 

Subdomain on CloudFront not working (certificate not accepted)

  • In the Cert Manager I have a valid certificate, which includes the *.example.com domain.
  • In CloudFront I have a distribution with HTTP to HTTPS redirect enabled and empty CNAME field.
  • When I edit the distribution and enter staging.example.com in the CNAME field and select the certificate I get the following error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 8406d8d5-65c3-11e9-afc0-65457a0a2bea)

Am I missing something? The other distribution for the top level domain is working fine with the same certificate.

Nikolay Dyankov asked Apr 23 '19 12:04



2 Answers

Make sure that you are only trying to get the *. to match a single subdomain. See wildcard ssl on sub-subdomain

That is to say that *.example.com will match sub1.example.com and sub2.example.com, but it will not match sub2.sub1.example.com. Finally, you CANNOT request a certificate for *.*.example.com. In order to match that last case you would have to request *.sub1.example.com.

Bruno Bronosky answered Oct 01 '22 23:10



Figured it out.

The certificate was generated in the wrong region. Certificates that will be used on a CloudFront distribution must be generated in us-east-1 (Virginia).

Nikolay Dyankov answered Oct 01 '22 23:10

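The two answers above describe two separate checks that CloudFront applies before it accepts an alternate domain name: the ACM certificate must live in us-east-1, and every CNAME must be covered by one of the certificate's names under the single-label wildcard rule. The following preflight combines both checks so you can run them before editing the distribution. It is an example added by the editor, not code from the question or either answer; the certificate and alias inputs are constructed in the block, shaped like the `Certificate` object that `aws acm describe-certificate` returns (the `CertificateArn`, `SubjectAlternativeNames` and `Status` field names are assumed from that API), and no AWS call is made.

```python
"""Preflight for attaching an ACM certificate to a CloudFront alias (CNAME).

Added example, not code from the page. Inputs are constructed dicts shaped
like the ``Certificate`` object of ``aws acm describe-certificate``; the field
names CertificateArn / SubjectAlternativeNames / Status are assumed from the
ACM API. Nothing here talks to AWS.
"""
import re

# CloudFront only accepts ACM certificates issued in this region (second answer).
CLOUDFRONT_ACM_REGION = "us-east-1"

# arn:aws:acm:<region>:<12-digit account>:certificate/<uuid>
ARN_RE = re.compile(
    r"^arn:aws:acm:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):certificate/(?P<id>[0-9a-f-]+)$"
)


def acm_region(cert_arn: str) -> str:
    """Region encoded in an ACM certificate ARN; raises on a malformed ARN."""
    m = ARN_RE.match(cert_arn)
    if not m:
        raise ValueError(f"not an ACM certificate ARN: {cert_arn}")
    return m.group("region")


def name_covers(san: str, hostname: str) -> bool:
    """True if one certificate name covers ``hostname``.

    A wildcard matches exactly one leftmost label (RFC 6125 section 6.4.3, which
    is the rule the first answer describes): *.example.com covers
    sub1.example.com but neither sub2.sub1.example.com nor example.com.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname            # plain name: exact match only
    if "*" in san[1:]:                    # *.*.example.com is never issued
        return False
    suffix = san[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]   # the label the wildcard must absorb
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def preflight(cert: dict, aliases: list) -> list:
    """Return the problems CloudFront would reject; an empty list means OK."""
    problems = []
    region = acm_region(cert["CertificateArn"])
    if region != CLOUDFRONT_ACM_REGION:
        problems.append(
            f"certificate is in {region}; CloudFront requires {CLOUDFRONT_ACM_REGION}"
        )
    if cert.get("Status") != "ISSUED":
        problems.append(f"certificate status is {cert.get('Status')!r}, not ISSUED")
    sans = cert.get("SubjectAlternativeNames", [])
    for alias in aliases:
        if not any(name_covers(s, alias) for s in sans):
            problems.append(f"no certificate name in {sans} covers alias {alias}")
    return problems


# Constructed sample data (fake account id and certificate id).
GOOD_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
    "SubjectAlternativeNames": ["example.com", "*.example.com"],
    "Status": "ISSUED",
}
WRONG_REGION_CERT = dict(
    GOOD_CERT,
    CertificateArn="arn:aws:acm:eu-west-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
)

if __name__ == "__main__":
    # Same certificate names, wrong region: the situation in the second answer.
    for p in preflight(WRONG_REGION_CERT, ["staging.example.com"]):
        print("REJECT:", p)
    # Right region, but a sub-subdomain: the situation in the first answer.
    for p in preflight(GOOD_CERT, ["www.staging.example.com"]):
        print("REJECT:", p)
    print("staging.example.com with the us-east-1 cert:", preflight(GOOD_CERT, ["staging.example.com"]))
```

To run it against real resources, feed `preflight` the `Certificate` object from `aws acm describe-certificate --certificate-arn ... --region us-east-1` and the `Aliases.Items` list from `aws cloudfront get-distribution-config`; the region check fails fast on the ARN alone, which is the cheapest way to spot the mistake the second answer describes.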