10
  • In the Cert Manager I have a valid certificate, which includes the *.example.com domain.
  • In CloudFront I have a distribution with HTTP to HTTPS redirect enabled and empty CNAME field.
  • When I edit the distribution and enter staging.example.com in the CNAME field and select the certificate I get the following error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 8406d8d5-65c3-11e9-afc0-65457a0a2bea)

Am I missing something? The other distribution for the top level domain is working fine with the same certificate.

Nikolay Dyankov
  • I faced the exact same issue once; I had simply made a mistake when generating the certificate and forgot to include the alternative/wildcard SAN. The error also indicates this: the certificate is a valid certificate, but it doesn't cover staging.example.com and thus fails. – hephalump Apr 23 '19 at 14:03
  • Add the certificate to the distribution, then save changes, then add the subdomain as alternate domain name, and then save changes again. Any difference? – Michael - sqlbot Apr 23 '19 at 14:12
  • As per the error message, the certificate that you have does not cover the alternative domain name. So, please make sure that you have a certificate with a wildcard to cover multiple subdomains, because a standard certificate only covers the www.example.com subdomain. – Aress Support Apr 23 '19 at 16:17
  • In my case, I could add www.example.com; it worked. But when I tried to also add example.com as an Alternative Domain in the CloudFront distribution, it triggered the error, even though the certificate is registered with the wildcard properly. – Filipiz Oct 25 '19 at 20:30
  • I have the ACM certificate added for the wildcard domain *.abc.com and it's not accepting the root domain abc.com but accepts www.abc.com. Weird. – TaraGurung Feb 02 '23 at 16:05

4 Answers

23

Make sure that you are only trying to get the *. to match a single subdomain. See wildcard ssl on sub-subdomain

That is to say that *.example.com will match sub1.example.com and sub2.example.com, but it will not match sub2.sub1.example.com. Finally, you CANNOT request a certificate for *.*.example.com. In order to match that last case you would have to request *.sub1.example.com.

Bruno Bronosky
  • Thanks for the answer, but I already have the correct wildcard thing in my certificate, see the first point in my question. Found the problem and answered my question below. – Nikolay Dyankov Apr 23 '19 at 17:57
12

Figured it out.

The certificate was generated in the wrong region. Certificates that will be used on a CloudFront distribution must be generated in us-east-1 (N. Virginia).

Nikolay Dyankov
0

In my case, I created an SSL certificate in us-east-1 (N. Virginia) but I was still facing the issue. When I checked that certificate in ACM, it was only for subdomains; I had forgotten to add the root domain while requesting it.

So whenever you want to use an ACM certificate, make sure that it is for the domain and the subdomains (if required).
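The three answers above boil down to two checks that CloudFront performs before it lets you add an alternate domain name: the ACM certificate must live in us-east-1, and one of its names must cover the CNAME under the usual wildcard rule (a `*` matches exactly one DNS label, so `*.example.com` covers `staging.example.com` but neither `example.com` nor `a.b.example.com`). The following script is an added example, not code from the original thread or from AWS; it encodes those two rules over a constructed certificate record so you can test a CNAME offline before editing the distribution. The `AcmCertificate` class, the sample ARN and the account ID `123456789012` are assumptions made for the example.

```python
"""Pre-flight check: can this ACM certificate be attached to a CloudFront
distribution for a given alternate domain name (CNAME)?

Encodes the two conditions from the thread:
  1. Coverage: the certificate's subject / SAN list must match the CNAME.
     A wildcard label '*' matches exactly one DNS label, so *.example.com
     covers staging.example.com but not example.com or a.b.example.com.
  2. Region: CloudFront only accepts certificates from us-east-1, and the
     region is the fourth colon-separated field of the certificate ARN.

No AWS calls are made; all certificate data here is constructed sample input.
"""
from dataclasses import dataclass, field

CLOUDFRONT_ACM_REGION = "us-east-1"


@dataclass
class AcmCertificate:
    """Minimal stand-in (assumption) for the fields returned by
    acm:DescribeCertificate that matter for this check."""
    arn: str
    domain_name: str
    subject_alternative_names: list[str] = field(default_factory=list)

    def names(self) -> list[str]:
        # ACM repeats DomainName inside SubjectAlternativeNames; de-duplicate
        # and normalise case and trailing dots so comparisons are exact.
        seen: list[str] = []
        for raw in [self.domain_name, *self.subject_alternative_names]:
            n = raw.lower().rstrip(".")
            if n not in seen:
                seen.append(n)
        return seen


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (plain or leading-wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # Wildcard: hostname needs exactly one more label than the pattern's
    # suffix, and every suffix label must match exactly.
    suffix_labels = pattern[2:].split(".")
    host_labels = hostname.split(".")
    if len(host_labels) != len(suffix_labels) + 1:
        return False
    return host_labels[0] != "" and host_labels[1:] == suffix_labels


def arn_region(arn: str) -> str:
    """Extract the region from arn:partition:acm:region:account:resource."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "acm":
        raise ValueError(f"not an ACM certificate ARN: {arn}")
    return parts[3]


def check_cloudfront_cname(cert: AcmCertificate, cname: str) -> list[str]:
    """Return the list of reasons CloudFront would reject this CNAME.

    An empty list means both the region and the coverage checks pass.
    """
    problems: list[str] = []
    region = arn_region(cert.arn)
    if region != CLOUDFRONT_ACM_REGION:
        problems.append(
            f"certificate is in {region}; CloudFront requires {CLOUDFRONT_ACM_REGION}"
        )
    if not any(name_matches(n, cname) for n in cert.names()):
        problems.append(f"certificate names {cert.names()} do not cover {cname}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a wildcard-only certificate in the right region.
    wildcard_only = AcmCertificate(
        arn="arn:aws:acm:us-east-1:123456789012:certificate/"
            "11111111-2222-3333-4444-555555555555",
        domain_name="*.example.com",
    )
    for cname in ["staging.example.com", "www.example.com",
                  "example.com", "a.b.example.com"]:
        print(f"{cname:22} -> {check_cloudfront_cname(wildcard_only, cname) or 'OK'}")
```

Running it reproduces the behaviour the commenters describe: `staging.example.com` and `www.example.com` pass, while the apex `example.com` and the two-level `a.b.example.com` are reported as uncovered. To fix the apex case, request the certificate with both `example.com` and `*.example.com` as names; to fix the region case, re-request it in us-east-1.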

0

If you are using serverless, try adding certificateArn as a component input in the serverless.yml file:

your-app:
  component: "@sls-next/serverless-component@latest"
  inputs:
    domain: ["app", "domain.com"] # [ sub-domain, domain ]
    # The certificate must live in us-east-1 for CloudFront to accept it.
    certificateArn: "arn:aws:acm:us-east-1:<id>"

Reference : https://github.com/serverless-nextjs/serverless-next.js/issues/821

jfk