Tags: css, ssl, amazon-s3, amazon-cloudfront, bucket

Cloudfront domain name not working to redirect HTTP to HTTPS using S3, Cloudfront, and Route 53


First post here - hello fellow stackoverflowers :)

Website issue. Bought domain on Google, hosting on S3. Used Route 53 to redirect requests. Created 2 public buckets in S3, example.com and www.example.com (example.com redirecting to www).
WEBSITE WORKS - YES! Now let's get it HTTPS.
Got the SSL Amazon certificate for *.example.com via Route 53 DNS confirmation. Uploaded it to my CloudFront distribution (and in the parameters ensured HTTP redirects to HTTPS).
Following this article (How to redirect HTTP to HTTPS using S3, Cloudfront, and Route 53 using naked domains?), I now need to redirect requests from Route 53 towards the CloudFront domain name.

But the CloudFront domain name gives an error message (see below). Where could it come from? (I understand this should be the HTTPS website link, no?)

[Image: error message]

FYI, I don't use an EC2 instance. I understand there is another way of getting an SSL certificate by going through providers like Namecheap, but it seems much more complicated (compared to Amazon doing it for free).


Solution

  • Probably your CloudFront origin is pointing at the wrong endpoint. Don't pick the auto-suggested bucket from the origin list; instead, explicitly copy the endpoint shown in your S3 bucket under "Static website hosting", which should look something like example.com.s3-website-us-east-1.amazonaws.com. Otherwise you're pointing at the S3 bucket HTTP interface, not the website host.

    Just to make sure, the entire process is basically:

    1. Set up the domain zone in Route 53 first, so it exists for the next step.
    2. In region US-East-1 (N. Virginia, important!), create a certificate request for the domain in Certificate Manager. Use DNS validation, and let AWS auto-insert the required records to your Route 53 configuration you created in 1.
    3. Create the S3 bucket.
    4. Explicitly set a custom bucket policy to allow anonymous access.
    5. Enable "Static website hosting" for the bucket. Note the displayed endpoint.
    6. Create a CloudFront distribution, add your domain name as Alternate Domain Name, choose the certificate created in 2. from the list, add the endpoint noted in 5. as origin.
    7. Update the Route 53 configuration to add an A (and AAAA) alias record, pointing to the CloudFront distribution, which you can choose from the auto-suggested list.
    8. Wait until everything is deployed.

    You'd especially want to create the certificate as described, since this allows it to auto-renew and you won't have to worry about it. CloudFront can only automatically use certificates created in region US-East-1; creating your certificates elsewhere means you'll need to down/upload them manually, and do that every time they expire.
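
A check for the points this answer stresses, as an added example that is not part of the original answer: it audits a DistributionConfig dict shaped like the output of "aws cloudfront get-distribution-config". The function name, both sample configs, the account ID and the certificate ARN are constructed for illustration.

```python
import re

# Hostname shapes of the S3 website endpoint and the S3 REST endpoint.
WEBSITE_RE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
REST_RE = re.compile(r"\.s3[.-]([a-z0-9-]+\.)?amazonaws\.com$")

def audit_distribution(config, domain):
    """Return findings for one DistributionConfig dict (empty list = OK)."""
    findings = []
    # Step 6: the origin must be the "Static website hosting" endpoint.
    for origin in config.get("Origins", {}).get("Items", []):
        host = origin.get("DomainName", "").lower()
        is_rest = REST_RE.search(host) or "S3OriginConfig" in origin
        if is_rest and not WEBSITE_RE.search(host):
            findings.append(f"origin {host} is the S3 REST endpoint")
    # Step 6: the site's domain must be an Alternate Domain Name.
    aliases = [a.lower() for a in config.get("Aliases", {}).get("Items", [])]
    if domain.lower() not in aliases:  # wildcard aliases are not evaluated
        findings.append(f"{domain} is not in Aliases")
    # Step 2: the certificate should be an ACM one issued in us-east-1.
    parts = config.get("ViewerCertificate", {}).get("ACMCertificateArn", "").split(":")
    if len(parts) < 4:
        findings.append("no ACM certificate attached")
    elif parts[3] != "us-east-1":
        findings.append(f"certificate region is {parts[3]}")
    # Goal of the question: plain HTTP is redirected to HTTPS.
    policy = config.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy")
    if policy != "redirect-to-https":
        findings.append(f"ViewerProtocolPolicy is {policy}")
    return findings

# Constructed sample: origin picked from the auto-suggested bucket list.
MISCONFIGURED = {
    "Aliases": {"Quantity": 0},
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "site", "DomainName": "www.example.com.s3.amazonaws.com",
        "S3OriginConfig": {"OriginAccessIdentity": ""}}]},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
}
# Constructed sample: the setup the answer describes (placeholder ARN).
CORRECTED = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "Origins": {"Quantity": 1, "Items": [{
        "DomainName": "www.example.com.s3-website-us-east-1.amazonaws.com",
        "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"},
}
```

Calling audit_distribution(MISCONFIGURED, "www.example.com") returns four findings, and the same call on CORRECTED returns an empty list.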