Problem: ERR_SSL_VERSION_OR_CIPHER_MISMATCH when accessing a CloudFront CNAME through another CNAME
Context: We have a CloudFront distribution which is linked to a CNAME, say "my.originalurl.com"; the SSL certificate and alternate name configurations are all set up. Browsing https://my.originalurl.com returns the CloudFront content without issues.
The configuration my.originalurl.com | CNAME | XXXX.cloudfront.net was done in DNS Provider 1.
Now we want to add another CNAME to point to the one above, that is: my.newurl.com | CNAME | my.originalurl.com. This was done in DNS Provider 2. We have a separate certificate for my.newurl.com, but haven't put it anywhere.
Browsing to https://my.originalurl.com still works, but browsing to https://my.newurl.com returns ERR_SSL_VERSION_OR_CIPHER_MISMATCH, with a similar error being reproducible when using different browsers.
What we have tried: The error makes me think we have to put the my.newurl.com certificate somewhere. We did the following tests:
- Checked through SSL Labs for a deeper explanation: Got "Failed to communicate with secure server"
- Browse to https://my.newurl.com: Certificate is not in there
Some options on where to put it:
- Directly on the CloudFront distribution, inspired by this question (aws route53 CNAME to external site with SSL). However, it looks like you can only have one certificate attached at a time. Merging both certificates is not an option.
- Adding the cert somewhere in DNS Provider 2. A cert is needed even in "redirects" (https://webmasters.stackexchange.com/questions/118044/do-i-need-a-certificate-to-redirect-via-cname), but it looks like it is not added in the DNS providers (Adding SSL to domain hosted on route 53 AWS), but rather on the servers (CloudFront, returning to option 1). I know that in Cloudflare certs can be added directly, though (we are not using it).
Is our setup even possible? I'm not even sure if anything from my.newurl.com should be configured in CloudFront, since it isn't a direct parent of the XXXX.cloudfront.net URL.
Thanks
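A diagnostic check, added here as an example and not part of the question above: the TLS server picks its certificate from the SNI hostname the client sends in the ClientHello, not from the DNS CNAME chain that led to the edge address. The script below performs a handshake with an explicit SNI value and reports whether the served certificate's DNS SANs actually cover that name; the hostnames are the question's placeholders, and the CloudFront edge address is assumed.

```python
import socket
import ssl
from typing import Optional


def hostname_covered(hostname: str, san_names: list) -> bool:
    """True if hostname matches a DNS SAN; '*' is honoured only as the whole
    leftmost label, so '*.example.com' covers a.example.com, not a.b.example.com."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels) or san_labels[1:] != host_labels[1:]:
            continue
        if san_labels[0] == "*" or san_labels[0] == host_labels[0]:
            return True
    return False


def dns_sans(peer_cert: dict) -> list:
    """Pull the DNS entries out of the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in peer_cert.get("subjectAltName", ()) if kind == "DNS"]


def probe_sni(sni_name: str, connect_host: Optional[str] = None, port: int = 443) -> dict:
    """Handshake with SNI=sni_name and classify the outcome.

    connect_host lets you hit the same edge (e.g. the XXXX.cloudfront.net address)
    while varying only the SNI value, which separates certificate selection from DNS.
    Chain validation stays on; only the hostname check is done by hand so that a
    certificate for the wrong name is reported instead of rejected outright."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we compare the SANs ourselves below
    ctx.verify_mode = ssl.CERT_REQUIRED  # keeps getpeercert() populated
    try:
        with socket.create_connection((connect_host or sni_name, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
                sans = dns_sans(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:   # untrusted chain, not an SNI problem
        return {"sni": sni_name, "status": "chain_invalid", "detail": str(exc)}
    except ssl.SSLError as exc:   # no certificate for this SNI: server refuses the handshake
        return {"sni": sni_name, "status": "handshake_refused", "detail": str(exc)}
    status = "covered" if hostname_covered(sni_name, sans) else "wrong_certificate"
    return {"sni": sni_name, "status": status, "sans": sans}


if __name__ == "__main__":
    # Constructed placeholder hostnames from the question; the edge address is assumed.
    for name in ("my.originalurl.com", "my.newurl.com"):
        print(probe_sni(name, connect_host="XXXX.cloudfront.net"))
```

A "handshake_refused" result for my.newurl.com alongside "covered" for my.originalurl.com confirms the edge has no certificate bound to the new name, independent of the CNAME hop.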