DNS certificate is valid and installed on cloudfront distribution, but browser not recognizing


I let an email-validated certificate expire on an S3 bucket used for static web hosting so that I could switch to a DNS-validated cert. Historically the S3 bucket was reached through x.primarydomain.com, and is named accordingly.

I successfully requested the cert, updated my DNS, the cert validated quickly, and I successfully installed it on the associated cloudfront distribution. So all good, right? No. After 24 hours the browser is resolving to an expired certificate on our 3rd party website host that handles traffic on the primary domain, primarydomain.com.

I'm thinking the problem is the existence of a wildcard A record in our DNS that is pointing to the 3rd party host's server. Does this theory make sense?

1 Answer
Accepted Answer

Based on your description, it does sound like your DNS settings could be at the heart of this issue. Here are some things to check:

  1. Wildcard A Record: A wildcard A record can indeed cause problems as it will take precedence for any subdomains not explicitly defined in your DNS. If there is a wildcard A record pointing to the third party host's server, requests to your x.primarydomain.com may resolve to that server instead of your CloudFront distribution, which would then serve its own (possibly expired) certificate. You should check your DNS settings and make sure that there is an explicit A (or possibly CNAME) record pointing x.primarydomain.com to your CloudFront distribution.

  2. DNS Propagation: Even after updating your DNS records, the changes might not be immediately visible everywhere due to DNS propagation delay. It can take up to 48 hours (or even more in some rare cases) for DNS changes to propagate fully throughout the internet. If you've already waited this long and are still experiencing issues, this is likely not the problem.

  3. CloudFront Distribution Settings: Ensure that you have correctly configured your CloudFront distribution to use the custom SSL certificate. Verify that your CloudFront distribution is associated with the correct domain name (x.primarydomain.com) and that the new SSL certificate is assigned to the distribution.

  4. Certificate Validation: Also, verify the details of the SSL certificate. Ensure that it is valid, issued for x.primarydomain.com, and trusted by the browser. You can use online tools like SSL Labs' SSL Server Test to diagnose issues with your SSL configuration.

If all of the above is in order, the problem may lie somewhere else. It's always recommended to work closely with your DNS provider and AWS support when diagnosing these kinds of issues.

EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
  • Ivan is spot on

  • Thanks, Gary! rePost-User-7689836 If the answer is helpful, please click "Accept Answer" and upvote it.

  • Thanks so much for your thorough info. I had inadvertently deleted the CNAME record pointing to CloudFront (insert facepalm). Restoring that fixed everything, and the wildcard A record remains with now no ill effect.
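The DNS rule that both the answer and the final comment turn on can be shown in a few lines. The following is an added example, not code from the original thread or from AWS: it models a zone like the asker's (a wildcard A record for the third-party host, plus a CNAME for the static-site subdomain pointing at CloudFront) and applies the wildcard rule from RFC 4592, under which an explicit record for a name always answers and a wildcard only answers for names that do not otherwise exist in the zone. Deleting the CNAME is exactly what lets the wildcard capture x.primarydomain.com and hand the browser the third-party host's expired certificate. The domain, the 203.0.113.10 address and the d111111abcdef8.cloudfront.net hostname are placeholders; the `served_certificate` helper needs network access and is only a convenience for the live check.

```python
"""Which DNS record answers x.primarydomain.com, and which TLS cert follows?

Constructed zone data (placeholder names and a TEST-NET address); the
wildcard logic follows RFC 4592 section 2.2.1.
"""
import socket
import ssl
from collections import defaultdict


class Zone:
    """Minimal in-memory zone: owner name -> list of (rrtype, rdata)."""

    def __init__(self, origin):
        self.origin = self._norm(origin)
        self.records = defaultdict(list)

    @staticmethod
    def _norm(name):
        return name.rstrip(".").lower()

    def add(self, owner, rrtype, rdata):
        self.records[self._norm(owner)].append((rrtype.upper(), rdata))

    def remove(self, owner, rrtype=None):
        """Delete all records at owner, or only those of one type."""
        owner = self._norm(owner)
        if rrtype is None:
            self.records.pop(owner, None)
            return
        kept = [r for r in self.records.get(owner, []) if r[0] != rrtype.upper()]
        if kept:
            self.records[owner] = kept
        else:
            self.records.pop(owner, None)

    def name_exists(self, name):
        """A name 'exists' if it owns records or is an ancestor of one that
        does (an empty non-terminal); either blocks a wildcard match."""
        name = self._norm(name)
        return any(o == name or o.endswith("." + name) for o in self.records)

    def lookup(self, name):
        """Return (matched owner, records) or (None, []) for NXDOMAIN."""
        name = self._norm(name)
        if name in self.records:               # explicit record wins
            return name, list(self.records[name])
        labels = name.split(".")
        for i in range(1, len(labels)):        # walk up to the closest encloser
            encloser = ".".join(labels[i:])
            if self.name_exists(encloser):
                wildcard = "*." + encloser
                if wildcard in self.records:   # wildcard directly below it?
                    return wildcard, list(self.records[wildcard])
                return None, []                # encloser exists, no wildcard
        return None, []


def endpoint_for(zone, name):
    """The answer a resolver would return: (owner matched, rrtype, rdata).
    A CNAME whose target lies outside the zone (the CloudFront alias) is
    returned as-is; None means NXDOMAIN."""
    owner, rrs = zone.lookup(name)
    if not rrs:
        return None
    cnames = [r for r in rrs if r[0] == "CNAME"]
    rrtype, rdata = cnames[0] if cnames else rrs[0]
    return owner, rrtype, rdata


def example_zone():
    """Constructed zone mirroring the question (placeholder values)."""
    z = Zone("primarydomain.com")
    z.add("primarydomain.com", "A", "203.0.113.10")        # third-party web host
    z.add("*.primarydomain.com", "A", "203.0.113.10")      # wildcard to same host
    z.add("x.primarydomain.com", "CNAME", "d111111abcdef8.cloudfront.net")
    return z


def served_certificate(host, port=443, timeout=5.0):
    """Live check (needs network): connect with SNI for `host` and report
    whether the presented certificate validates, its DNS SANs and expiry.
    A wildcard-captured name shows up as verified=False with OpenSSL's reason
    (e.g. 'certificate has expired' or a hostname mismatch)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"verified": True, "sans": sans, "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        return {"verified": False, "reason": exc.verify_message}


if __name__ == "__main__":
    z = example_zone()
    print("with CNAME:    ", endpoint_for(z, "x.primarydomain.com"))
    print("a.x (x exists):", endpoint_for(z, "a.x.primarydomain.com"))
    z.remove("x.primarydomain.com", "CNAME")               # the accidental deletion
    print("CNAME deleted: ", endpoint_for(z, "x.primarydomain.com"))
```

The third lookup is the subtle case: while x.primarydomain.com exists, `a.x.primarydomain.com` is NXDOMAIN rather than a wildcard hit, because the wildcard only applies below the closest encloser. Against real DNS the equivalent checks are `dig +noall +answer x.primarydomain.com CNAME` (you want the cloudfront.net target, not the wildcard's address) and `openssl s_client -connect x.primarydomain.com:443 -servername x.primarydomain.com`, which shows whose certificate is actually being served.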
