Tags: reactjs, amazon-s3, amazon-cloudfront, amazon-route53, aws-acm

CloudFront intermittently serves wrong SSL certificate (ERR_CERT_COMMON_NAME_INVALID) for subdomain behind Route53 and custom cert


I have a remoteEntry.js file in an AWS S3 bucket. I have CloudFront set up with a custom SSL cert, and it loads this remoteEntry.js from a URL like the one below:

https://modules.uat.mysite.com/available-modules/remoteEntry.js, for instance.

Below is the Route53 record:

Record name: modules.uat.mysite.com
Value: d1rs95wmy2p000.cloudfront.net.
Alias: Yes
Record type: A

The issue is that sometimes it works correctly and sometimes it randomly fails with an SSL error that says ERR_CERT_COMMON_NAME_INVALID for modules.uat.mysite.com. When I look in the Chrome browser, the certificate shown is the *.mysite.com certificate, which is basically the one my load balancer serves. That should not be the case with CloudFront. Not sure why it randomly tries to load the *.mysite.com cert instead of always loading the one that CloudFront has. This resolves itself randomly after a few minutes.

I suspect a fallback to the wildcard CNAME due to a DNS resolution failure or propagation lag.

Could a wildcard *.mysite.com CNAME interfere with subdomain resolution even when a more specific modules.uat.mysite.com record exists?

Expected behaviour: modules.uat.mysite.com should always resolve to CloudFront with the correct cert, regardless of client DNS state or network changes.

Here's a sample failing request chain:

https://apps.uat.mysite.com/dashboards -> https://apps.uat.mysite.com/main.js -> https://modules.uat.mysite.com/available-modules/remoteEntry.js?t=...


Solution

  • Found a DNS name server mismatch in DNS Made Easy when comparing with the UAT Route 53 hosted zone.

    Confirmed that the appropriate name servers are now being queried, and the issue appears to be resolved.
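The self-answer above pins the intermittent error on two sets of name servers serving different data. The following is an added example, not code from the post or from AWS: a small offline Python model of that situation. It resolves the hostname against two copies of the zone with RFC 4592 wildcard rules (a wildcard only answers when no more specific name exists, which is why the explicit record wins whenever the right servers are asked), checks the served certificate's SAN names against the hostname with RFC 6125 rules (a *.mysite.com wildcard covers exactly one label, so it can never cover modules.uat.mysite.com), and compares the NS set the parent delegates to with the hosted zone's own NS record set. All name-server names, the load-balancer name and the SAN lists are constructed; only d1rs95wmy2p000.cloudfront.net is taken from the post.

```python
"""Added example (not code from the post or from AWS): an offline model of the
failure mode described in the question and the two checks that localise it.
Every hostname, name-server list and target below is constructed sample data."""

import random

# Constructed sample record sets. The stale copy carries only the wildcard that
# points at the load balancer; the current copy (what the Route 53 hosted zone
# serves) adds the explicit alias to CloudFront.
HOST = "modules.uat.mysite.com"
ALB = "uat-alb.hypothetical.example"          # hypothetical load balancer name
CLOUDFRONT = "d1rs95wmy2p000.cloudfront.net"  # distribution name from the post
STALE_ZONE = {"mysite.com": "203.0.113.10", "*.mysite.com": ALB}
CURRENT_ZONE = {**STALE_ZONE, HOST: CLOUDFRONT}

# Constructed: the DNS names each endpoint presents in its certificate SAN list.
SAN_BY_TARGET = {ALB: ["*.mysite.com", "mysite.com"],
                 CLOUDFRONT: ["modules.uat.mysite.com"]}


def _names_that_exist(zone):
    """Owner names plus every ancestor: empty non-terminals 'exist' under RFC 4592."""
    names = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            names.add(".".join(labels[i:]))
    return names


def lookup(zone, qname):
    """Resolve qname against one zone copy using RFC 4592 wildcard rules.
    Returns (target, how): how is 'exact', the wildcard owner used, or None."""
    qname = qname.lower().rstrip(".")
    if qname in zone:
        return zone[qname], "exact"
    existing = _names_that_exist(zone)
    if qname in existing:            # exists as an empty non-terminal: no wildcard match
        return None, None
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in existing:     # closest encloser: the only wildcard that may apply
            wildcard = "*." + ancestor
            return (zone[wildcard], wildcard) if wildcard in zone else (None, None)
    return None, None


def cert_covers_host(san_dns_names, host):
    """RFC 6125 matching: '*' may only be the whole leftmost label and spans one label."""
    h = host.lower().rstrip(".").split(".")
    for name in san_dns_names:
        n = name.lower().rstrip(".").split(".")
        if len(n) != len(h):
            continue
        if n == h or (n[0] == "*" and n[1:] == h[1:]):
            return True
    return False


def ns_delegation_mismatch(parent_ns, zone_ns):
    """Compare the NS set the parent delegates to with the hosted zone's own NS set."""
    norm = lambda names: {n.lower().rstrip(".") for n in names}
    p, z = norm(parent_ns), norm(zone_ns)
    return {"consistent": p == z,
            "only_at_parent": sorted(p - z),
            "only_in_zone": sorted(z - p)}


def simulate(requests=200, stale_fraction=0.3, seed=1):
    """Count TLS hostname failures when a fraction of lookups land on the stale copy."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(requests):
        zone = STALE_ZONE if rng.random() < stale_fraction else CURRENT_ZONE
        target, _ = lookup(zone, HOST)
        if not cert_covers_host(SAN_BY_TARGET[target], HOST):
            failures += 1
    return failures


# Constructed NS sets: what the parent (e.g. DNS Made Easy) delegates to versus
# the NS record set inside the Route 53 hosted zone.
PARENT_NS = ["ns-1.awsdns-00.com.", "ns-2.awsdns-01.net.",
             "ns-900.awsdns-99.org.", "ns-901.awsdns-98.co.uk."]
ZONE_NS = ["ns-1.awsdns-00.com.", "ns-2.awsdns-01.net.",
           "ns-3.awsdns-02.org.", "ns-4.awsdns-03.co.uk."]

if __name__ == "__main__":
    print(lookup(CURRENT_ZONE, HOST), lookup(STALE_ZONE, HOST))
    print(cert_covers_host(["*.mysite.com"], HOST))
    print(ns_delegation_mismatch(PARENT_NS, ZONE_NS))
    print("failing requests:", simulate())
```

The live equivalents of these checks are `dig +short NS uat.mysite.com @<one of the parent's name servers>` compared against the NS record set shown for the hosted zone in the Route 53 console, and `openssl s_client -connect modules.uat.mysite.com:443 -servername modules.uat.mysite.com` to see which certificate a given resolution actually presents. Note that the ACM certificate on the CloudFront distribution has to list modules.uat.mysite.com or *.uat.mysite.com; a *.mysite.com wildcard cannot cover a two-label-deep name, which is exactly what the browser reports as ERR_CERT_COMMON_NAME_INVALID.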