
How do I resolve the "CNAMEAlreadyExists" error when I set up a CNAME alias for my CloudFront distribution?


When I set up a canonical name record (CNAME) alias for my Amazon CloudFront distribution, I get a "CNAMEAlreadyExists" error.

Short description

You can't use the same CNAME alias for more than one CloudFront distribution. When the CNAME alias that you want to add is already associated with another CloudFront distribution, you receive the following error:

"One or more of the CNAMEs you provided are already associated with a different resource. (Service: AmazonCloudFront; Status Code: 409; Error Code: CNAMEAlreadyExists; Request ID: a123456b-c78d-90e1-23f4-gh5i67890jkl)"

If you have access to both source and target distributions, then manually remove the CNAME association from the existing CloudFront distribution. Then, associate the CNAME with the new CloudFront distribution.

Note: To manually associate the CNAME, you might need to wait until the existing distribution's status is Deployed.

To get partial information about the distribution and the AWS account ID for the conflicting CNAME alias, run the list-conflicting-aliases AWS Command Line Interface (AWS CLI) command. Then, run the associate-alias command to move your CNAME from the existing distribution (source distribution) to the new distribution (target distribution).

Use one of the following resolutions based on your scenario:

  • For source and target distributions that are in the same account, see the Move your CNAME section.
  • For cross-account source and target distributions, see the Deactivate the source distribution with the conflicting CNAME section.
  • If you can't deactivate the source distribution, then see the Use a wildcard to move the alternate domain name section.
    Note: You can't use a wildcard to move an apex domain (example.com). To move an apex domain when the source and target distributions are in different accounts, see Contact Support to move an alternate domain name.

Resolution

Move your CNAME

Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

You must have access to both the source distribution and target distribution to move the CNAME.

To move your CNAME, complete the following steps:

  1. In the AWS Identity and Access Management (IAM) policy of the user or role that makes the API request, add the following resource-level permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CloudFrontCnameSwapSameAcc",
          "Effect": "Allow",
          "Action": [
            "cloudfront:GetDistribution",
            "cloudfront:ListConflictingAliases",
            "cloudfront:AssociateAlias",
            "cloudfront:UpdateDistribution"
          ],
          "Resource": [
            "arn:aws:cloudfront::SourceAccount:distribution/SourceDistroID",
            "arn:aws:cloudfront::TargetAccount:distribution/TargetDistroID"
          ]
        }
      ]
    }

    Note: The IAM user or role must have the preceding permissions on both the source distribution and the target distribution. In the preceding policy, replace SourceAccount with the source distribution's account number and SourceDistroID with the source distribution's ID. Also, replace TargetAccount with the target distribution's account number and TargetDistroID with the target distribution's ID.

  2. Run the list-conflicting-aliases command to find the distribution that has the conflicting CNAME:

    aws cloudfront list-conflicting-aliases --distribution-id YourDistributionID --alias YourCNAME

    Note: Replace YourDistributionID with your distribution's ID and YourCNAME with the conflicting CNAME alias.

  3. To prove that you own the domain, create a DNS TXT record whose value is the target distribution's CloudFront domain name (the dXXXXXXXXXXXX.cloudfront.net name). The TXT record name is the alternate domain name with an underscore in front of the CNAME label, the apex, or the wildcard:

    _.example.com.         900   IN   TXT     "dexample123456.cloudfront.net"
    _cname.example.com.    900   IN   TXT     "dexample123456.cloudfront.net"
    _*.example.com.        900   IN   TXT     "dexample123456.cloudfront.net"

    Note: To verify ownership of the domain, you must have read access to YourDistributionID. You must also have an SSL/TLS certificate that's associated with the CloudFront distribution that secures the conflicting CNAME.

  4. Verify that the target distribution has a valid SSL/TLS certificate.
    Note: The subject name or subject alternative name must match or overlap with the CNAME alias. It's a best practice to have a valid certificate that's issued from AWS Certificate Manager or a trusted certificate authority (CA) that's listed in Mozilla's CA certificate list. For more information, see Certificate Authorities on the Mozilla website.

  5. Run the associate-alias command from the account that owns the target distribution:

    aws cloudfront associate-alias --target-distribution-id YourTargetDistributionID --alias your_cname.example.com

    Note: Replace YourTargetDistributionID with your target distribution's ID and your_cname.example.com with your domain.
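The five steps above as one script, added here as an example and not part of the Knowledge Center article. It issues the same list-conflicting-aliases, dig, and associate-alias calls, classifies each conflicting entry (CloudFront masks the leading characters of the returned distribution and account IDs with asterisks, so the comparison is on the visible tail only), maps the result onto the resolution sections of this article, and calls associate-alias only when the underscore-prefixed TXT record already carries the target distribution's CloudFront domain name. The sample output, IDs, and account numbers are constructed; the zone_apex argument is an assumption the script needs in order to tell an apex domain from a subdomain.

```python
"""Driver for the 'Move your CNAME' steps (list-conflicting-aliases, TXT proof,
associate-alias). Added example, not the Knowledge Center article's code.
The functions are offline-testable; the __main__ section shells out to the
aws CLI and dig exactly as the article does."""
import json
import subprocess
import sys
from typing import Dict, List

# Constructed sample of list-conflicting-aliases output. CloudFront masks the
# leading characters of the IDs with '*', so only trailing characters are
# comparable; the first item is assumed to be the queried (target) distribution.
SAMPLE_CONFLICTS = json.loads("""
{"ConflictingAliasesList": {"MaxItems": 100, "Quantity": 2, "Items": [
  {"Alias": "www.example.com", "DistributionId": "******C4D5E6F", "AccountId": "******223333"},
  {"Alias": "www.example.com", "DistributionId": "******9XYZ123", "AccountId": "******095307"}
]}}
""")


def verification_record_name(alias: str, zone_apex: str) -> str:
    """Name of the TXT record that proves ownership for associate-alias:
    apex -> '_.example.com'; subdomain or wildcard -> '_' + alias."""
    alias, zone_apex = alias.rstrip(".").lower(), zone_apex.rstrip(".").lower()
    if alias == zone_apex:
        return f"_.{zone_apex}"
    if not alias.endswith("." + zone_apex):
        raise ValueError(f"{alias} is not inside zone {zone_apex}")
    return f"_{alias}"


def _suffix_matches(masked: str, full: str) -> bool:
    """Compare a '******'-masked ID against a full one on the visible tail."""
    visible = masked.lstrip("*")
    return bool(visible) and full.upper().endswith(visible.upper())


def classify_conflicts(output: Dict, my_account_id: str, target_id: str) -> List[Dict]:
    """Tag each conflicting alias with whether it is the target itself and whether
    it sits in the caller's account (cross-account changes the resolution path)."""
    return [{
        "alias": i["Alias"],
        "distribution_id": i["DistributionId"],
        "account_id": i["AccountId"],
        "is_target": _suffix_matches(i["DistributionId"], target_id),
        "same_account": _suffix_matches(i["AccountId"], my_account_id),
    } for i in output["ConflictingAliasesList"].get("Items", [])]


def resolution_for(conflicts: List[Dict], alias: str, zone_apex: str) -> str:
    """Map the article's decision list onto the classified conflicts."""
    others = [c for c in conflicts if not c["is_target"]]
    if not others:
        return "none"                       # nothing else holds the alias
    if all(c["same_account"] for c in others):
        return "move-cname"                 # associate-alias is enough
    if alias.rstrip(".").lower() == zone_apex.rstrip(".").lower():
        return "contact-support"            # cross-account apex: no wildcard possible
    return "deactivate-source-or-wildcard"


def txt_proves_ownership(txt_values: List[str], target_domain_name: str) -> bool:
    """dig +short prints TXT strings quoted; normalise before comparing them
    with the target's dXXXX.cloudfront.net name."""
    want = target_domain_name.rstrip(".").lower()
    return any(v.strip().strip('"').rstrip(".").lower() == want for v in txt_values)


def associate_alias_argv(target_id: str, alias: str) -> List[str]:
    return ["aws", "cloudfront", "associate-alias",
            "--target-distribution-id", target_id, "--alias", alias]


def _aws(*args: str) -> Dict:
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"], text=True))


if __name__ == "__main__":
    # usage: python move_cname.py www.example.com example.com E1A2B3C4D5E6F
    alias, zone, target = sys.argv[1:4]
    me = _aws("sts", "get-caller-identity")["Account"]
    rows = classify_conflicts(
        _aws("cloudfront", "list-conflicting-aliases", "--distribution-id", target, "--alias", alias),
        me, target)
    for r in rows:
        print(r)
    path = resolution_for(rows, alias, zone)
    print("resolution:", path)
    if path == "move-cname":
        domain = _aws("cloudfront", "get-distribution", "--id", target)["Distribution"]["DomainName"]
        record = verification_record_name(alias, zone)
        txt = subprocess.check_output(["dig", "+short", "TXT", record], text=True).splitlines()
        if txt_proves_ownership(txt, domain):
            subprocess.check_call(associate_alias_argv(target, alias))
        else:
            sys.exit(f"TXT record {record} does not carry {domain} yet")
```

The script refuses to call associate-alias until dig sees the TXT value, which avoids the round trip of a failed API call while DNS is still propagating, and it prints the classified conflict list first so that a partially masked entry from a foreign account (the situation in the last comment below) is visible before anything is changed.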

Deactivate the source distribution with the conflicting CNAME

For source and target distributions that are in different accounts, turn off the source distribution that's associated with the conflicting domain. Then, follow the steps in the Move your CNAME section.

To turn off the source distribution that's associated with the conflicting domain, complete the following steps:

  1. Open the CloudFront console.
  2. In the navigation pane, choose Distributions.
  3. Select the source distribution, and then choose Disable.

If you don't have access to the account that contains the source distribution or you can't deactivate the source distribution, then contact AWS Support.

Use a wildcard to move the alternate domain name

If your source and target distributions are in different accounts but you can't deactivate the source distribution, then use a wildcard to move the CNAME.

In the following procedure, wait for each distribution to fully deploy the updates before you proceed to the next step.

To move the alternate domain name, complete the following steps:

  1. Update the target distribution to add a wildcard CNAME for the alternate domain name that you want to move. For example, if your domain is www.example.com, then add the wildcard alternate domain name *.example.com to the target distribution.
    Note: You must have an SSL/TLS certificate on the target distribution that secures the wildcard domain name.

  2. Update the DNS record for the CNAME to route traffic to the target distribution's canonical name:

    www.example.com.         86400   IN   CNAME     dexample123456.cloudfront.net.

    Note: Because the alternate domain name is still associated with the source distribution, the source distribution receives the requests that use the alternate domain name. The target distribution receives the requests only after you remove the alternate domain name from the source distribution.

  3. Update the source distribution to remove the alternate domain name.
    Note: During the update, there's no interruption to the live traffic. Because the requested domain name matches the wildcard domain that you added to the target distribution, live traffic uses the target distribution settings.

  4. To add the alternate domain name that you want to move, update the target distribution.

  5. To validate the DNS record for the CNAME, use dig or a similar DNS query tool:

    dig CNAME www.example.com +short
    nslookup example.com

  6. (Optional) To remove the wildcard alternate domain name, update the target distribution.
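The wildcard procedure above expressed as CloudFront API calls, added here as an example and not the article's own code. It keeps the step order that makes the cutover interruption-free (the wildcard is on the target before the exact alias leaves the source, and traffic only moves at step 3), uses the ETag returned by GetDistributionConfig as IfMatch so a concurrent edit fails instead of being overwritten, derives Aliases.Quantity from the item list because UpdateDistribution rejects a mismatch, and waits for Deployed between steps as the article requires. The DNS change in step 2 is delegated to a callback because the article does not fix a DNS provider; the RecordingClient is an offline stand-in for boto3.client("cloudfront") for dry runs, and the distribution IDs and aliases are constructed.

```python
"""Wildcard cutover from the 'Use a wildcard to move the alternate domain name'
steps, expressed as boto3 CloudFront calls. Added example, not the article's
code. Assumes credentials that may UpdateDistribution on both distributions;
the DNS change (step 2) is delegated to a callback."""
import copy
from typing import Callable, Dict, List


def wildcard_for(alias: str, zone_apex: str) -> str:
    """www.example.com -> *.example.com. The apex itself cannot be covered by a
    wildcard, which is why the article sends cross-account apex moves to Support."""
    alias, zone_apex = alias.rstrip(".").lower(), zone_apex.rstrip(".").lower()
    if alias == zone_apex or not alias.endswith("." + zone_apex):
        raise ValueError(f"{alias} is the apex of {zone_apex} or lies outside it")
    return "*." + alias.split(".", 1)[1]


def with_aliases(config: Dict, items: List[str]) -> Dict:
    """Copy of a DistributionConfig with Aliases replaced; Quantity is derived
    from Items because the API rejects a mismatch between the two."""
    new = copy.deepcopy(config)
    new["Aliases"] = {"Quantity": len(items), "Items": list(items)}
    return new


def add_alias(config: Dict, alias: str) -> Dict:
    items = list(config.get("Aliases", {}).get("Items", []))
    if alias not in items:
        items.append(alias)
    return with_aliases(config, items)


def remove_alias(config: Dict, alias: str) -> Dict:
    items = [a for a in config.get("Aliases", {}).get("Items", []) if a != alias]
    return with_aliases(config, items)


def update_and_wait(client, dist_id: str, mutate: Callable[[Dict], Dict]) -> None:
    """Read-modify-write guarded by the ETag (IfMatch), then block until the
    distribution is Deployed, as the article requires between steps."""
    current = client.get_distribution_config(Id=dist_id)
    client.update_distribution(Id=dist_id, IfMatch=current["ETag"],
                               DistributionConfig=mutate(current["DistributionConfig"]))
    client.get_waiter("distribution_deployed").wait(Id=dist_id)


def move_alias_via_wildcard(client, source_id: str, target_id: str, alias: str,
                            zone_apex: str, update_dns: Callable[[str], None],
                            drop_wildcard: bool = True) -> str:
    """Steps 1-4 and 6 of the article, in order. Traffic moves at step 3."""
    wildcard = wildcard_for(alias, zone_apex)
    update_and_wait(client, target_id, lambda c: add_alias(c, wildcard))     # 1: wildcard on target
    update_dns(alias)                    # 2: CNAME -> target; source still serves the alias
    update_and_wait(client, source_id, lambda c: remove_alias(c, alias))     # 3: cutover happens here
    update_and_wait(client, target_id, lambda c: add_alias(c, alias))        # 4: exact alias on target
    if drop_wildcard:
        update_and_wait(client, target_id, lambda c: remove_alias(c, wildcard))  # 6: optional cleanup
    return wildcard


class RecordingClient:
    """Offline stand-in for boto3's CloudFront client (dry runs): keeps
    DistributionConfigs in memory, enforces IfMatch, and logs each update."""
    def __init__(self, configs: Dict[str, Dict]):
        self.configs, self.calls, self.etag = copy.deepcopy(configs), [], 0

    def get_distribution_config(self, Id):
        return {"DistributionConfig": copy.deepcopy(self.configs[Id]), "ETag": str(self.etag)}

    def update_distribution(self, Id, IfMatch, DistributionConfig):
        if IfMatch != str(self.etag):
            raise RuntimeError("PreconditionFailed: stale ETag")
        self.etag += 1
        self.configs[Id] = DistributionConfig
        self.calls.append((Id, list(DistributionConfig["Aliases"]["Items"])))

    def get_waiter(self, name):
        return self

    def wait(self, Id):
        pass


if __name__ == "__main__":
    # Dry run against the in-memory client; swap in boto3.client("cloudfront") for a real move.
    client = RecordingClient({"SRC": {"Aliases": {"Quantity": 1, "Items": ["www.example.com"]}},
                              "TGT": {"Aliases": {"Quantity": 0}}})
    move_alias_via_wildcard(client, "SRC", "TGT", "www.example.com", "example.com",
                            lambda a: print(f"DNS step: point {a} at the target distribution"))
    for dist_id, aliases in client.calls:
        print(dist_id, aliases)
```

Run as is for a dry run; for a real move, replace the RecordingClient with boto3.client("cloudfront") and pass a callback that changes the record in your DNS provider. Because each update waits for Deployed, a full move takes several deployment cycles, which matches the article's instruction to let each distribution deploy before the next step.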

7 Comments

Hi, I want to ask if something needs to be changed in the action list when I have the apex domain. In my case source and target distributions are in different AWS accounts but the source distribution can't be deactivated (production environment).

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 years ago

What do I do when the list-conflicting-aliases command doesn't list any other distributions other than the one I'm running the command for?

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

I followed the "Use a wildcard to move the alternate domain name" section and was able to perform a no-downtime cutover from one distribution to another.

However, this guide could be clearer in a number of areas:

  • Make it clear that traffic does not cut over until step 3 (when the alternate domain name is removed from the source distribution)
  • Clarify whether two (or more) distributions can share the same wildcard-based alternate domain name in parallel

It's surprising to me that the user-managed DNS record(s) that point the alternate domain name to the Cloudfront distribution don't actually control where traffic goes. It seems like Cloudfront implements some additional routing logic, such that the distribution your traffic gets routed to is primarily a function of where the alternate domain name is associated. While that makes sense given Cloudfront's global design, I would love to see some documentation that explains this behavior in more detail.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago

I tried using Amplify. It failed a deployment, but it created a CloudWatch distribution which is now blocking my CNAME from being attached to a successful deployment of a CloudWatch distribution I've created.

    { "ConflictingAliasesList": { "MaxItems": 100, "Quantity": 1, "Items": [ { "Alias": "<my cname>", "DistributionId": "******63JE7JU", "AccountId": "******095307" } ] } }

The account ending in 095307 is not my account, and this is not my distribution ID. I'm willing to wager that it's the Amplify service account ID, and that distribution ID is something the AWS team will need to delete before my CNAME is freed up again to connect to my successful CloudFront distribution.

replied a year ago