This has worked very well for many years.
Recently I had to recreate my CloudFront distribution. So firstly I temporarily pointed search.jthinkws.com to the jthinkws.elasticbeanstalk.com domain, then disabled and deleted the old distribution, and then created a new CloudFront distribution. But it is no longer working because it will not allow me to add search.jthinkws.com as an alternate CNAME because it has no security certificate:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements
So I went to AWS Certificate Manager to get a certificate, but it says if I use DNS validation then AWS will create CNAME records that cannot be modified. I am concerned this will break my configuration. Whois doesn't list any email addresses (although they are visible within the company that I pay for the domain name) so I'm not confident that will work either.
Any help appreciated.
Okay I have it working.
If you validate with DNS the record it creates is not for the domain but a subdomain such as
_72d863ce40127aac000cf4d20fe972ea.search.jthinkws.com
rather than
search.jthinkws.com
so it doesn't affect configuration. Also, if AWS is the DNS manager for these domains then it can create the Route53 records for you.
A couple of problems I had:
When I first created the certificate it was created in my default region, EU-West (Ireland), but it turns out they have to be created in US East (Virginia) for CloudFront to be able to use them.
You have to enter the ARN of the certificate into CloudFront. There is no dropdown, so you have to go to Certificate Manager, view the certificate and copy and paste the ARN field,
e.g.
arn:aws:acm:us-east-1:623196878787496:certificate/d049878781-20b6-4cb5-a70a-6e86758936d2
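
As an added example (not part of the original posts), here is a small Python pre-flight check for the points above: the certificate's region taken from its ARN, whether a certificate name covers the alternate domain name, and whether the DNS validation record sits beside the existing record rather than on it. The function names and the sample ARN are constructed for illustration.

```python
REQUIRED_REGION = "us-east-1"  # CloudFront only accepts ACM certificates from this region

def parse_acm_arn(arn):
    """Split arn:aws:acm:<region>:<account>:certificate/<id> into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "acm":
        raise ValueError("not an ACM ARN: %r" % arn)
    kind, _, cert_id = parts[5].partition("/")
    if kind != "certificate" or not cert_id:
        raise ValueError("not a certificate resource: %r" % arn)
    return {"region": parts[3], "account": parts[4], "id": cert_id}

def _norm(name):
    return name.strip().lower().rstrip(".")

def covers(cert_name, alias):
    """True if a certificate name covers alias; '*.' matches exactly one label."""
    cert_name, alias = _norm(cert_name), _norm(alias)
    if cert_name.startswith("*."):
        head, _, rest = alias.partition(".")
        return bool(head) and rest == cert_name[2:]
    return cert_name == alias

def validation_record_is_separate(record_name, alias):
    """True if the validation CNAME is an underscore-prefixed name, not the alias itself."""
    record_name, alias = _norm(record_name), _norm(alias)
    return record_name != alias and record_name.split(".")[0].startswith("_")

def preflight(arn, cert_names, alias, validation_record):
    """Return a list of problems; an empty list means the certificate can be attached."""
    problems = []
    region = parse_acm_arn(arn)["region"]
    if region != REQUIRED_REGION:
        problems.append("certificate is in %s, CloudFront needs %s" % (region, REQUIRED_REGION))
    if not any(covers(n, alias) for n in cert_names):
        problems.append("no certificate name covers %s" % alias)
    if not validation_record_is_separate(validation_record, alias):
        problems.append("validation record would replace the record for %s" % alias)
    return problems

if __name__ == "__main__":
    # Constructed ARN (placeholder account and id); the domain names are the ones from the post.
    arn = "arn:aws:acm:eu-west-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
    print(preflight(arn, ["search.jthinkws.com"], "search.jthinkws.com",
                    "_72d863ce40127aac000cf4d20fe972ea.search.jthinkws.com"))
```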