The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add #102

Closed
kaihendry opened this issue Aug 14, 2019 · 10 comments · Fixed by #118
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@kaihendry

🐛 Bug Report

What is the problem?

Ran into a bunch of issues running https://github.com/aws-samples/aws-cdk-examples/tree/master/typescript/static-site/

Last one being

The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add

Reproduction Steps

cdk deploy -c domain=webconverger.com -c subdomain=talks

Verbose Log

https://s.natalian.org/2019-08-14/cdk.txt

I already have a *.webconverger.com certificate issued arn:aws:acm:us-east-1:407461997746:certificate/5efcc663-6e6c-43b3-bab0-49ad36b27152 so I am a little puzzled why it is:

  1. creating a webconverger.com one instead of a talks.webconverger.com one
  2. not simply using the existing wildcard certificate

Environment

Archlinux user

[hendry@t480s static-site]$ git describe --always
e8d9b04
[hendry@t480s static-site]$ cdk --version
1.3.0 (build bba9914)
@kaihendry kaihendry added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 14, 2019
@kaihendry
Author

Just tried with cdk 1.4.0 (build 175471f), same issue.

@brad-jones

brad-jones commented Aug 20, 2019

We are running into the issue too. We had a bunch of stacks deployed with multiple aliases, some of which were not covered by the cert, which we were fine with as these additional names were only used internally.

We then went to push some new stacks using the same pattern and they failed.

Possibly related to https://aws.amazon.com/about-aws/whats-new/2019/04/amazon-cloudfront-enhances-the-security-for-adding-alternate-domain-names-to-a-distribution/
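
The coverage rule behind this error, as an added example that is not part of the original thread or the CDK sample: a wildcard certificate name stands for exactly one left-most label, so `*.example.com` covers `www.example.com` but not `example.com`. The function names and the `example.com` sample data are constructed for illustration; the check can be run over a distribution's aliases before deploying.

```typescript
// Added example (not from the thread): checks which CloudFront aliases a
// certificate's names fail to cover. All names and sample data are constructed.

/** True when one certificate name (exact or wildcard) covers the host name. */
function certNameCovers(certName: string, host: string): boolean {
  // Compare case-insensitively and ignore a trailing root dot.
  const pattern = certName.toLowerCase().replace(/\.$/, "");
  const hostName = host.toLowerCase().replace(/\.$/, "");
  if (pattern.slice(0, 2) !== "*.") {
    return pattern === hostName;
  }
  // A wildcard matches exactly one left-most label: "*.example.com" covers
  // "www.example.com" but neither "example.com" nor "a.b.example.com".
  const suffix = pattern.slice(1); // ".example.com"
  if (hostName.slice(-suffix.length) !== suffix) {
    return false;
  }
  const label = hostName.slice(0, hostName.length - suffix.length);
  return label.length > 0 && label.indexOf(".") === -1;
}

/** Returns the aliases that no name on the certificate covers. */
function uncoveredAliases(certNames: string[], aliases: string[]): string[] {
  return aliases.filter(
    (alias) => !certNames.some((certName) => certNameCovers(certName, alias))
  );
}

// Constructed sample: a wildcard-only certificate against three aliases.
const sampleAliases = ["www.example.com", "example.com", "a.b.example.com"];
const missingWithWildcardOnly = uncoveredAliases(["*.example.com"], sampleAliases);

// Constructed sample: adding the apex name to the certificate covers it too.
const missingWithApexAdded = uncoveredAliases(
  ["*.example.com", "example.com"],
  ["www.example.com", "example.com"]
);
```

An empty result means every alias is covered; any name returned needs to be added to the certificate or dropped from the distribution's aliases.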

@rhboyd
Contributor

rhboyd commented Sep 2, 2019

There are a few problems with the TypeScript static-site example because of breaking changes since the example was created.

1.) It will attempt to create a new ACM Cert instead of loading an existing one.
These lines should be replaced with something like

const certificateArn = acm.Certificate.fromCertificateArn(this, "mycertArn", scope.node.tryGetContext("acmcertArn")).certificateArn;

and the Cert will be passed in as a context variable. You could also have ssm resolve it if you don't want to include the cert arn in your context.

2.) The current Route53 behavior is wrong. It will create a new HostedZone instead of using the existing one. These lines will create a new Hosted Zone, but you want to re-use an existing one (because you needed to have one in order to get the ACM Cert), so you need to pass in the HostedZone Name and HostedZone Id

      const zone = route53.HostedZone.fromHostedZoneAttributes(this, "myHostedZone", {
          zoneName: "Richard.Com",
          hostedZoneId: "a123456"
      })

@kaihendry
Author

What happens if you don't want a subdomain?

@rhboyd
Contributor

rhboyd commented Nov 5, 2019

Purchase a TLD? jk. The example would probably need some modification to support that use-case.

@kaihendry
Author

Ok, I've opened up a feature request at #151 quickly. Thanks!

@davidsteed

I have this issue too. I want to host a site and redirect www.site.com and site.com to the same site.
This does not appear to be possible.
I have a better example of the static site example here.

https://github.com/davidsteed/awscdkstaticsite
Tried several ways of doing this; none appear to work.
I was trying to use a redirect bucket. It was working, but now does not and I don't understand why. Then I tried to set a certificate that is valid for *.example.com and example.com and use that on a single distribution. This is possible using the console, but in cdk you do not appear to be able to add *.example.com and example.com to the same certificate.

@rhboyd
Contributor

rhboyd commented Feb 13, 2020 via email

@kaihendry
Author

I'm using Terraform now: https://github.com/kaihendry/dabase.com/blob/master/terraform/s3.tf

Not sure why I didn't think of using Terraform before. It's saner than JS/TS and being locked into a single Cloud provider.

@davidsteed

I have managed to work round the problem. See here:
https://github.com/davidsteed/awscdkstaticsite
