[英]AWS SSL with Google Domain for static website in S3
I'm trying to add HTTPS to my static website hosted in an S3 bucket with a domain bought from Google's Domains.我正在尝试将 HTTPS 添加到托管在 S3 存储桶中的静态网站,该网站的域是从 Google 的域购买的。 I know that in order to set up CloudFront Distribution, I need to send the SSL Cert from AWS Certificate Manager to Google.
我知道为了设置 CloudFront Distribution,我需要将 SSL 证书从 AWS Certificate Manager 发送到 Google。
This is what I did:这就是我所做的:
From AWS Certificate Manager:从 AWS 证书管理器:
*.myweb.com
and myweb.com
, following this answer here .*.myweb.com
和myweb.com
,下面这个答案在这里。Name
, Type
and Value
for my CNAME.Name
, Type
和Value
。 I've looked at guide here , here , here and here without any luck.我看过指南here , here , here和here,没有任何运气。
Update 10 May: 5 月 10 日更新:
Many thanks to @hephalump for his help.非常感谢@hephalump 的帮助。 In addition to his answer, he sent to me this super helpful link from AWS .
除了他的回答之外,他还从 AWS向我发送了这个超级有用的链接。
In my case, it was slightly different from the video by Geoff:就我而言,它与 Geoff 的视频略有不同:
Name: mywebsite.com - Type: A - Value (ALIAS target): CloudFront Distribution (from the list).
Name: www.mywebsite.com - Type: A - Value (ALIAS target): mywebsite.com (on the bottom of the list).
and now it works.现在它起作用了。
Since you're using AWS services, you may wish to seriously consider using Route53 for your DNS;由于您使用的是 AWS 服务,您可能希望认真考虑将 Route53 用于您的 DNS; it will make your life a lot easier.
它会让你的生活更轻松。
Even if you're not using Route53 can still use the DNS validation method to validate your certificate.即使您没有使用 Route53,仍然可以使用 DNS 验证方法来验证您的证书。 Alternatively, if that's not working, you can use the Email verification method which is also very reliable.
或者,如果这不起作用,您可以使用也非常可靠的电子邮件验证方法。
To use the DNS validation method with Google domains you would do the following:要对 Google 域使用 DNS 验证方法,您需要执行以下操作:
On the AWS Certificate Manager certificate confirmation screen get something like:在 AWS Certificate Manager 证书确认屏幕上,得到如下内容:
NAME: _3341936be9c722351e9e3345d5118ee28.yourdomain.com.
名称:
_3341936be9c722351e9e3345d5118ee28.yourdomain.com.
TYPE: CNAME
类型:
CNAME
VALUE: _3341936be9c722351e9e3345d5118ee28.ltfvzjuylp.acm-validations.aws.
值:
_3341936be9c722351e9e3345d5118ee28.ltfvzjuylp.acm-validations.aws.
Head over to Google domain manager and go to the Custom Resource Records section.前往 Google 域管理器并转到自定义资源记录部分。 In the first field enter
_3341936be9c722351e9e3345d5118ee28
.在第一个字段中输入
_3341936be9c722351e9e3345d5118ee28
。 In the dropdown menu select CNAME.在下拉菜单中选择 CNAME。 In the TTL enter
1H
.在 TTL 中输入
1H
。 In the data field enter _3341936be9c722351e9e3345d5118ee28.ltfvzjuylp.acm-validations.aws
.在数据字段中输入
_3341936be9c722351e9e3345d5118ee28.ltfvzjuylp.acm-validations.aws
。 Finally, click Add.最后,点击添加。
Then wait.然后等待。 You have to wait for the DNS record to propagate, and you have to wait for ACM to check it.
您必须等待 DNS 记录传播,并且必须等待 ACM 检查它。 It could take up to 1 hour.
最多可能需要 1 小时。
EDIT: Since it seems you're using Route53 to handle your DNS this is really easy.编辑:由于您似乎正在使用 Route53 来处理您的 DNS,所以这真的很容易。 Regardless of where your bucket is, make sure you request your certificate in the US-EAST-1 (N. Virginia) region.
无论您的存储桶位于何处,请确保您在 US-EAST-1(弗吉尼亚北部)区域中请求您的证书。 Follow all the request steps and on "Step 4: Validation", when the certificate is generated click on "Create record in Route 53".
遵循所有请求步骤和“步骤 4:验证”,生成证书后,单击“在 Route 53 中创建记录”。 Wait 5 minutes and if Route53 is indeed handling your DNS then your cert will be ready to use.
等待 5 分钟,如果 Route53 确实在处理您的 DNS,那么您的证书就可以使用了。
I was trying the same, by adding CNAMEs using Google domain DNS manager.我正在尝试相同的方法,通过使用 Google 域 DNS 管理器添加 CNAME。 For me the issue was, instead of adding just the alphanumerical part, I was adding the entire string including the domain.
对我来说,问题是,我不是只添加字母数字部分,而是添加包括域在内的整个字符串。 Once I removed that, I believe, it might have taken less than an hour.
一旦我删除它,我相信,它可能需要不到一个小时。 Go through the below link and pay special attention to the one under 'important' section.
通过下面的链接并特别注意“重要”部分下的那个。 https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html
From the above link.从上面的链接。
The CNAME information that you need does not include the name of your domain.
您需要的 CNAME 信息不包括您的域的名称。 If you include your domain name in the DNS database CNAME record, validation fails.
如果您在 DNS 数据库 CNAME 记录中包含您的域名,验证将失败。 For example, the displayed Name may resemble the following:
例如,显示的名称可能类似于以下内容:
_a79865eb4cd1a6ab990a45779b4e0b96.yourdomain.com However, the required CNAME information only includes the following:
_a79865eb4cd1a6ab990a45779b4e0b96.yourdomain.com 但是,所需的 CNAME 信息仅包括以下内容:
_a79865eb4cd1a6ab990a45779b4e0b96
_a79865eb4cd1a6ab990a45779b4e0b96
Then in Permissions, in Bucket policy, select edit and put this:然后在权限中,在存储桶策略中,选择编辑并输入:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.basschimes.com/*"
}
]
}
If you forget to enable static website hosting before connecting to your CloudFront distribution, it will result in this error when trying to view your website:如果您在连接到 CloudFront 分配之前忘记启用静态网站托管,则在尝试查看您的网站时将导致此错误:
If this happens, you must reconnect your CloudFront distribution to your S3 bucket.
如果发生这种情况,您必须将 CloudFront 分配重新连接到 S3 存储桶。 Don't know why this is, but this is what happens.
不知道为什么会这样,但这就是发生的事情。
Head over to certificate manager前往证书管理器
VERY IMPORTANT: Change from your current location to US East (N. Virginia) us-east-1 .非常重要:从您当前的位置更改为US East (N. Virginia) us-east-1 。 The certificate must be requested from this region, no matter what.
无论如何,必须从该地区申请证书。 If you don't, and instead have Northern California for example, when you move onto the next step which is Cloudfront, your ssl certificate will not show up and you will not be able to complete your HTTPS setup.
如果您不这样做,而是以北加利福尼亚为例,当您进入下一步 Cloudfront 时,您的 ssl 证书将不会显示,您将无法完成 HTTPS 设置。 Not entirely sure why this is, but to use CloudFront, the region for your certificate must be US East (N. Virginia) us-east-1 .
不完全确定这是为什么,但要使用 CloudFront,您的证书区域必须是美国东部(弗吉尼亚北部) us-east-1 。
_123a456789012b3456c7d8ef901a234b.www
, Type: CNAME
, DATA something like: _fe098765432dc10b987a65f43e21098d.abcdefghij.acm-validations.aws.
_123a456789012b3456c7d8ef901a234b.www
,键入: CNAME
, DATA 类似: _fe098765432dc10b987a65f43e21098d.abcdefghij.acm-validations.aws.
For me it took 4 minutes after routing things up in Google Domains to get my certificate issued.对我来说,在 Google Domains 中路由内容后花了 4 分钟才能颁发我的证书。 So sip that coffee and take a breather while you wait!
所以,在你等待的时候啜饮那杯咖啡,喘口气! It shouldn't be long.
应该不会很久。
The certificate status will change to "Issued".证书状态将更改为“已颁发”。
Head over to CloudFront in AWS.前往 AWS 中的 CloudFront。
Now go to the hosted zone details if you're not already taken there.如果您还没有被带到托管区域详细信息,现在请转到托管区域详细信息。 You will now create a record to connect to our CloudFront distribution to add to the list of two records that you should already have there in your hosted zone.
您现在将创建一条记录以连接到我们的 CloudFront 分配,以添加到您的托管区域中应该已有的两条记录的列表中。
You are now done with the AWS side.您现在已经完成了 AWS 方面的工作。
You need to create a CNAME record for www.<your website name>.com for connecting to our Cloudfront distribution, and a redirect from <your website name>.com to www.<your website name>.com so that our users can put in our naked domain name and still get to our site.您需要为 www.<您的网站名称>.com 创建 CNAME 记录以连接到我们的 Cloudfront 分配,并从 <您的网站名称>.com 重定向到 www.<您的网站名称>.com,以便我们的用户可以输入我们的裸域名,仍然可以访问我们的网站。 As mentioned here: if google domains supported ANAME/ALIAS records, we would do things differently, where we would also create a Cloudfront distribution for our naked domain of <your website name>.com and route <your website name>.com to that cloudfront distribution within google domains.
正如这里提到的:如果谷歌域支持 ANAME/ALIAS 记录,我们会做不同的事情,我们还会为我们的 <your website name>.com 裸域创建一个 Cloudfront 分配,并将 <your website name>.com 路由到那个谷歌域内的 cloudfront 分布。 But since google doesn't support ANAME/ALIAS records, we have to redirect our naked domain to our domain, and then our domain to our cloudfront.
但是由于 google 不支持 ANAME/ALIAS 记录,我们必须将我们的裸域重定向到我们的域,然后将我们的域重定向到我们的 cloudfront。 Also you would have to create an s3 bucket for our naked domain, in which you could point it to the other s3 bucket, but I was having issues with that in terms of permissions.
此外,您还必须为我们的裸域创建一个 s3 存储桶,您可以在其中将其指向另一个 s3 存储桶,但我在权限方面遇到了问题。 But we don't have to worry about that, since google domains doesn't support ANAME/ALIAS records in the first place.
但我们不必担心这一点,因为谷歌域首先不支持 ANAME/ALIAS 记录。
Now this is fun, the AWS docs at the time of writing this say create a Synthetic Record within Google Domains , but Google Domains recently changed their interface.现在这很有趣, 撰写本文时的AWS 文档说在 Google Domains 中创建合成记录,但 Google Domains 最近更改了它们的界面。 It no longer calls them "Synthetic records" which was within their "DNS" page, you have to go to Google Domain's "Website" page and click "Forward Domain" and in there forward your naked domain of <your website name>.com to www.<your website name>.com.
它不再将它们称为“DNS”页面中的“合成记录”,您必须转到 Google Domain 的“网站”页面并单击“转发域”,然后在那里转发您的 <your website name>.com 裸域到 www.<您的网站名称>.com。 And then go to your DNS page and there make a CNAME record pointing your www.<your website name>.com to your CloudFront distribution.
然后转到您的 DNS 页面,并在那里创建一个 CNAME 记录,将您的 www.<您的网站名称>.com 指向您的 CloudFront 分配。
Everything @hephalump said, but also -- and I'm not a network engineer so insight into this would be appreciated: @hephalump 所说的一切,而且——而且我不是网络工程师,因此对这一点的深入了解将不胜感激:
I'm using AWS name servers as my custom name servers on my google domain -- so even thought my domain isn't registered with AWS the CNAME records still need to be placed in route 53我使用 AWS 名称服务器作为我的 google 域上的自定义名称服务器——所以即使我的域没有在 AWS 上注册,CNAME 记录仍然需要放在路由 53 中
If you swapped your name servers -- add the CNAMEs to Route53 instead of google如果您交换了名称服务器 - 将 CNAME 添加到 Route53 而不是 google
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.