagnostic

Here's my CloudFront setup. Note that I took a screenshot after I changed something minor, which is why it shows "in progress". I let it propagate before I tested it.

First the CloudFront overview

CloudFront Overview

CloudFront Origin Settings

CloudFront Origin Settings

CloudFront Root Behavior

Note that I forward from http to https on my Nginx web server, so I don't bother to have CloudFront do it. That gives me additional information in my logs, useful for diagnosis.

CloudFront Root Behavior

Route53 setup

I've removed some irrelevant records relating to email. Note that both the www and non-www domains are alias records pointing at the CloudFront distribution. It won't accept a cname alias - I'm not even sure if that's a valid combination.

Route53 Setup

What I've tried

I created a new subdomain, origin.wildphotography.co.nz, which is a cname to www.wildphotography.co.nz. I believe this is necessary so CloudFront can find the IP of the origin server.

I've tried CNAMEs, Alias and not Alias, all kinds of things.

One odd thing is that when it was still set up with R53/CloudFront, some requests were getting through CloudFront. Not many, but some.

Any ideas would be appreciated. I suspect I have Route53 set up somehow incorrectly.

Tim

2 Answers


First of all, you need to upload your custom SSL certificate to Cloudfront in order to avoid issues during the SSL validation. If you do not upload a custom certificate valid for your website name, Cloudfront offers a certificate valid only for its own domain cloudfront.net.

Then, you need a couple of records in your DNS zone in Route53:

  • The public website records ("www" and apex) should point to your Cloudfront distribution.
  • Another auxiliary record ( for example, "origin") is required for your Cloudfront origin setup, as Cloudfront does not allow IP origins. This auxiliary record should point to your actual web server. It is important that you configure your distribution to forward the Host header in order to allow your web server to serve the right contents.

With this setup, your customers are routed to Cloudfront through your www/apex records, and Cloudfront locates the actual web server through the origin record. Cloudflare saves you from implementing all this logic because you delegate your DNS to them, but in fact this is what they do in the background when you enable the CDN feature in your DNS panel.

ma.tome
  • Thanks for the thoughts. Custom certificate costs $600/month, I want to use SNI. I wonder if ACM counts as a custom certificate with an IP or if that's how SNI is done. I've contacted AWS support because I can't create certificates in the us-east-1 region, only us-west. The rest of your post seems to be generic and doesn't really address my problem - for example do I need an "A Alias" record at the domain apex and on the www subdomain, a "CNAME Alias" somewhere, etc? – Tim Apr 20 '17 at 18:11
  • Using ACM certificates with the Cloudfront SNI option does not incur additional costs, don't worry. When I speak about "custom certificate" I only mean the certificate itself. Using SNI or dedicated IPs in Cloudfront is just a feature to enable in the CDN distribution. – ma.tome Apr 20 '17 at 18:59
  • On the other hand, the type of DNS record (A or CNAME) is completely irrelevant as long as your customers and the CDN can read them and locate the correct servers. As a rule of thumb, use A records when your target is an IP and CNAME when it is another DNS name. For the apex record (which is a bit special) use an Alias of the same type as your target; for example, if your apex is aliasing the www record and it is a CNAME, your apex should be a CNAME alias of www. – ma.tome Apr 20 '17 at 19:00
  • Furthermore, AWS resources can be aliased in Route53 using A records, which in general terms is more efficient than CNAME as it requires fewer DNS requests to resolve. In this case, you may use A aliases pointing to Cloudfront both in your apex and www records, and an A/CNAME normal record for your auxiliary origin record. – ma.tome Apr 20 '17 at 19:05
  • Thanks @ma.tome. The thing I missed was adding a certificate, and I only missed that because I've hit an AWS limit and went on anyway. I can't create or import certificates. I've requested a limit increase, so fingers crossed once that comes back I'll be able to associate it with CF. I was using "A Alias" records in Route53, "CNAME Alias" wouldn't find the CF distribution. I'll update once the AWS increase goes through. – Tim Apr 20 '17 at 20:13

Note that you can also get a certificate from AWS through ACM for no extra charge. The certificate you get can then be deployed on CloudFront for your domain. For details, see http://docs.aws.amazon.com/acm/latest/userguide/gs-cf.html and the blog post at https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

  • Thanks for the thoughts. The pricing page says using a custom certificate costs $600 a month, but using SNI is free. Does using ACM count as a custom certificate? I can't create certificates in US-EAST-1, only US-WEST-1, the console gives me an error and says "contact support". Since I don't have paid support I asked for a limit increase hoping they'll work it out. – Tim Apr 20 '17 at 18:09
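As an added example (not code from the question or either answer), here is a CloudFormation template that wires together everything the two answers recommend: a free DNS-validated ACM certificate served via SNI, an auxiliary `origin` record so CloudFront has a DNS name (not an IP) to reach the web server, the Host header forwarded to the origin, and apex/www alias A records pointing at the distribution. It assumes the hosted zone already exists and the EC2 web server has a fixed public IP (both passed in as parameters); `Z2FDTNDATAQYW2` is CloudFront's fixed hosted zone ID for alias records.

```yaml
# Deploy in us-east-1: CloudFront only reads ACM certificates from that region.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  HostedZoneId: { Type: AWS::Route53::HostedZone::Id }   # existing Route53 zone (assumed)
  OriginIp: { Type: String }   # public IP of the Nginx/WordPress EC2 host (assumed)
Resources:
  SiteCert:   # free ACM certificate covering apex and www, validated by DNS records
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: wildphotography.co.nz
      SubjectAlternativeNames: [www.wildphotography.co.nz]
      ValidationMethod: DNS
      DomainValidationOptions:
        - { DomainName: wildphotography.co.nz, HostedZoneId: !Ref HostedZoneId }
  OriginRecord:   # auxiliary name CloudFront resolves to reach the real server
    Type: AWS::Route53::RecordSet
    Properties: { HostedZoneId: !Ref HostedZoneId, Name: origin.wildphotography.co.nz,
                  Type: A, TTL: '300', ResourceRecords: [!Ref OriginIp] }
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases: [wildphotography.co.nz, www.wildphotography.co.nz]
        ViewerCertificate:   # without this block viewers get the *.cloudfront.net cert
          AcmCertificateArn: !Ref SiteCert
          SslSupportMethod: sni-only   # SNI: no dedicated-IP surcharge
        Origins:
          - Id: wordpress
            DomainName: origin.wildphotography.co.nz
            # origin cert must cover origin.* or the forwarded Host name (www)
            CustomOriginConfig: { OriginProtocolPolicy: https-only }
        DefaultCacheBehavior:
          TargetOriginId: wordpress
          ViewerProtocolPolicy: allow-all   # Nginx already redirects http to https
          ForwardedValues:
            QueryString: true
            Cookies: { Forward: all }   # WordPress login/admin needs cookies
            Headers: [Host]   # origin must see the real site name, not origin.*
  SiteRecords:   # apex and www as alias A records to the distribution
    Type: AWS::Route53::RecordSetGroup
    Properties:
      HostedZoneId: !Ref HostedZoneId
      RecordSets:
        - { Name: wildphotography.co.nz, Type: A,
            AliasTarget: { HostedZoneId: Z2FDTNDATAQYW2, DNSName: !GetAtt Distribution.DomainName } }
        - { Name: www.wildphotography.co.nz, Type: A,
            AliasTarget: { HostedZoneId: Z2FDTNDATAQYW2, DNSName: !GetAtt Distribution.DomainName } }
```

After the stack completes, `openssl s_client -servername www.wildphotography.co.nz -connect www.wildphotography.co.nz:443` should show the ACM certificate's subject rather than `*.cloudfront.net`.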