I am trying to configure my CloudFront distribution to route requests for mydomain.com to an S3 bucket and requests for mydomain.com/api/* to an ELB.

In Route 53, I have dev.mydomain.com pointing to the CloudFront distribution with an alias record.

[Screenshot: Alias to CloudFront in Route 53]

I have configured two origins in CloudFront: one to S3 and one to a publicly accessible ELB.

[Screenshot: CloudFront origins setup]

I have configured one behavior (on top of the default) to route api/* requests to the ELB origin.

[Screenshot: CloudFront behaviors setup]

I have no issues with the S3 bucket. Since I added the new behavior to route api/* requests to the ELB, I am receiving a 502 gateway error whenever I hit api/* routes.

When I make a request to the ELB using the origin domain I provided to CloudFront, I am seeing the following response in Postman:

    Error: Hostname/IP does not match certificate's altnames:
    Host: mydomain-api-dev-env.us-east-1.elasticbeanstalk.com. is not in the cert's altnames: DNS:*.mydomain.com

This leads me to believe the 502 is because the ELB URL is not included in mydomain.com's certificate.

Assuming that this is my issue, how would I go about resolving this certificate issue since I don't own the elasticbeanstalk.com domain?

pantaphobic

1 Answer

You have to associate your own domain with the load balancer and add a proper SSL certificate to it. Then in your CF distro, you are going to use your own ALB's domain, not the one provided by AWS.

Marcin
  • Is there a way to do this without creating a subdomain specifically for the ALB? Do you have an example A record I could look at to see how this would be done in Route 53? Since dev.mydomain.com is already associated with the CloudFront distro, how would I associate the ALB with the domain? – pantaphobic Oct 02 '21 at 14:56
  • @pantaphobic You can create a second subdomain for the ALB, and get a free SSL cert from AWS ACM for it. – Marcin Oct 02 '21 at 23:36
  • I ended up creating an A record from dev-api.mydomain.com to the ELB. Then, in CloudFront I created a new origin pointing to dev-api.mydomain.com instead of the ELB, so the certificate would be valid. – pantaphobic Oct 02 '21 at 23:36
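The failure and the fix both come down to the hostname-to-SAN matching rule that CloudFront (and every other TLS client) applies to the origin's certificate: the origin domain name you type into the distribution must be covered by a DNS SAN on the certificate the ELB presents, or the handshake is refused and the viewer gets a 502. The following is an added example, not code from the question or the answer above; it implements that matching rule (RFC 6125 section 6.4.3 wildcard semantics) and runs it over hostnames constructed from the thread, so you can see why the AWS-provided ELB name fails against `*.mydomain.com`, why `dev-api.mydomain.com` passes, and why a wildcard would still not cover `api.dev.mydomain.com` or the bare apex. The SAN list and the hostnames are constructed inputs, not fetched from any live endpoint.

```python
"""Hostname-versus-certificate-SAN matching, as a TLS client (or CloudFront
checking an HTTPS origin) performs it.

Added example for the thread above; not part of the original post.
The SAN list and hostnames below are constructed from the question.
"""
from dataclasses import dataclass


def _normalise(name: str) -> str:
    # Accept the "DNS:" prefix that OpenSSL-style error output prints,
    # drop a trailing root dot (the error message shows "elasticbeanstalk.com.")
    # and lower-case, since DNS names compare case-insensitively.
    if name.startswith("DNS:"):
        name = name[len("DNS:"):]
    return name.rstrip(".").lower()


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if the DNS SAN entry `san` covers `hostname`.

    Wildcard rules (RFC 6125 s6.4.3): "*" is honoured only as the entire
    leftmost label and matches exactly one label, so "*.mydomain.com"
    covers "dev-api.mydomain.com" but neither "mydomain.com" nor
    "api.dev.mydomain.com". Bare "*.com" style wildcards are refused.
    """
    host_labels = _normalise(hostname).split(".")
    san_norm = _normalise(san)
    san_labels = san_norm.split(".")
    if "" in host_labels or "" in san_labels:
        return False  # empty name or consecutive dots
    if "*" not in san_norm:
        return host_labels == san_labels
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False  # partial ("a*") or non-leftmost wildcards are not honoured
    if len(san_labels) < 3:
        return False  # "*.com" would cover every .com host
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def cert_covers(hostname: str, sans: list[str]) -> bool:
    return any(hostname_matches_san(hostname, san) for san in sans)


@dataclass
class OriginCheck:
    origin_domain: str
    ok: bool
    reason: str


def check_cloudfront_origin(origin_domain: str, origin_cert_sans: list[str]) -> OriginCheck:
    """Mirror the check CloudFront applies to an HTTPS origin: the configured
    origin domain name must be covered by the origin's certificate, otherwise
    the TLS connection is refused and the viewer receives a 502."""
    if cert_covers(origin_domain, origin_cert_sans):
        return OriginCheck(origin_domain, True, "origin domain is covered by the origin certificate")
    return OriginCheck(
        origin_domain, False,
        f"{_normalise(origin_domain)} is not in the certificate's SANs {origin_cert_sans}; "
        "CloudFront will refuse the handshake and return 502 to the viewer",
    )


# Constructed from the question: the ELB listener serves a *.mydomain.com certificate.
ORIGIN_CERT_SANS = ["DNS:*.mydomain.com"]


def demo() -> dict[str, bool]:
    """Evaluate the candidate origin domain names discussed in the thread."""
    candidates = [
        "mydomain-api-dev-env.us-east-1.elasticbeanstalk.com.",  # AWS-provided name: fails
        "dev-api.mydomain.com",  # custom record aliased to the ELB: passes
        "api.dev.mydomain.com",  # two labels under the wildcard: fails
        "mydomain.com",          # apex: a wildcard does not cover it
    ]
    return {host: check_cloudfront_origin(host, ORIGIN_CERT_SANS).ok for host in candidates}


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}")
```

Two practical notes. First, the fix in the thread does not change the certificate at all: it gives the load balancer a name that the existing `*.mydomain.com` certificate already covers, which is why no ACM request was needed; if you instead pick a name outside the wildcard (for example a deeper label like `api.dev.mydomain.com`), you must issue a certificate for it, as the answer suggests. Second, once the ELB carries a public name, clients can reach it directly and bypass the CloudFront behaviors, so restrict the ELB's security group to the CloudFront origin-facing prefix list or require a custom origin header that only CloudFront adds.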