I am unable to set up HTTPS with a static website hosted on S3. I followed the official documentation and also some tutorials, but still cannot troubleshoot it. My setup is as follows.

First, I requested an SSL cert via AWS Certificate Manager. In fact, I've requested 2 of them, and neither of them helps to make HTTPS work. The SSL cert domains look like the following. I've verified that the status is issued.

  • *.mydomain.com
  • sub.mydomain.com

Note that my domain name is registered with Google Domains. I have 3 CNAME entries as follows.

  • one for the *.mydomain.com
  • one for the sub.domain.com
  • one for HTTP back to the S3 bucket

On CloudFront, I then create a distribution. The Origins and Origin Groups is

  • Origin Domain Name and Path=sub.mydomain.com.s3.amazonaws.com
  • Origin ID=S3-sub.mydomain.com
  • Origin Type=S3 Origin

The Behaviors is

  • Path Pattern=Default(*)
  • Origin or Origin Groups=S3-sub.mydomain.com
  • Viewer Protocol Policy=Redirect HTTP to HTTPS

On different tutorial sites, I've seen the recommended Viewer Protocol Policy to be one of any values (e.g. HTTP and HTTPS, Redirect HTTP to HTTPS, HTTPS Only). I tried all 3 values, and did not get the desired effect (very costly to tinker around since each change takes 15+ minutes to be deployed).

After the CloudFront distribution's Status=Deployed and State=Enabled, I tried to go to my site via HTTPS, but it just hangs and times out. The HTTP access still works fine, which is counter to my understanding of Viewer Protocol Policy=Redirect HTTP to HTTPS.

Any ideas on what I am doing wrong here? A lot of the tutorials suggest using end-to-end AWS service (e.g. DNS) to make the setup easier, but I have registered my domain with Google.

Note that this post is about HTTPS with VPN-only access, and this post suggests an all-AWS approach. The second post is interesting since one user suggested entering an A record. For now, I only have a CNAME record for my subdomain. If I were to create an A record, to where would I point?

Update: I went into Google Domains and deleted the CNAME entry of sub pointing to the S3 bucket URL. I then added a new CNAME with sub pointing to the CloudFront URL. When I try HTTPS I can hit something, but I get an XML of AccessDenied.

<Error>
 <Code>AccessDenied</Code>
 <Message>Access Denied</Message>
 <RequestId>186A2418C76E7526</RequestId>
 <HostId>
  somelongstring
 </HostId>
</Error>
Jane Wayne

1 Answer

I was able to get everything working by doing 2 additional things.

On Google Domains, I created a CNAME pointing sub to the CloudFront URL.

On CloudFront, to avoid the AccessDenied message, I set Default Root Object to index.html. Apparently, the index document setting from S3 is decoupled from CloudFront.

Jane Wayne

The index document functionality requires you to use the web site hosting endpoint as the CloudFront Origin Domain Name. The error is different but the cause is the same as https://stackoverflow.com/a/34065543/1695906. – Michael - sqlbot Jan 18 '19 at 00:39
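As an added example (not code from the question, the answer or the comment above), here is an offline check that flags the three misconfigurations this thread walks through: a DNS CNAME that still points at S3 (HTTPS hangs because S3 does not terminate TLS for a custom hostname), a REST-endpoint origin with no Default Root Object (the AccessDenied XML), and a viewer policy that leaves plain HTTP open. It assumes the field names of a CloudFront DistributionConfig (Origins, DefaultCacheBehavior.ViewerProtocolPolicy, DefaultRootObject); the sample configs are constructed, not pulled from an account.

```python
import re

# S3 REST endpoint (what the question used as the origin): it has no
# index-document support, so "/" yields AccessDenied unless
# DefaultRootObject is set on the distribution.
REST_ENDPOINT = re.compile(r"\.s3(\.[a-z0-9-]+)?\.amazonaws\.com$")
# S3 static website hosting endpoint: honours the bucket's index document
# (the fix recommended in the comment above).
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")


def check_static_site(config: dict, dns_cname_target: str) -> list:
    """Return a list of findings; an empty list means the setup looks right."""
    findings = []
    origin = config["Origins"]["Items"][0]["DomainName"]
    policy = config["DefaultCacheBehavior"]["ViewerProtocolPolicy"]
    root = config.get("DefaultRootObject", "")

    # First symptom on the page: HTTPS hangs because the CNAME still points
    # at the bucket instead of the distribution's *.cloudfront.net name.
    if not dns_cname_target.endswith(".cloudfront.net"):
        findings.append("dns: CNAME must target the CloudFront domain, not S3")

    # Second symptom: AccessDenied on "/" because the REST endpoint has no
    # index document; either set DefaultRootObject or use the website endpoint.
    if REST_ENDPOINT.search(origin) and not root:
        findings.append("origin: REST endpoint without DefaultRootObject "
                        "-> AccessDenied for '/'")
    elif not REST_ENDPOINT.search(origin) and not WEBSITE_ENDPOINT.search(origin):
        findings.append("origin: unrecognised S3 endpoint " + origin)

    # Defender's preference: do not leave cleartext HTTP allowed end to end.
    if policy == "allow-all":
        findings.append("viewer: allow-all permits cleartext; use redirect-to-https")
    return findings


# Constructed sample mirroring the question's setup before the fix.
BEFORE = {
    "Origins": {"Items": [{"DomainName": "sub.mydomain.com.s3.amazonaws.com"}]},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "DefaultRootObject": "",
}
# The same distribution after the answer's fix (Default Root Object set).
AFTER = dict(BEFORE, DefaultRootObject="index.html")

if __name__ == "__main__":
    print(check_static_site(BEFORE, "sub.mydomain.com.s3.amazonaws.com"))
    print(check_static_site(AFTER, "d111111abcdef8.cloudfront.net"))
```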