2

First post here - hello fellow stackoverflowers :)

Website issue. Bought domain on Google, hosting on S3. Used Route 53 to redirect requests. Created 2 public buckets in S3, example.com and www.example.com (example.com redirecting to www).
WEBSITE WORKS - YES! Now let's get it https
Got the SSL Amazon certificate for *.example.com via Route 53 DNS confirmation. Uploaded it to my CloudFront distribution (and in the parameters ensured http redirects to https).
Following this article (How to redirect HTTP to HTTPS using S3, Cloudfront, and Route 53 using naked domains?), I now need to redirect requests from Route 53 towards the CloudFront domain name.

But the CloudFront domain name gives an error message (see below). Where could it come from? (I understand this should be the https website link, no?)

[Image: error message]

FYI, I don't use an EC2 instance. I understand there is another way of getting an SSL by passing through providers like Namecheap - but it seems much more complicated (compared to Amazon doing it for free).

Tsac token

1 Answer

4

Probably your CloudFront origin is pointing at the wrong endpoint. Don't pick the auto-suggested bucket from the origin list; instead, explicitly copy the endpoint shown in your S3 bucket under "Static website hosting", which should look something like example.com.s3-website-us-east-1.amazonaws.com. Otherwise you're pointing at the S3 bucket HTTP interface, not the website host.

Just to make sure, the entire process is basically:

  1. Set up the domain zone in Route 53 first, so it exists for the next step.
  2. In region US-East-1 (N. Virginia, important!), create a certificate request for the domain in Certificate Manager. Use DNS validation, and let AWS auto-insert the required records to your Route 53 configuration you created in 1.
  3. Create the S3 bucket.
  4. Explicitly set a custom bucket policy to allow anonymous access.
  5. Enable "Static website hosting" for the bucket. Note the displayed endpoint.
  6. Create a CloudFront distribution, add your domain name as Alternate Domain Name, choose the certificate created in 2. from the list, add the endpoint noted in 5. as origin.
  7. Update the Route 53 configuration to add an A (and AAAA) alias record, pointing to the CloudFront distribution, which you can choose from the auto-suggested list.
  8. Wait until everything is deployed.

Especially the certificate you'd want to create as described, since this allows it to auto-renew and you won't have to worry about it. CloudFront can only automatically use certificates created in region US-East-1; creating your certificates elsewhere means you'll need to down/upload them manually, and do that every time they expire.

deceze
  • GOOD! Thanks, I realised my mistake, I didn't add the index.html root in my CloudFront distribution – Tsac token Oct 03 '19 at 16:53
  • With only one CloudFront distribution, requests to example.com won't be redirected to www.example.com or vice-versa, right? – abalone Oct 12 '19 at 23:58
  • @abalone CloudFront won’t do any sort of redirecting like that. It would be the S3 backend that does that redirection if anything. You can have one CloudFront serve both domains if you create a certificate with both names and a distribution with both CNAMEs and point both names to this distribution in Route 53. – deceze Oct 13 '19 at 08:08
  • @deceze in that scenario www.example.com and example.com would serve duplicate content which should not be done I imagine. This will require two cloudfront distributions for the redirect to happen. – abalone Oct 19 '19 at 21:03
  • @abalone Duplicate content is a separate issue. Why would it need two distributions according to you? – deceze Oct 20 '19 at 07:27
  • @deceze Without two distributions duplicate content would be served. So although it's a separate issue, it's necessary to deal with which can only be done in the simplest way with two distributions. – abalone Oct 21 '19 at 21:21
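
A check for the misconfigurations named in the answer, as an added example that is not part of the original thread: it inspects a `DistributionConfig` document (the shape returned by `aws cloudfront get-distribution-config`) for an S3 REST endpoint used as origin, a missing Alternate Domain Name, a certificate outside us-east-1, and a viewer policy that still allows plain HTTP. The function names, the two sample configs, the account id and the certificate id are constructed for illustration.

```python
import re

# S3 static-website endpoints use "s3-website-<region>" or "s3-website.<region>".
WEBSITE_RE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
# Anything else under s3*.amazonaws.com is the bucket's REST (HTTP API) endpoint.
REST_RE = re.compile(r"\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$")

def audit_distribution(cfg, domain):
    """Return findings for one CloudFront DistributionConfig dict."""
    findings = []
    for origin in cfg.get("Origins", {}).get("Items", []):
        name = origin["DomainName"]
        if not WEBSITE_RE.search(name) and REST_RE.search(name):
            findings.append(f"origin {name} is the S3 REST endpoint, not the website endpoint")
    if domain not in cfg.get("Aliases", {}).get("Items", []):
        findings.append(f"{domain} is not an Alternate Domain Name")
    # ARN layout: arn:aws:acm:<region>:<account>:certificate/<id>
    parts = cfg.get("ViewerCertificate", {}).get("ACMCertificateArn", "").split(":")
    if len(parts) < 6 or parts[2] != "acm":
        findings.append("no ACM certificate attached")
    elif parts[3] != "us-east-1":
        findings.append(f"certificate is in {parts[3]}, not us-east-1")
    policy = cfg.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy")
    if policy not in ("redirect-to-https", "https-only"):
        findings.append(f"viewer protocol policy {policy!r} still serves plain HTTP")
    return findings

def sample(origin, region, policy):
    """Build a constructed config; account and certificate ids are placeholders."""
    return {
        "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
        "Origins": {"Quantity": 1, "Items": [{"Id": "site", "DomainName": origin}]},
        "DefaultCacheBehavior": {"ViewerProtocolPolicy": policy},
        "ViewerCertificate": {
            "ACMCertificateArn": f"arn:aws:acm:{region}:123456789012:certificate/PLACEHOLDER"},
    }

BROKEN = sample("www.example.com.s3.amazonaws.com", "eu-west-1", "allow-all")
FIXED = sample("www.example.com.s3-website-us-east-1.amazonaws.com", "us-east-1", "redirect-to-https")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_distribution(cfg, "www.example.com") or "no findings")
```
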