Cloudfront and Classic Load Balancer SSL certificate mismatch


I have a Vue.js app stored in an S3 bucket, with a CloudFront distribution pointing to that static-website-enabled origin. I have the domain names "mydomain.com" and "*.mydomain.com" (registered with Route 53) as the CloudFront distribution's Alternate Domain Names. I can access https://mydomain.com on the internet; I have Route 53 records pointing to the CloudFront distribution's domain, and the Custom SSL certificate is set to one created through AWS Certificate Manager (ACM).

Now, my backend server is hosted on an EC2 instance and does not handle HTTPS. I have set up a Classic Load Balancer in front of the EC2 instance to take the HTTPS requests and forward them as HTTP to my EC2 instance. The health checks pass at Ping Target "HTTP:8080/", and the listener is set to take HTTPS on Load Balancer Port 443 and forward it as HTTP on Instance Port 8080.

The CloudFront distribution and the load balancer share the same SSL certificate, and the certificate has the domains "mydomain.com" and "*.mydomain.com". When the frontend client (from https://mydomain.com) makes a network request to the DNS name of the load balancer, why does the browser give a net::ERR_CERT_COMMON_NAME_INVALID error? The CloudFront distribution and the load balancer share the same SSL certificate with the correct names, don't they?

1 Answer
Accepted Answer

Hello.
Is the access from Cloudfront to the Classic Load Balancer accessed by the domain used by ACM?
I think that the domain that is configured for Classic Load Balancer must be configured as a subdomain of "mydomain.com" to be able to use the ACM certificate.
Also, can you confirm that access to the Classic Load Balancer is normal when accessing it directly with HTTPS?
Please review the following documents for general troubleshooting instructions.
https://repost.aws/knowledge-center/cloudfront-https-connection-fails

answered 8 months ago
  • I think the domain used by ACM is accessing the CLB, though I'm not sure how to check that. Would I create that subdomain on Route 53, point records to the DNS of the load balancer, and also add that subdomain to the SSL certificate? I am not able to access the CLB directly with HTTPS. Edit: I created a subdomain with Route 53, and can now access the CLB directly with HTTPS. But the certificate already included *.mydomain.com

  • Once the domain is set up on the load balancer, the certificate issued by ACM must be configured. Please refer to the following document for the setup procedure. https://repost.aws/knowledge-center/associate-acm-certificate-alb-nlb

    Also, CloudFront should point the origin setting to the domain configured in the CLB.
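As an added example, not part of the question or the answer, here is the host-name check a browser applies to a certificate's Subject Alternative Names, run against the names from the question; the load balancer DNS name is a constructed placeholder. It shows why a request to the load balancer's own elb.amazonaws.com name fails while a Route 53 name under mydomain.com passes.

```python
# Added example: RFC 6125-style host-name matching against the DNS Subject
# Alternative Names (SANs) of a server certificate, using the names from the
# question. The load balancer DNS name is a constructed placeholder.

CERT_SANS = ["mydomain.com", "*.mydomain.com"]                  # names on the ACM cert
CLB_DNS_NAME = "my-clb-123456789.us-east-1.elb.amazonaws.com"   # constructed placeholder


def hostname_matches_san(hostname: str, sans) -> bool:
    """True if hostname is covered by one of the certificate's DNS SANs.

    A wildcard is honoured only as the whole leftmost label ("*.mydomain.com")
    and covers exactly one label: "api.mydomain.com" matches, while
    "mydomain.com" and "a.b.mydomain.com" do not.
    """
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "*" not in san[2:]:
            suffix = san[1:]                      # ".mydomain.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]   # the part the wildcard must cover
                if leftmost and "." not in leftmost:
                    return True
    return False


def diagnose_origin(hostname: str, sans=CERT_SANS) -> str:
    """Explain whether a browser would accept a cert with `sans` for `hostname`."""
    if hostname_matches_san(hostname, sans):
        return f"{hostname}: covered by the certificate"
    return (f"{hostname}: not covered by {sans}; browsers report "
            "ERR_CERT_COMMON_NAME_INVALID. Point a Route 53 record such as "
            "api.mydomain.com at the load balancer and call that name instead.")


if __name__ == "__main__":
    for name in ("mydomain.com", "api.mydomain.com", CLB_DNS_NAME):
        print(diagnose_origin(name))
```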
