SSL/TLS Certificate Issue on CloudFront Distribution for Static Website


Hello AWS Community,

I am encountering a persistent issue with my SSL/TLS certificate not being recognized by CloudFront for my static website hosted on an S3 bucket. Despite following AWS documentation and various troubleshooting steps, I am unable to resolve the issue. Below are the details of the problem and the steps I have taken:

Issue:

  • My domains are resolving correctly to the CloudFront distribution, but browsers and SSL checkers report that no SSL certificates are found.
  • The website is not accessible via HTTPS and HTTP, and SSL Labs reports "Failed to communicate with the secure server."

Environment Setup:

  • The website is hosted on an S3 bucket, configured for static website hosting.
  • CloudFront distribution is set up with the S3 bucket as the origin.
  • An SSL/TLS certificate from AWS ACM has been issued and associated with the CloudFront distribution.
  • DNS records on Route 53 are correctly pointing to the CloudFront distribution.

Steps Taken:

  1. Verified DNS Propagation: Confirmed that DNS has fully propagated, and the domain is pointing to the correct CloudFront Distribution using WhatsMyDNS.
  2. Checked CloudFront Distribution: Ensured the distribution is correctly configured, SSL/TLS certificate is valid, and Origin Domain Name is set correctly.
  3. Checked S3 Bucket Configuration: Validated the S3 bucket configuration and permissions.
  4. Checked Error Codes: No specific error codes are received that could point to the problem.
  5. Enabled Access Logs: Inspected access logs for the CloudFront distribution.
  6. Invalidated CloudFront Cache: Created invalidation in CloudFront after making changes to the S3 bucket.
  7. Verified SSL/TLS Certificate: Reconfirmed that the SSL/TLS certificate is correctly associated with the CloudFront distribution and covers both www and non-www versions of the domain.

Despite these efforts, the issue persists. The CloudFront distribution appears online, but the SSL/TLS certificate is still not recognized. I have waited for several hours for potential propagation and settings to take effect, but there has been no change.

I would greatly appreciate any insights or suggestions on what might be going wrong, or any additional steps I can take to troubleshoot and resolve this issue.

Thank you in advance for your assistance!

2 Answers
Accepted Answer

Hello.

Is it possible to access CloudFront by its DNS name (yyyyy.cloudfront.net)?
Is OAC configured in the S3 bucket policy?
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Also, for CloudFront, I assume you have tied the domain and the SSL certificate using the settings in the following document, but are you sure you have configured it correctly?
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html

EXPERT
answered 7 months ago
AWS EXPERT
reviewed 7 months ago

Hello everyone, thank you for your help, guys!

I have resolved the issue I was facing with the SSL/TLS certificate not being recognized by CloudFront for my static website hosted on an S3 bucket. I want to share the solution with the community in case anyone else encounters a similar problem.

The key to solving this problem was adjusting the configuration between Amazon S3 and Amazon CloudFront. Specifically, I needed to disable the Static Website Hosting feature on my S3 bucket. This adjustment revealed additional settings related to Origin Access Control (OAC) in the CloudFront Distribution settings, which were not visible before.

After disabling the Static Website Hosting, I went back to my CloudFront distribution. Under the "Origins and Origin Groups" tab, I edited the origin settings. The option to configure Origin Access Control (OAC) was now available, and I set it up according to the AWS documentation.

Update S3 Bucket Policy:

I updated the S3 bucket policy to grant permission to the CloudFront distribution. After making these changes and waiting for the CloudFront distribution to deploy, the SSL/TLS certificate was recognized, and the website is now accessible over HTTPS.

I hope this solution can help others facing similar challenges. I appreciate the support and suggestions provided by the community members, which guided me in the right direction.

Thank you,

Kirill
answered 7 months ago
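
An added example, not part of the original posts: a small offline check of the bucket policy step described in the answer above. It confirms that read access is granted to the CloudFront service principal and pinned to one distribution, following the OAC policy shape in the AWS documentation linked in the accepted answer. The bucket name, account ID, distribution ID and both sample policies are constructed placeholders, and `audit_oac_policy` is a hypothetical helper name.

```python
import json

# Constructed sample values: bucket name, account ID and distribution ID are placeholders.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
BUCKET = "example-static-site"

GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
    },
})
# Constructed counter-example: a public-read policy of the kind used with S3 website endpoints.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_oac_policy(policy_json, bucket, dist_arn):
    """Return a list of findings; an empty list means the policy matches the OAC pattern."""
    stmts = _as_list(json.loads(policy_json).get("Statement", []))
    findings, granted = [], False
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append("wildcard principal: objects may be readable without CloudFront")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" not in services:
            continue
        # Condition keys are case-insensitive in IAM, so normalise before lookup.
        cond = {k.lower(): v for k, v in s.get("Condition", {}).get("StringEquals", {}).items()}
        if dist_arn not in _as_list(cond.get("aws:sourcearn", [])):
            findings.append("cloudfront principal not pinned to this distribution (AWS:SourceArn)")
        elif "s3:GetObject" in _as_list(s.get("Action")) and f"arn:aws:s3:::{bucket}/*" in _as_list(s.get("Resource")):
            granted = True
    if not granted:
        findings.append("no s3:GetObject grant for this distribution")
    return findings
```

To check a real bucket, pass in the policy document exported from the S3 console's Permissions tab along with your own bucket name and distribution ARN.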
