403 Error with SSL Cloudfront Static S3 website

0

Hi,

First time posting here so please be gentle :-)

I have set up a very basic S3 site with a domain name using Route 53. All works swell on HTTP. I have followed a few guides and am banging my head against a brick wall. I used AWS Certificate Manager to create a wildcard certificate for *.mydomainname.com.... all works fine. Created the CNAME records required in Route 53; all looks ok.

Created a Cloudfront distribution and attached the certificate, and pointed to my S3 endpoint.

I then updated my A name records to point to my CloudFront distribution. On http I get a 403 error, on https I now get an error of: "This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner."

When I curl the domain I get the following errors on http and https on my domain and cloudfront domain name

C:\Users>curl -I http://example.cloudfront.net
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Tue, 03 Sep 2019 13:17:52 GMT
Content-Type: text/html
Content-Length: 183
Connection: keep-alive
Location: https://mysite.cloudfront.net/
X-Cache: Redirect from cloudfront
Via: 1.1 example.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR62-C2
X-Amz-Cf-Id: S1MQtfkSEz9ZCMJwJMBmXY2s-EuKqKbOvr8ncQJVHknlqN6dt5Qkpg==

C:\Users>curl -I https://example.cloudfront.net
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 234
Connection: keep-alive
Date: Tue, 03 Sep 2019 13:04:32 GMT
Cache-Control: no-cache
Last-Modified: Sat, 10 Aug 2019 19:57:14 GMT
ETag: "ba30a221741da38d0f133cfd1524a452"
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 (CloudFront)
X-Amz-Cf-Pop: LHR62-C2
X-Amz-Cf-Id: b0HMW-WdPpe5ffTrJCc69uXil_3FSyjV0YDekoQ7k23r1cRO21Ubvg==

C:\Users>curl -I http://mysite.com
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Tue, 03 Sep 2019 13:05:15 GMT
Content-Type: text/html
Content-Length: 556
Connection: keep-alive
X-Cache: Error from cloudfront
Via: 1.1 415cafe4893fa18caeab8a2e966de6c1.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR62-C2
X-Amz-Cf-Id: MtGq2dHVISm9pKZqfdbpjqfjekV5Mp6j8ZvGhGo-x3Aqau9fBzpZtA==

C:\Users>curl -I https://mysite.com
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

Someone please help as I'm not sure what I'm doing wrong, probably DNS, but it all looks ok to me and the Amazon support seems to be telling me the same thing over and over. Thank you in advance.

asked 5 years ago, 1357 views
4 Answers
0
Accepted Answer

Pieceratops wrote:

Thank you for replying it is much appreciated. In my certificate I have additional names for www.mysite.com and mysite.com of which I have CNAME entries in Route 53. Is that enough?

Yes, that should be enough for the certificate.

1) it looks like your "mysite.com" domain is not associated with your CloudFront distribution through an alternate domain name entry.

I thought this was done through association at the beginning of the cloudfront set up? So I used my S3 as the origin?

I see that you've set up S3 as your origin, but when I view your CloudFront distribution settings, the only internet domain name associated with it from a customer viewer point of view is d123.cloudfront.net name. With that name, only the default CloudFront certificate will be used. Even if you have Route 53 correctly configured to point 'mysite.com' to your CloudFront distribution, CloudFront won't recognize the incoming request as one that's associated with your distribution, because you don't have the alternate domain entry configured. (Or if you do, I can't see it and there's a defect that we need to look into.)

Follow ONE of these:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-cloudfront-distribution.html has instructions that make it a one stop shop;
-OR-
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html#cnames-and-https-updating-cloudfront takes you through a bit more of the CloudFront console pages, and explains the different CloudFront options.

I would also suggest turning on logs, especially while getting things set up; they're a huge help for debugging. If you're concerned about having logs pile up, you can configure S3 to automatically delete them after a short period of time.

I have CNAME entries for mysite.com and www.mysite.com which were automatically created when I requested the cert (the handiness of using Route 53), are these just for the validation? I changed them to point to the cloudfront distribution but nothing seems to have changed?

I have A records for mysite.com and www.mysite.com both pointing to my S3 bucket. I know this is something stupid I am doing but I have tried so many different combinations that I'm baffled now

Edited by: RonS@AWS on Sep 5, 2019 6:47 PM --removed extra instructions that weren't required any longer--

AWS
answered 5 years ago
EXPERT
reviewed 3 days ago
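The four curl captures in the question already tell which layer answered each request, which is what the accepted answer is reading off the distribution settings. Below is an added example (editor's code, not from this thread or from AWS) that parses those captures and classifies them by the Server and X-Cache headers: a 403 with Server: CloudFront and X-Cache: Error from cloudfront was generated by CloudFront itself before any origin was contacted, which is the signature of a host name that no distribution claims through an alternate domain name; a 403 with Server: AmazonS3 would instead mean the bucket rejected the request. The classification labels are the editor's, and the sample inputs are the header captures from the question, trimmed.

```python
# Added example, not code from the thread: triage curl -I captures against
# CloudFront. Sample inputs below are copied (trimmed) from the question.
SAMPLES = {
    "cf_http": """HTTP/1.1 301 Moved Permanently
Server: CloudFront
Location: https://mysite.cloudfront.net/
X-Cache: Redirect from cloudfront
""",
    "cf_https": """HTTP/1.1 200 OK
Content-Type: text/html
Server: AmazonS3
X-Cache: Miss from cloudfront
""",
    "site_http": """HTTP/1.1 403 Forbidden
Server: CloudFront
Content-Type: text/html
X-Cache: Error from cloudfront
""",
    # No HTTP response at all: the TLS handshake was rejected.
    "site_https": "curl: (35) schannel: next InitializeSecurityContext failed: "
                  "SEC_E_ILLEGAL_MESSAGE (0x80090326)",
}


def parse_response(text):
    """Return (status_code, headers) from a curl -I capture.

    Returns (None, {}) when the capture is a curl error rather than an
    HTTP response.
    """
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    if not lines or not lines[0].startswith("HTTP/"):
        return None, {}
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def diagnose(text):
    """Classify a capture by who produced the response (labels are the editor's)."""
    text = text.strip()
    status, h = parse_response(text)
    if status is None:
        # curl exit 35 is a TLS-level failure: CloudFront never sent HTTP.
        # Consistent with no distribution (and so no custom certificate)
        # being selected for the requested host name.
        return "tls-handshake-failed" if text.startswith("curl: (35)") else "unknown"
    server = h.get("server", "")
    xcache = h.get("x-cache", "")
    if status == 301 and xcache.startswith("Redirect"):
        # Viewer protocol policy redirecting HTTP to HTTPS; the distribution matched.
        return "cloudfront-redirect-to-https"
    if status == 403 and server == "CloudFront":
        # CloudFront answered on its own, without contacting S3: the host
        # name is not an alternate domain name on any distribution.
        return "cloudfront-rejected-host"
    if status == 403 and server == "AmazonS3":
        # The request reached the bucket and the bucket denied it
        # (bucket policy / origin access), a different problem entirely.
        return "origin-denied"
    if status == 200 and server == "AmazonS3":
        return "served-from-origin"
    return "unknown"


if __name__ == "__main__":
    for name, capture in SAMPLES.items():
        print(f"{name:10s} -> {diagnose(capture)}")
```

Run stand-alone it prints one line per capture; the two captures for the bare domain come out as `cloudfront-rejected-host` and `tls-handshake-failed`, both pointing at the distribution rather than at DNS or the bucket, which is the distinction the accepted answer draws.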
0

Hi there-- There's a couple of things you need to do to make that last step work:

  1. it looks like your "mysite.com" domain is not associated with your CloudFront distribution through an alternate domain name entry.
  2. Pay attention to https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements. Specifically, you say that your cert is for *.mysite.com, however you attempted to connect to 'mysite.com'. The cert that you're associating with your account will treat those differently.

Hopefully those two things will get you launched!

AWS
answered 5 years ago
EXPERT
reviewed 3 days ago
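Point 2 of this answer is the wildcard rule: a certificate name of `*.mysite.com` covers exactly one label, so it matches `www.mysite.com` but neither the apex `mysite.com` nor a deeper name such as `a.b.mysite.com`. The added example below (editor's code, not from the thread or from AWS) implements that matching and then applies it the way both answers need it: every host name the site will serve must be listed as an alternate domain name on the distribution, and every alternate domain name must be covered by a name on the attached certificate. The host names and certificate names are the placeholders from the thread (`mysite.com`); the function names are the editor's.

```python
# Added example, not code from the thread: certificate-name coverage checks
# for a CloudFront distribution. Names below are the thread's placeholders.


def name_matches(cert_name, hostname):
    """True if a certificate name (possibly a single-label wildcard) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]               # "*.mysite.com" -> ".mysite.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]     # "www.mysite.com" -> "www"
        # The wildcard stands for exactly one non-empty label, so the apex
        # ("" left over) and multi-label prefixes ("a.b") are not covered.
        return label != "" and "." not in label
    return cert_name == hostname


def uncovered_hosts(cert_names, hostnames):
    """Host names that no name on the certificate covers."""
    return [h for h in hostnames if not any(name_matches(c, h) for c in cert_names)]


def distribution_problems(hostnames, alternate_domain_names, cert_names):
    """Return (hosts missing as alternate domain names, alternate names the cert lacks).

    Both lists must be empty before a viewer can reach the distribution
    under a custom name over HTTPS.
    """
    listed = {a.lower().rstrip(".") for a in alternate_domain_names}
    not_listed = [h for h in hostnames if h.lower().rstrip(".") not in listed]
    uncovered = uncovered_hosts(cert_names, alternate_domain_names)
    return not_listed, uncovered


if __name__ == "__main__":
    hosts = ["mysite.com", "www.mysite.com"]
    # The situation in the question: wildcard-only cert, no alternate names yet.
    print(distribution_problems(hosts, [], ["*.mysite.com"]))
    # After adding the apex to the cert and both names to the distribution.
    print(distribution_problems(hosts, hosts, ["*.mysite.com", "mysite.com"]))
```

With only `*.mysite.com` on the certificate, `uncovered_hosts` reports `mysite.com`; adding the apex as an additional name (as the asker did) clears that, and the remaining output is the list of names still missing from the distribution, which is what the accepted answer fixed.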
0

Hi,

Thank you for replying it is much appreciated. In my certificate I have additional names for www.mysite.com and mysite.com of which I have CNAME entries in Route 53. Is that enough?

1) it looks like your "mysite.com" domain is not associated with your CloudFront distribution through an alternate domain name entry.

I thought this was done through association at the beginning of the cloudfront set up? So I used my S3 as the origin?

I have CNAME entries for mysite.com and www.mysite.com which were automatically created when I requested the cert (the handiness of using Route 53), are these just for the validation? I changed them to point to the cloudfront distribution but nothing seems to have changed?

I have A records for mysite.com and www.mysite.com both pointing to my S3 bucket. I know this is something stupid I am doing but I have tried so many different combinations that I'm baffled now :-(

Thanks again

Edited by: Pieceratops on Sep 4, 2019 12:03 AM

Edited by: Pieceratops on Sep 4, 2019 12:17 AM

Edited by: Pieceratops on Sep 4, 2019 1:08 AM

answered 5 years ago
0

Thank you! I had not created the alternate domains on my cloudfront distribution! Once I did that the http to https redirect started working correctly.

Many thanks again for your help.

answered 5 years ago
