Uploading SSL Certificate to IAM for Cloudfront
There's tons of Cloudfront questions out there, however the Googling for possible problems still amazes me. Here's mine...
What I'm currently attempting right now is to upload an SSL cert to IAM so I can use a custom domain name for Cloudfront (e.g. https://assets.mydomain.com). This, however, isn't going so well. The certs were purchased from DNSimple. The AWS cli upload is as so:
aws iam upload-server-certificate \
--server-certificate-name MyDomainProduction \
--path /cloudfront/ \
--certificate-body file://~/Downloads/STAR_mydomain_com/STAR_mydomain_com.crt \
--private-key file://~/Downloads/STAR_mydomain_com.key \
--certificate-chain file://~/Downloads/STAR_mydomain_com.pem
The error:
A client error (MalformedCertificate) occurred when calling the
UploadServerCertificate operation: Unable to validate certificate
chain. The certificate chain must start with the immediate signing
certificate, followed by any intermediaries in order. The index within
the chain of the invalid certificate is: 1
I think I've tried 500 different possibilities and I'm out of ideas as to why I can't get things to work. Here's what I got in my toolbox for what DNSimple and Comodo handed back to me:
STAR_mydomain_com.pemSTAR_mydomain_com.keySTAR_mydomain_com/AddTrustExternalCARoot.crtSTAR_mydomain_com/COMODORSADomainValidationSecureServerCA.crtSTAR_mydomain_com/COMODORSAAddTrustCA.crtSTAR_mydomain_com/STAR_mydomain_com.crt
What's the right combination of crts, pem, and key to get SSL working on Cloudfront?
You're almost done. The error is that you are using the wrong intermediate certificate file. You should use the bundle that only includes the chain, without the primary certificate.
In other words, from the DNSimple installation wizard, select Other and download the files (1), (2) and (4). You downloaded (3) instead of (4).
The main difference is that (3) is (4) + (1). But as you are already passing (1) explicitly using the --certificate-body param, Cloudfront only wants the chain without the primary.
- ftplib storbinary with FTPS is hanging/never completing
- curl: (60) SSL certificate problem: when uploading behind proxy
- Multiple domains and multiple certificates pointing to one MVC app
- Get "https://zzzztower.zzzz.com/api/v2/hosts/": x509: certificate relies on legacy Common Name field, use SANs instead
- SSL error downloading NLTK data
- traefik acme http challenge yields "No default certificate, fallback to the internal generated certificate"
- ASP.NET Core Development Certificates - error exporting the HTTPS developer certificate
- kex_exchange_identification: Connection closed by remote host
- Is there a way to securely transmit data (a TLS version) in 32 byte packets?
- How to install a cipher suite on Windows Server 2012
- Trying to set Http to Https Redirect on Nginx
- Make OpenSSL accept expired certificates
- Error when using selfhosted (Jetty) Metabase with ssl inside docker container
- Importing SSL Certificate into Eclipse
- Implementing Swish payment C# - Only on Azure - Sending client certificate - The request was aborted: Could not create SSL/TLS secure channel
- gitea using a normal user and https
- Node TLS Error: ca md too weak, when making request with Axios
- FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied
- TLS init_handler not getting set for Websocket++
- How to connect to MongoDB with certificate using DataGrip?
- Using ssl certificate with feign
- Install Let's Encrypt for multiple domains on same server
- Is TLS over TLS possible?
- Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate
- curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
- "Unknown Publisher" on non-domain machine using AD-created code signing certificate
- Java does not trusting any SSL Certificate on Windows
- "certificate verify failed" error when installing Ruby gems on Windows
- nginx reverse proxy working with ws but not with wss
- psql: server does not support SSL, but SSL was required