Delicious Brains

Documentation

Configure a Custom Domain for CloudFront with HTTPS

cloudfront-https-custom-domain

As Ian alluded to a few weeks back, we’re big fans of Let’s Encrypt and rightly so! It’s one of the biggest things to happen in web security for a long time and will hopefully encourage the majority of sites to switch to HTTPS. A world where all connections are encrypted between a user’s browser and web server seemed like a pipe dream just a few years ago, but that’s no longer the case.

Let’s Encrypt isn’t the only new Certificate Authority on the block. A few months ago Amazon also gained the same status. No surprises there! However, until the release of the AWS Certificate Manager there wasn’t a means to obtain certificates through Amazon. Similar to Let’s Encrypt, the AWS Certificate Manager greatly simplifies the process of generating SSL certificates for your CloudFront Distributions and Elastic Load Balancers. They’re also completely free and automatic renewals are taken care of out of the box.

Prior to the release of the AWS Certificate Manager, configuring CloudFront to use a custom domain over HTTPS was no easy feat. You had two options:

  1. Configure SNI, which is overly complex and time consuming. It’s worth noting that some older browsers, namely IE 6 and 7 do not support SNI, so the user will receive certificate errors. That said, if you’re at all concerned with security you probably shouldn’t support those browsers at all, as Microsoft officially dropped support for them so they will no longer receive security updates.
  2. Purchase a dedicated IP for your CloudFront distribution, costing you a small fortune ($600 per month). This approach does have the added benefit of supporting browsers that don’t support SNI.

If neither of those options were viable you could have used the default CloudFront domain (https://uniquesubdomain.cloudfront.net), however, this could have a negative effect on your page rank.

With the existing options explained, let’s see how easy it is to generate a certificate using the new ASW Certificate Manager.

Generate a Certificate

Before generating a certificate you need to prove ownership of the domain. Amazon only allows one method of verification at this time, which is it to email the registered owner and a handful of commonly used email addresses associated with the domain. This can be problematic if you’ve enabled WHOIS privacy and don’t have one of the predefined email addresses setup. If you’re lucky, your domain registrar will allow you to temporarily disable the WHOIS privacy so that Amazon can detect the registered owner. If not, you may have to setup a catch-all email address.

Log into the AWS console and visit the AWS Certificate Manager. Click ‘Get Started’ and you will be prompted to enter your first domain.

image1

Enter your domain and any subdomains you want the certificate to cover, or enter a wildcard as I have. Click ‘Review and request’ followed by ‘Confirm and request’. Shortly after you should receive an authorization email.

image2

Once you approve the request your certificate is ready to use.

image3

Adding the Certificate to CloudFront

Open the CloudFront console page and select your distribution.

image4

Click ‘Edit’ and add your custom domain to the ‘Alternate Domain Names’ option. Change the ‘SSL Certificate’ to ‘Custom SSL Certificate’ and select your previously created certificate from the dropdown list.

image5

That’s all there is to configure in the CloudFront console, but we need to update our DNS. Make a note of your unique CloudFront URL and log into your DNS control panel.

Add a new CNAME entry that points to your CloudFront domain. This entry should match that entered in the ‘Alternate Domain Names’ from within the CloudFront console.

image6

Add Your Custom Domain to WP Offload S3

Log into your WordPress dashboard and open the WP Offload S3 settings screen. Change the ‘Domain’ option to ‘CloudFront or custom domain’ and enter your new custom domain. If the site isn’t running over HTTPS you will also need to change the ‘SSL’ option to ‘Always SSL’. Hit ‘Save Changes’ and you will be prompted to perform a find and replace on your existing content. Click ‘Yes’ to update all existing URLs to point to the new custom domain. If you’re running the Assets Addon remember to also update the ‘Domain’ option on the Assets tab.

image7

Now if you load the front-end of your site and open the developer tools you should see that the URLs point to your custom domain.

image8

That’s all there is to it. It’s worth remembering that certificates generated using the AWS Certificate Manager use SNI, which as mentioned above isn’t supported by older browser versions. If you need to support them the only options are to purchase a dedicated IP or use the default CloudFront domain.

If you’ve ever had to generate a certificate and install it manually, you’ll know how awesome both Let’s Encrypt and the AWS Certificate Manager are. Providing your CDN supports either of these services, there really is no excuse to not use HTTPS to serve your assets – it’s a cinch to setup and costs absolutely nothing. Do you plan on making the switch? Let us know in the comments below.