AWS ACM wildcard ssl certificate not working on domain

I created an SSL certificate for my site using Amazon Certificate Manager. The certificate is for *.example.com. I have then attached this certificate to my ELB and have left the instance protocol as http. So the SSL chain is only between the client and the ELB. I have two A records in Route53. One for example.com, one for www.example.com. Both of these are aliased to the ELB. When I do https://www.example.com it works perfectly. But when I do https://example.com I get the following error in Firefox:

"example.com uses an invalid security certificate. The certificate is only valid for *.example.com Error code: SSL_ERROR_BAD_CERT_DOMAIN"

Shouldn't the certificate *.example.com work for the address example.com? Am I missing something?

EDIT May 31, 2016

Thank you to Steffen Ullrich for setting me on the right track. The problem is that when using the AWS Certificate Manager (ACM) in the console (web browser) there is no option to add the alternative names. For those having the same problem, you need to use the CLI (command line interface). A quick web search for "Install AWS CLI" will give you all the information you need to complete the installation. Once the CLI is installed you can run the ACM commands. Here is a link to the documentation:

http://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html

The command I used was:

aws acm request-certificate --domain-name www.example.com --subject-alternative-names example.com

Once the request was approved I was able to see the SSL certificate in the ACM web interface. I installed it and everything is working like a charm now!

John Avatar asked May 30 '16 07:05

2 Answers

A certificate for *.example.com matches whatever.example.com but not example.com only. This is because the * must match a label and example.com has no label in place of the *. If you want to match both whatever.example.com and example.com you need to create a certificate which has as subject alternative names both *.example.com and example.com.

Steffen Ullrich Avatar answered Sep 30 '22 02:09

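The matching rule described in this answer, as an added illustration (not code from the question, the answers or AWS): a wildcard is honoured only as the whole left-most label and stands for exactly one label, so a certificate needs a separate subject alternative name to cover the bare domain. The host names and SAN lists are constructed for the example.

```python
# Wildcard name matching as browsers apply it (RFC 6125 section 6.4.3).
# Added example; the names below are constructed, not from a real certificate.

def _label_matches(pattern_label: str, host_label: str) -> bool:
    """One DNS label against one pattern label; '*' alone matches any single label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate name (CN or dNSName SAN) cover hostname?

    Rules applied:
      - the comparison is case-insensitive;
      - a wildcard is only honoured as the whole left-most label;
      - '*' stands for exactly one label, so '*.example.com' covers
        'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # the wildcard never absorbs zero or several labels
    if "*" in pattern and (p_labels[0] != "*" or "*" in pattern[2:]):
        return False  # partial ('w*.example.com') or inner wildcards are rejected
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def certificate_covers(san_names: list[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list matches hostname."""
    return any(name_matches(n, hostname) for n in san_names)


# Constructed SAN lists mirroring the question: the ACM wildcard alone,
# versus the certificate requested with the bare domain as an extra SAN.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_AND_APEX = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for cert in (WILDCARD_ONLY, WILDCARD_AND_APEX):
        for host in ("www.example.com", "example.com"):
            print(f"{cert} covers {host}: {certificate_covers(cert, host)}")
```

The same check explains why the asker's `--subject-alternative-names example.com` request fixed the Firefox error: the bare domain is listed explicitly instead of being expected to match the wildcard.
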
When requesting a new certificate via the console, you can now add both *.domain.com and www.domain.com. Before hitting next, in the next box, make sure you request to add another domain to the certificate.

user2867432 Avatar answered Sep 30 '22 02:09