
Using a different SSL certificate for different domains in CloudFront distribution?

I have a CloudFront distribution which I'm using to serve static files (images etc) on my website. As of today it uses the default foo.cloudfront.net domain (with Amazon's free, built-in SSL certificate).

I want to switch this distribution over to a "real" domain that's part of my site (e.g. media.mysite.com). As soon as I make this change in CloudFront (e.g. switch from its Default CloudFront Certificate to my own *.mysite.com cert), will this break my existing files being served over https://foo.cloudfront.net ?

If this is the case then I'll need to somehow switch all the image sources on my site over to the new domain at the same time as enabling the custom SSL certificate for the distribution, which will be tricky.

On the other hand, reading the docs suggests that CloudFront might be doing some work to determine which certificate to use:

CloudFront uses the IP address to identify your distribution and to determine which SSL/TLS certificate to return to the viewer.

... possibly?

Does anyone have any experience with this sort of changeover, or is there a better way to switch domains without having to change a non-trivial amount of URL references simultaneously?

If I understood the concern,

  1. Your CloudFront URL https://foo.cloudfront.net will work after a switch to media.mysite.com .

  2. All you need to do is add a DNS CNAME record for media.mysite.com pointing to foo.cloudfront.net, and define media.mysite.com as a CNAME in the CloudFront distribution settings. Also, add your custom SSL certificate to the distribution.

  3. No, it won't break any of your content unless you have hardcoded some dependency on the CloudFront URL, such as requiring the request Origin to be the CloudFront URL.

CloudFront uses the IP address to identify your distribution and to determine which SSL/TLS certificate to return to the viewer.

Answer - This happens only if you have opted for a Dedicated IP, which means you want to serve all users, including clients that don't support SNI. Below is what happens when you use SNI and not a dedicated IP -

When CloudFront receives the request, it finds the domain name in the request header and responds to the request with the applicable SSL/TLS certificate.


I guess you have not opted for a dedicated IP.

PS - I did this yesterday and it went smoothly. It takes some time for the CloudFront deployment to reach the edge locations, so be patient. Hope this helps!
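A practical way to confirm the behaviour the answer describes is to connect to the distribution once with each hostname in the SNI extension and look at which certificate comes back, and to check offline whether a wildcard certificate actually covers the new name. The script below is an added example, not code from the question or the answer: `foo.cloudfront.net` and `media.mysite.com` are the placeholder names from the question, and `SAMPLE_CERT` is a constructed stand-in for what Python's `ssl` module returns from `getpeercert()`.

```python
"""Check which TLS certificate an endpoint returns per SNI name, and whether a
certificate's SAN entries cover a hostname. Added example for the CloudFront
custom-domain changeover; hostnames are placeholders from the question."""
import socket
import ssl

# Constructed stand-in for ssl.SSLSocket.getpeercert() output for a *.mysite.com cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.mysite.com"),),),
    "subjectAltName": (("DNS", "*.mysite.com"), ("DNS", "mysite.com")),
}


def san_dns_names(peer_cert: dict) -> list:
    """DNS names listed in the certificate's subjectAltName extension."""
    return [value for kind, value in peer_cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a wildcard covering exactly one
    leftmost label. '*.mysite.com' covers 'media.mysite.com' but neither
    'mysite.com' nor 'a.media.mysite.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".mysite.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_covers(peer_cert: dict, hostname: str) -> bool:
    """True if any SAN DNS entry of the certificate matches hostname."""
    return any(name_matches(p, hostname) for p in san_dns_names(peer_cert))


def probe_sni(connect_host: str, server_name: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to connect_host but present server_name as SNI, and return the
    leaf certificate the server selected. Requires network access.
    Hostname checking is disabled on purpose: the point is to see which
    certificate is served for the SNI name, not to validate it for connect_host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain is still validated against system roots
    with socket.create_connection((connect_host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


def changeover_report(distribution_host: str, names: list) -> dict:
    """For each hostname, report whether the certificate CloudFront returns for
    that SNI name covers it. Both names should report True after the change."""
    report = {}
    for name in names:
        cert = probe_sni(distribution_host, name)
        report[name] = {"sans": san_dns_names(cert), "covered": cert_covers(cert, name)}
    return report


if __name__ == "__main__":
    # Live check against the placeholder names; replace with your own.
    for host, info in changeover_report(
        "foo.cloudfront.net", ["foo.cloudfront.net", "media.mysite.com"]
    ).items():
        print(host, "covered" if info["covered"] else "NOT covered", info["sans"])
```

After the distribution finishes deploying, both names should report `covered`: the request with `foo.cloudfront.net` in SNI should still get the `*.cloudfront.net` certificate and the request with `media.mysite.com` should get the custom one. If the distribution were on a dedicated IP rather than SNI-only, the same certificate would come back regardless of the SNI value sent.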
