
I want to point my domain to an external site with SSL. mydomain.com CNAME otherdomain.com

However I get a certificate error that says: ERR_CERT_COMMON_NAME_INVALID

This is probably because the certificate for otherdomain.com only has an entry for *.otherdomain.com

Is there a way to make this certificate work through the CNAME redirect? Or do I need to use a separate certificate for mydomain.com?

... and how can I add that certificate with AWS? I don't see any options for that in route53.

best regards, Chris

Chris

2 Answers


The common name (the server name) in an SSL certificate has to match the hostname in the URL. The only way to make that work is to install an SSL certificate for "mydomain.com" on the "otherdomain.com" web servers. You cannot do that through DNS or any other means.

It sounds like you're trying to create a CNAME in your domain for an HTTPS server you don't control. That just won't do what you want it to do, for very good security reasons.

Karen B

> Is there a way to make this certificate work through the CNAME redirect?

No. The certificate must contain the hostname as seen in the URL. It does not matter if this is just an alias for another hostname.

> Or do I need to use a separate certificate for mydomain.com?

Either you need a separate certificate or you need to have a certificate which contains all the names you need in one certificate.

> ... and how can I add that certificate with AWS? I don't see any options for that in route53.

As far as I understand, Route53 only cares about DNS, and certificate handling has nothing to do with DNS. And while I'm not familiar with AWS, this documentation suggests that you can use third-party certificates with AWS.

Steffen Ullrich
  • Ok. I got the whole DNS / SSL config stuff mixed up. I now know that I would need to set up a custom SSL certificate with the host at otherdomain.com. However, I wondered if it is possible to make it a non-stealth redirect: i.e. the user goes to mydomain.com and gets redirected to otherdomain.com, which should also show up in the URL bar. I guess this should allow the current certificate to work. However, I do not know if it is possible to set up a "non-stealth" redirect, since CNAME keeps the entered URL unchanged. – Chris Jul 09 '16 at 15:14
  • Just found a way to do this --> Create S3 bucket with website redirect to otherdomain.com --> add DNS record: mydomain.com CNAME S3 bucket domain – Chris Jul 09 '16 at 16:40
  • @Chris: to issue a "non-stealth redirect" (i.e. HTTP response 301, 302 or similar) it first needs to establish the HTTPS connection to mydomain before inside this HTTPS connection the redirect can be done. This still means that you need a certificate for mydomain, because otherwise it cannot establish the HTTPS connection to mydomain. – Steffen Ullrich Jul 09 '16 at 16:40
  • "Non-stealth redirect" with HTTPS on the first hostname can be done with CloudFront (for SSL) in front of an empty S3 bucket configured to redirect all requests to another bucket. [Example](http://stackoverflow.com/a/37442747/1695906). – Michael - sqlbot Jul 09 '16 at 22:20
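Both answers make the same point: the browser follows the CNAME to find a server to talk to, but it verifies the certificate against the hostname from the URL bar, and a wildcard such as `*.otherdomain.com` never covers a different domain (nor the bare `otherdomain.com`, nor more than one label). The script below is an added example, not code from the question or either answer; it implements the name-matching rules browsers apply to the certificate's subjectAltName DNS entries and walks through the CNAME scenario above. The CNAME table and the SAN list are constructed stand-ins for the real zone and certificate of `otherdomain.com`; the optional `fetch_san_names` helper pulls a live certificate's SAN list for comparison and is the only part that needs network access.

```python
import socket
import ssl


def hostname_matches(hostname: str, cert_names) -> bool:
    """Does the hostname the user typed match any DNS name in the certificate?

    cert_names are the DNS entries of subjectAltName (browsers ignore the CN
    once a SAN extension is present). Rules, following RFC 6125 / browser
    behaviour: comparison is case-insensitive; a wildcard is only allowed as
    the whole leftmost label; it matches exactly one label, so it never
    covers the bare domain, a deeper subdomain, or an unrelated domain.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue  # '*.otherdomain.com' has 3 labels; 'otherdomain.com' has 2
        if "*" in pattern[1:]:
            continue  # wildcard anywhere but the leftmost label is rejected
        if pattern[0] == "*" and len(pattern) < 3:
            continue  # '*.com' style wildcards are rejected
        if all(p == "*" or p == h for p, h in zip(pattern, host)):
            return True
    return False


# Constructed toy zone data (not real DNS): name -> CNAME target.
TOY_DNS_CNAMES = {"mydomain.com": "otherdomain.com"}

# Constructed SAN list standing in for the certificate otherdomain.com serves.
OTHERDOMAIN_CERT_SANS = ["otherdomain.com", "*.otherdomain.com"]


def resolve_cname_chain(name: str, cnames: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs the way a resolver does and return the canonical name."""
    hops = 0
    while name in cnames and hops < max_hops:
        name = cnames[name]
        hops += 1
    return name


def tls_name_check_after_cname(url_host: str, cnames: dict, cert_sans) -> dict:
    """Mimic the browser: resolve the CNAME to pick the server, then verify the
    certificate against the URL host, not against the CNAME target."""
    server = resolve_cname_chain(url_host, cnames)
    return {
        "connected_to": server,
        "verified_name": url_host,
        "ok": hostname_matches(url_host, cert_sans),
    }


def fetch_san_names(host: str, port: int = 443, timeout: float = 5.0):
    """Network helper (not used offline): return the DNS SANs of a live cert.

    Connects with SNI so virtual-hosted servers present the right certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # What the question describes: a CNAME alone does not change the name checked.
    print(tls_name_check_after_cname("mydomain.com", TOY_DNS_CNAMES, OTHERDOMAIN_CERT_SANS))
    # What fixes it: a certificate on otherdomain.com's server that also lists mydomain.com.
    print(tls_name_check_after_cname("mydomain.com", TOY_DNS_CNAMES,
                                     OTHERDOMAIN_CERT_SANS + ["mydomain.com"]))
```

Run it as a script to see the two outcomes side by side: the first result reports `connected_to` as `otherdomain.com` but `ok` as `False`, which is exactly the ERR_CERT_COMMON_NAME_INVALID situation; adding `mydomain.com` to the SAN list (or serving a separate certificate for it, e.g. via CloudFront as Michael suggests) is the only thing that turns `ok` to `True`.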