40

I can't get the Internet <-> CloudFront <-> S3 Bucket working, using an AWS certificate. This is what I did:

  1. Created a certificate, a wildcard one, like: *.mydomain.example.
  2. Created a S3 bucket, no fiddeling with properties.
  3. Creating a CloudFront distribution, using the created S3 bucket URL as origin, selecting my certificate from step 1, choosing HTTP/2, HTTP/1.1, HTTP/1.0, and choosing HTTP to HTTPS redirect.
  4. Created an A alias in my hosted zone for the domain the certificate is issued for, pointing at my distribution URL.

After the distribution is created, my browsers all tell me this:

  • Firefox: SSL_ERROR_NO_CYPHER_OVERLAP
  • Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  • Safari: Can't establish a secure connection.

I'm not sure if I've missed a step in the process of setting this up, I've tried fiddling with various parameters but nothing lets me through.

I read this blog post, saying that I might have forgotten adding alternate CNAMEs. This confuses me a bit, should I? In Route 53 I configured my full domain using something.mydomain.example and the certificate is a wildcard one.

Other blog posts and question answers indicates I should not, just use the A record and the CloudFront distribution URL/endpoint, as I have done.

Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
Wrench
  • 4,070
  • 4
  • 34
  • 46

3 Answers3

78

So, in my update, I mentioned adding CNAMEs from a blog post. This was it, the second I did that, it started working.

To clarify, I did this to solve my problem:

  1. Edit your CloudFront distribution.
  2. Under the tab General, click edit.
  3. In the Alternate Domain Names text box, add (at least) the something.mydomain.example that you have configured to this distribution's endpoint/URL in Route53.
  4. Save your changes.

This solved it instantly for me, but remember that CloudFront configuration changes sometimes can take some time to be pushed out.

Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
Wrench
  • 4,070
  • 4
  • 34
  • 46
  • 3
    This is not just for alternate names. I had to put ALL names in the CNAMES fields in order for all names to work properly. – SunSparc Dec 19 '17 at 00:16
  • 3
    it is not clear. what you mean by `something.mydomain.com that you have configured to this distribution's endpoint/URL in Route53` – ji-ruh Aug 21 '18 at 12:27
  • 1
    I struggled with this same error and the cause was simply mistyped domain name. – Antti Nov 12 '18 at 07:56
  • 1
    Thankyou, thankyou, thankyou!!! I was tearing my hair out this weekend! – Jester Jan 16 '22 at 07:30
15

As stated by OP in an edit error caused when a CNAME entry for the apex (naked) domain, www subdomain, other subdomain or other domain(s) are not listed in the distribution.

enter image description here

To fix add at least one CNAME to the distribution in CloudFront.

vhs
  • 9,316
  • 3
  • 66
  • 70
2

Weird but true:

What actually fixed the issue for me was bumping the minimum cypher version up from TLSv1 to TLSv1.1_2016 in the CF Distribution.

Here's the relevant CloudFormation snippet:

HttpVersion: "http2"
ViewerCertificate:
  AcmCertificateArn: !Ref SslCertificateArn
  MinimumProtocolVersion: "TLSv1.1_2016"
  SslSupportMethod: sni-only

Weird because I don't understand why this change fixes anything. The browser should automatically negotiate the higher TLS version.

Alex R
  • 11,364
  • 15
  • 100
  • 180