 

CloudFront distribution and AWS issued certificate gives SSL_ERROR_NO_CYPHER_OVERLAP

I can't get the Internet <-> CloudFront <-> S3 Bucket working, using an AWS certificate. This is what I did:

  1. Created a certificate, a wildcard one, like: *.mydomain.example.
  2. Created an S3 bucket, no fiddling with properties.
  3. Created a CloudFront distribution, using the created S3 bucket URL as origin, selecting my certificate from step 1, choosing HTTP/2, HTTP/1.1, HTTP/1.0, and choosing HTTP to HTTPS redirect.
  4. Created an A alias in my hosted zone for the domain the certificate is issued for, pointing at my distribution URL.

After the distribution is created, my browsers all tell me this:

  • Firefox: SSL_ERROR_NO_CYPHER_OVERLAP
  • Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  • Safari: Can't establish a secure connection.

I'm not sure if I've missed a step in the process of setting this up, I've tried fiddling with various parameters but nothing lets me through.

I read this blog post, which says that I might have forgotten to add alternate CNAMEs. This confuses me a bit; should I? In Route 53 I configured my full domain using something.mydomain.example and the certificate is a wildcard one.

Other blog posts and question answers indicate I should not, and should just use the A record and the CloudFront distribution URL/endpoint, as I have done.

Wrench asked Mar 16 '17 21:03




3 Answers

So, in my update, I mentioned adding CNAMEs from a blog post. This was it, the second I did that, it started working.

To clarify, I did this to solve my problem:

  1. Edit your CloudFront distribution.
  2. Under the tab General, click edit.
  3. In the Alternate Domain Names text box, add (at least) the something.mydomain.example that you have configured to this distribution's endpoint/URL in Route53.
  4. Save your changes.

This solved it instantly for me, but remember that CloudFront configuration changes sometimes can take some time to be pushed out.

Wrench answered Oct 23 '22 00:10
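The steps above amount to two checks that can be scripted before (or after) editing the distribution: the viewer hostname must appear in the distribution's Alternate Domain Names (directly or via a wildcard alias) and must be covered by the certificate's subject alternative names; otherwise CloudFront has no distribution to match against the SNI name and the handshake fails with the errors listed in the question. The following is an added example, not code from the question or answers: the dictionaries are constructed sample data shaped like boto3's `get_distribution_config()['DistributionConfig']` and `describe_certificate()['Certificate']['SubjectAlternativeNames']` responses, and applying the one-label wildcard rule to aliases as well as to certificate names is an assumption (it is the conservative reading).

```python
"""Preflight check for a CloudFront custom domain behind an ACM certificate."""
from typing import Dict, List

# MinimumProtocolVersion values that still admit TLS 1.0 (assumed org baseline: flag them).
WEAK_MINIMUM_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1_2016"}


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: a leading '*' covers exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                       # e.g. ".mydomain.example"
    head, sep, tail = hostname.partition(".")
    return bool(head) and sep == "." and "." + tail == suffix


def check_viewer_hostname(hostname: str, dist_config: Dict, cert_sans: List[str]) -> List[str]:
    """Return findings for a viewer hostname; an empty list means it is wired up correctly."""
    findings = []
    aliases = dist_config.get("Aliases", {}).get("Items", [])
    if not any(name_matches(a, hostname) for a in aliases):
        findings.append(f"{hostname} is not in Alternate Domain Names {aliases}; "
                        "CloudFront cannot match the SNI name to this distribution")
    if not any(name_matches(san, hostname) for san in cert_sans):
        findings.append(f"certificate SANs {cert_sans} do not cover {hostname}")
    viewer = dist_config.get("ViewerCertificate", {})
    if viewer.get("CloudFrontDefaultCertificate"):
        findings.append("distribution uses the default *.cloudfront.net certificate, not the ACM one")
    if viewer.get("MinimumProtocolVersion") in WEAK_MINIMUM_PROTOCOLS:
        findings.append(f"MinimumProtocolVersion {viewer['MinimumProtocolVersion']} still allows TLS 1.0")
    return findings


# Constructed sample data (ARN is a placeholder), mirroring the boto3 response shapes named above.
CERT_SANS = ["*.mydomain.example"]
_CERT = {"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
         "SSLSupportMethod": "sni-only"}
BROKEN = {"Aliases": {"Quantity": 0, "Items": []},                     # the question's setup
          "ViewerCertificate": {**_CERT, "MinimumProtocolVersion": "TLSv1"}}
FIXED = {"Aliases": {"Quantity": 1, "Items": ["something.mydomain.example"]},
         "ViewerCertificate": {**_CERT, "MinimumProtocolVersion": "TLSv1.2_2021"}}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_viewer_hostname("something.mydomain.example", cfg, CERT_SANS) or ["OK"])
```

To run it against a live account, replace the constructed dictionaries with the output of `aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>` and `aws acm describe-certificate --certificate-arn <ARN> --region us-east-1`.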


As stated by the OP in an edit, the error is caused when a CNAME entry for the apex (naked) domain, www subdomain, other subdomain, or other domain(s) is not listed in the distribution.


To fix it, add at least one CNAME to the distribution in CloudFront.

vhs answered Oct 22 '22 22:10


Weird but true:

What actually fixed the issue for me was bumping the minimum cypher version up from TLSv1 to TLSv1.1_2016 in the CF Distribution.

Here's the relevant CloudFormation snippet:

HttpVersion: "http2"
ViewerCertificate:
  AcmCertificateArn: !Ref SslCertificateArn        # ACM certificate (must be in us-east-1 for CloudFront)
  MinimumProtocolVersion: "TLSv1.1_2016"           # bumped up from "TLSv1"
  SslSupportMethod: sni-only                       # serve the custom certificate via SNI

Weird because I don't understand why this change fixes anything. The browser should automatically negotiate the higher TLS version.

Alex R answered Oct 23 '22 00:10