
CloudFront: Adding alternate CNAME with imported cert into ACM fails

0

Hello,

I'm trying to update a CloudFront distribution with an alternate name that is a CNAME to the same CloudFront distribution. The certificate imported into ACM is valid and signed by Sectigo Limited.

When I try to add the alternate name I receive the message:

The certificate that is attached to your distribution was not issued by a trusted Certificate Authority. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements

I removed the other distribution that had this name, and the certificate was in use with this same CNAME without issues. Also I've tried invalidating the cache and updating the values again, with no luck.

So, I've checked:

  • Certificate authority (also the cert was already in use).
  • Validity.
  • CNAME points to CloudFront.
  • There are no duplicates.
  • Cert is configured in us-east-1, and it was being used in another cfn dist with the same CNAME.

Is it possible that something else is failing in cfn validation to input the alternate name?

2 Answers
3

CloudFront is more strict in that it validates the certificate chain, from leaf cert (i.e. actual cert) to intermediate cert(s).

You may want to re-import the cert and include the intermediate cert(s) in the Certificate chain section. To get the intermediate cert, this article may help.

Alternatively, you can also use ACM in the us-east-1 Region to request a free public TLS cert.

AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
0

Based on the information provided, it seems that you're encountering an issue with adding an alternate domain name (CNAME) to your CloudFront distribution using a certificate imported into AWS Certificate Manager (ACM). While you've already checked several important factors, there are a few additional points to consider:

  1. Certificate Chain: Ensure that the complete certificate chain, including any intermediate certificates, was properly imported into ACM. Sometimes, issues can arise if the full chain is not present.

  2. Certificate Format: Verify that the certificate was imported in the correct format. ACM has specific requirements for imported certificates.

  3. Region Specificity: Although you mentioned the certificate is configured in us-east-1, double-check that it's in this specific region, as CloudFront requires certificates to be in the US East (N. Virginia) region.

  4. ACM vs IAM: Confirm that you're using the certificate from ACM and not accidentally referencing an old IAM certificate store version.

  5. Certificate Expiration: Even though you've checked validity, ensure the certificate hasn't expired since it was last used.

  6. CloudFront Cache: While you've tried invalidating the cache, sometimes changes can take time to propagate. You might need to wait a bit longer for the changes to take effect.

  7. AWS Support: If all else fails and you've double-checked all these points, it might be worth contacting AWS Support. There could be an underlying issue with the CloudFront distribution or the way the certificate is being validated.

Remember, when moving an alternate domain name between distributions, it's important to follow the proper steps, including creating a DNS TXT record to validate your ownership of the alternate domain name. If you haven't done this, it might be worth revisiting that process.

If the issue persists after checking these points, you may need to consider re-importing the certificate into ACM or potentially obtaining a new certificate to resolve the problem.
Sources
Move an alternate domain name to a different distribution - Amazon CloudFront
Add an alternate domain name - Amazon CloudFront
Configure alternate domain names and HTTPS - Amazon CloudFront

answered a year ago
EXPERT
reviewed a year ago
  • 1 and 2 are unlikely, given that the certificate was correctly imported into ACM. 3. Region is us-east-1. 4. ACM. 5. Cert is valid. 6. I let time pass; how long would it be recommended to wait?
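As an added example (not code from either answer, nor from AWS), covering the first answer's advice to re-import the certificate with its intermediate chain and point 1 of the second answer: the script below inspects what `acm.get_certificate` returns for an already-imported certificate to see whether a `CertificateChain` is present at all, and builds the `import_certificate` request that puts the leaf and the intermediates in their separate fields. It assumes boto3 is installed, that the CA delivered a leaf-first PEM bundle in `fullchain.pem` with the key in `privkey.pem`, and uses a placeholder ARN; the sample PEM blocks are constructed stand-ins, not real certificates.

```python
"""
Added example, not code from the answers above: check whether an imported ACM
certificate carries its intermediate chain, and build the re-import request
that includes the chain when it does not. Stdlib only; the boto3 calls under
__main__ are assumptions about how you'd apply it and are not exercised here.
"""
import re

# Matches one PEM certificate block including its BEGIN/END armour.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-ins for a leaf and an intermediate (not real certificates).
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nINTER\n-----END CERTIFICATE-----"
SAMPLE_BUNDLE = SAMPLE_LEAF + "\n" + SAMPLE_INTERMEDIATE + "\n"


def count_certs(pem_text):
    """Number of PEM certificate blocks in a string (0 for None or empty)."""
    return len(PEM_CERT.findall(pem_text or ""))


def chain_status(get_certificate_response):
    """
    Summarise the response of acm.get_certificate / 'aws acm get-certificate'.
    ACM returns the leaf under 'Certificate' and the intermediates under
    'CertificateChain'; an import done with only the leaf has no chain,
    which matches the first answer's diagnosis of the CloudFront error.
    """
    leaf = get_certificate_response.get("Certificate", "")
    chain = get_certificate_response.get("CertificateChain", "")
    return {
        "leaf_present": count_certs(leaf) == 1,
        "intermediates": count_certs(chain),
        "needs_reimport": count_certs(chain) == 0,
    }


def split_bundle(bundle_text):
    """
    Split a CA-issued bundle (leaf first, then intermediates, as most CAs
    deliver it) into the two fields ACM wants: the leaf alone, and the chain
    made of everything after it.
    """
    certs = PEM_CERT.findall(bundle_text)
    if not certs:
        raise ValueError("no PEM certificates found in bundle")
    leaf = certs[0] + "\n"
    chain = "".join(c + "\n" for c in certs[1:])
    return leaf, chain


def import_request(bundle_text, private_key_text, existing_arn=None):
    """
    Build keyword arguments for acm.import_certificate. Refuses to build a
    request with an empty chain so the original mistake is not repeated;
    pass existing_arn to re-import over the certificate CloudFront references.
    """
    leaf, chain = split_bundle(bundle_text)
    if not chain:
        raise ValueError(
            "bundle holds only the leaf; download the intermediate "
            "certificate(s) from the CA and append them before importing"
        )
    req = {
        "Certificate": leaf.encode(),
        "PrivateKey": private_key_text.encode(),
        "CertificateChain": chain.encode(),
    }
    if existing_arn:
        req["CertificateArn"] = existing_arn
    return req


def demo():
    """Run the checks over the constructed samples; returns (status, request)."""
    no_chain = {"Certificate": SAMPLE_LEAF + "\n", "CertificateChain": ""}
    status = chain_status(no_chain)
    req = import_request(SAMPLE_BUNDLE, "KEY", existing_arn="arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE")
    return status, req


if __name__ == "__main__":
    import boto3  # assumption: boto3 installed and AWS credentials configured

    # CloudFront only reads ACM certificates from us-east-1.
    acm = boto3.client("acm", region_name="us-east-1")
    arn = "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE"  # placeholder
    status = chain_status(acm.get_certificate(CertificateArn=arn))
    print(status)
    if status["needs_reimport"]:
        with open("fullchain.pem") as f, open("privkey.pem") as k:  # assumed file names
            acm.import_certificate(**import_request(f.read(), k.read(), existing_arn=arn))
```

Re-importing over the existing ARN keeps the CloudFront distribution's reference valid, so the chain fix does not require editing the distribution's certificate setting afterwards.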
