简体繁体 English

AWS CloudFront自定义SSL证书已禁用

[英]AWS CloudFront Custom SSL Certificate disabled

原文 2017-05-28 18:26:51 7 1 amazon-web-services/ ssl/ amazon-s3/ dns/ amazon-cloudfront

I have seen many posts on this topic, but I have not been able to resolve the issue, so I am posting my setup in case anyone knows what needs to be changed? 我已经看到过很多与此主题相关的帖子，但是我无法解决该问题，因此，如果有人知道需要更改什么，我将发布设置。

I have a domain purchased through Namecheap. 我有一个通过Namecheap购买的域名。 I have set custom DNS and added 4 name servers generated by the hosted zone in AWS Route 53. DNS lookup through whois.net shows the correct values. 我已设置自定义DNS并添加了由AWS Route 53中托管区域生成的4个名称服务器。通过whois.net进行的DNS查找显示正确的值。
In Route 53, I have added an A record to the Alias Target xxxxxxxxxxxxxx.cloudfront.net. 在Route 53中，我向别名目标xxxxxxxxxxxxxx.cloudfront.net.添加了A记录xxxxxxxxxxxxxx.cloudfront.net. So the traffic hits Route 53 and goes to CloudFront. 因此流量达到了Route 53并到达CloudFront。
In CloudFront, I have one distribution. 在CloudFront中，我只有一个发行版。 As Alternate Domain Names (CNAMEs), I have the following values: 作为备用域名（CNAME），我具有以下值：
- *.domain.com * .domain.com
- www.domain.com www.domain.com
- domain.com domain.com
Under origins, I have one record with the following Origin Domain Name: 在原产地下，我有一条记录具有以下原产地域名：
- domain.com.s3-website.az-name-1.amazonaws.com domain.com.s3-website.az-name-1.amazonaws.com
I am hosting website in an S3 bucket. 我将网站托管在S3存储桶中。 All HTTP requests are set to redirect to HTTPS. 所有HTTP请求都设置为重定向到HTTPS。
Lastly, I have created and verified a single certificate for the following domain names: domain.com, www.domain.com, *.domain.com 最后，我为以下域名创建并验证了一个证书： domain.com, www.domain.com, *.domain.com

I have read some answers that I should just wait and the custom SSL certificate option will become enabled. 我已经阅读了一些我应该等待的答案，并且自定义SSL证书选项将启用。 It's been more than day now, however, and there is no sign of that happening. 但是，已经超过一天了，并且没有发生这种情况的迹象。

My website works, but the misconfigured certificate (using the default *.cloudfront.net ) throws a warning popup in Safari, and worse, a warning page in Chrome which most people are not going to bypass. 我的网站可以运行，但是配置错误的证书（使用默认的*.cloudfront.net ）在Safari中引发警告弹出窗口，更糟糕的是，Chrome中的警告页面大多数人都不会绕过。

1 个解决方案

To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. 要将ACM证书与Amazon CloudFront一起使用，您必须在美国东部（弗吉尼亚北部）地区请求或导入该证书。 ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution. 与CloudFront分配相关联的该区域中的ACM证书被分配到为该分配配置的所有地理位置。

http://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html http://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html

CloudFront is not a regional service like most of the others. CloudFront不是像大多数其他区域服务那样的区域服务。 It's a global service with a single home region -- us-east-1. 这是一个全球服务，只有一个本地区域-us-east-1。 It can't see ACM certificates in any other region (you'd create certificates in other regions if you wanted to use them with Elastic Beanstalk or Elastic/Application Load Balancers). 它在任何其他区域都看不到ACM证书（如果要在Elastic Beanstalk或Elastic / Application Load Balancer中使用它们，则可以在其他区域中创建证书）。

From the description of what you observe, you didn't create the ACM certificate in us-east-1. 根据观察到的描述，您没有在us-east-1中创建ACM证书。

Create a new cert in us-east-1, and the option to use it should become available almost immediately in CloudFront. 在us-east-1中创建一个新证书，并且使用它的选项应该几乎可以在CloudFront中立即可用。