I want to create an S3 bucket in the Frankfurt zone, and make the files accessible with the URL: https://files.stample.co/filename
So I want both HTTPS, and a custom DNS alias (CNAME) at the same time.
According to what I understand, Amazon has a wildcard certificate for URL https://*.s3.amazonaws.com.
So this wildcard will:
https://stample-files.s3.amazonaws.com
https://files.stample.co.s3.amazonaws.com
So what I understand, and confirmed by other StackOverflow posts, is that if I want SSL to work I have to use a bucket name with no dot, otherwise the Amazon certificate with wildcard won't match the bucket domain.
On this S3 documentation, under the Customizing Amazon S3 URLs with CNAMEs section:
Depending on your needs, you might not want "s3.amazonaws.com" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/.
The bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.
This seems to be for technical reasons because otherwise Amazon can't know the bucket we try to target:
Because Amazon S3 sees only the original host name www.example.com and is unaware of the CNAME mapping used to resolve the request, the CNAME and the bucket name must be the same.
So what I understand here is that for the CNAME to work, we have to use dots in the bucket name.
If I use dots in the bucket name:
If I don't use dots in the bucket name:
I've tested both cases and could not make SSL and CNAME work fine together.
What can I do to make both work? It seems to me that what I want to achieve is not very fancy...
It seems it is currently not possible to do by using S3 only, but it is possible with CloudFront as it supports custom certificates.
CloudFront is not very expensive and can even be cheaper than S3 in some cases. It supports custom certificates for free when using SNI (however, it's not supported by older browsers like < IE7, < Chrome 6, < Firefox 2.0).
I'll take as an example that you want to use https://files.mydomain.com to point to an S3 bucket called mydomain-files (the bucket name does not matter and can contain dots).
According to "Michael - sqlbot"'s answer, it is required to use a custom certificate. My initial assumption was that using a CNAME would permit using the Amazon S3 wildcard certificate while using my custom domain, but this was false: a custom certificate is absolutely required, and it is possible to set up with CloudFront only, not S3.
You can use whatever certificate provider you want, but here I take StartSSL (StartCom), which provides free SSL certificates (limited to one subdomain and 1 year, however).
mydomain.com
files.mydomain.com
# strip the passphrase from the key; IAM needs an unencrypted private key
openssl rsa -in files.key -out files.key
# build the chain file: StartSSL intermediate first, then the root CA
cat sub.class1.server.ca.pem ca.pem >> chain.crt
/cloudfront/
# upload under an IAM path starting with /cloudfront/ so CloudFront can select the certificate
aws iam upload-server-certificate --server-certificate-name CUSTOM_CERTIFICATE_NAME --certificate-body file://files.crt --private-key file://files.key --certificate-chain file://chain.crt --path /cloudfront/CUSTOM_PATH/
files.mydomain.com
CUSTOM_CERTIFICATE_NAME (you choose when uploading)
https://xyzxyzxyz.cloudfront.net/file
mydomain.com
DNS configuration
files IN CNAME xyzxyzxyz.cloudfront.net
You should now be able to access your files with https://files.mydomain.com/file. The certificate will be your custom certificate generated for files.mydomain.com, so everything will work fine.
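The two constraints discussed in the question (the S3 wildcard certificate covers only one DNS label, while a CNAME to S3 forces the bucket name to equal the custom hostname) and the conclusion of the accepted answer (a custom certificate on CloudFront is the only way) can be modelled in a few lines. This is an added example, not code from the question or any answer; it uses the hostnames that appear on the page (stample-files, files.stample.co, files.mydomain.com, xyzxyzxyz.cloudfront.net) and otherwise only constructed inputs. It goes slightly beyond the thread by implementing the general one-label wildcard rule rather than just the S3 case.

```python
# Added example (not code from the question or the answers): models the two
# rules the thread describes so you can see why no bucket name satisfies
# both on S3 alone, and why putting CloudFront in front removes the conflict.
# Hostnames below are the ones used on the page; anything else is constructed.

S3_SUFFIX = ".s3.amazonaws.com"
S3_WILDCARD_CERT = "*" + S3_SUFFIX   # name on the certificate S3 presents


def wildcard_matches(pattern: str, host: str) -> bool:
    """Hostname matching the way browsers do it (RFC 6125): a leading '*'
    covers exactly one DNS label, so it never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # e.g. ".s3.amazonaws.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def bucket_for_cname(custom_host: str) -> str:
    """S3 only sees the Host header the browser sent, not the CNAME that
    led there, so a CNAME straight to S3 only reaches the right bucket
    when the bucket is named exactly like the custom hostname."""
    return custom_host.lower().rstrip(".")


def s3_cert_matches(bucket: str) -> bool:
    """Does the S3 wildcard certificate cover <bucket>.s3.amazonaws.com?"""
    return wildcard_matches(S3_WILDCARD_CERT, bucket + S3_SUFFIX)


def s3_only(custom_host: str, bucket: str) -> dict:
    """Evaluate a direct CNAME from custom_host to <bucket>.s3.amazonaws.com."""
    cname_ok = bucket == bucket_for_cname(custom_host)
    cert_ok = s3_cert_matches(bucket)
    return {
        "bucket": bucket,
        "cname_ok": cname_ok,
        "cert_ok": cert_ok,
        "https_over_custom_domain": cname_ok and cert_ok,
    }


def s3_only_possible(custom_host: str) -> bool:
    """The CNAME rule allows exactly one bucket name (the hostname itself);
    report whether that bucket also passes the certificate check."""
    only_bucket = bucket_for_cname(custom_host)
    return s3_only(custom_host, only_bucket)["https_over_custom_domain"]


def cloudfront_setup_ok(custom_host: str, dns_target: str, cert_names: list) -> bool:
    """With CloudFront in front, the bucket name drops out of the picture:
    DNS must point at the distribution, and the custom certificate uploaded
    to IAM (selected via SNI) must cover the custom hostname."""
    dns_ok = dns_target.lower().rstrip(".").endswith(".cloudfront.net")
    cert_ok = any(wildcard_matches(name, custom_host) for name in cert_names)
    return dns_ok and cert_ok


if __name__ == "__main__":
    # Both candidate bucket names from the question, evaluated against S3 alone.
    for candidate in ("stample-files", "files.stample.co"):
        print(s3_only("files.stample.co", candidate))
    print("S3 alone can serve HTTPS on the custom domain:",
          s3_only_possible("files.stample.co"))
    # The answer's CloudFront route: DNS CNAME to the distribution plus a
    # certificate issued for files.mydomain.com.
    print("CloudFront route works:", cloudfront_setup_ok(
        "files.mydomain.com", "xyzxyzxyz.cloudfront.net", ["files.mydomain.com"]))
```

Running it prints one line per candidate bucket: stample-files passes the certificate check but fails the CNAME rule, files.stample.co passes the CNAME rule but fails the certificate check, and s3_only_possible is False because the single bucket name the CNAME rule permits always contains a dot. The CloudFront check succeeds with either an exact certificate for files.mydomain.com or a *.mydomain.com wildcard.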