179

I saw a few other questions regarding this without any real answers or information (or so it appeared).

I have an image here:
http://furniture.retailcatalog.us/products/2061/6262u9665.jpg

Which is redirecting to:
http://furniture.retailcatalog.us.s3.amazonaws.com/products/2061/6262u9665.jpg

I need it to be (https):
https://furniture.retailcatalog.us/products/2061/6262u9665.jpg

So I installed a wildcard ssl on retailcatalog.us (we have other subdomains), but it wasn't working. I went to check
https://furniture.retailcatalog.us.s3.amazonaws.com/products/2061/6262u9665.jpg

And it wasn't working, which means on the Amazon S3 website itself the https wasn't working.

How do I make this work?

Pat Myron
Kerry Jones
  • Your question doesn't explain exactly what you want to do. Do you want to make http requests redirect to https? If so, you should reword the title of the question to better state that fact. That will help more people to find this question and answer it. – A. Levy Jun 15 '10 at 19:38
  • No, I want to access the image securely. Is this possible? – Kerry Jones Jun 15 '10 at 20:19
  • That last [URL](https://furniture.retailcatalog.us.s3.amazonaws.com/products/2061/6262u9665.jpg) works for me, although it comes with a certificate error which is likely a problem for you – Michael Haren Jun 15 '10 at 20:21
  • Yes, that is a problem. For me it stops me from seeing it in the first place and I have to verify the cert manually to see it. – Kerry Jones Jun 15 '10 at 20:53
  • 1
    only a few years late to the game, but ssl cnames work with cloudfront. example cdn.example.com points to randomstring.cloudfront.net which points to your s3 bucket. https://cdn.example.com will serve content with no error, but you get a cert warning if trying to browse the url directly. – Neil McGuigan Nov 16 '12 at 06:26
  • Cloudfront doesn't solve it either. It has the same [restrictions on combining CNAMEs and HTTPS](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#CNAMEsAndHTTPS) that S3 does. – chris_radcliff Jan 09 '13 at 01:13
  • You can't use this URL with HTTPS, since it's a private URL, without IT tricks like CNAME. If you need to expose this file to the public, using a secure connection, you should use a public URL which is: https://s3.amazonaws.com// I recommend to always use this URL pattern, since it can be used for both HTTP or HTTPS. – Oran Mar 05 '14 at 09:39

4 Answers

184

This is a response I got from their Premium Services:

> Hello,
>
> This is actually an issue with the way SSL validates names containing a period, '.', character. We've documented this behavior here:
>
> http://docs.amazonwebservices.com/AmazonS3/latest/dev/BucketRestrictions.html
>
> The only straight-forward fix for this is to use a bucket name that does not contain that character. You might instead use a bucket named 'furniture-retailcatalog-us'. This would allow you to use HTTPS with
>
> https://furniture-retailcatalog-us.s3.amazonaws.com/
>
> You could, of course, put a CNAME DNS record to make that more friendly. For example,
>
> images-furniture.retailcatalog.us IN CNAME furniture-retailcatalog-us.s3.amazonaws.com.
>
> Hope that helps. Let us know if you have any other questions.
>
> Amazon Web Services

Unfortunately your "friendly" CNAME will cause host name mismatch when validating the certificate, therefore you cannot really use it for a secure connection. A big missing feature of S3 is accepting custom certificates for your domains.


UPDATE 10/2/2012

From @mpoisot:

The link Amazon provided no longer says anything about https. I poked around in the S3 docs and finally found a small note about it on the Virtual Hosting page: http://docs.amazonwebservices.com/AmazonS3/latest/dev/VirtualHosting.html


UPDATE 6/17/2013

From @Joseph Lust:

Just got it! Check it out and sign up for an invite: http://aws.amazon.com/cloudfront/custom-ssl-domains

Community
Kerry Jones
  • i assume last paragraph is also the part of the official response. thx for sharing, i came to stackoverflow just to ask the same question. – Devrim May 02 '11 at 00:25
  • The last paragraph is not part of the official response, glad I could help! – Kerry Jones Sep 04 '12 at 19:06
  • 1
    The link Amazon provided no longer says anything about https. I poked around in the S3 docs and finally found a small note about it on the Virtual Hosting page: http://docs.amazonwebservices.com/AmazonS3/latest/dev/VirtualHosting.html – mpoisot Oct 02 '12 at 21:49
  • Here's the relevant bit from @mpoisot link: "Specifying the bucket for the request using the HTTP Host header is supported for non-SSL requests and when using the REST API. You cannot specify the bucket in SOAP by using a different endpoint." Alas! – jedierikb Mar 08 '13 at 16:40
  • 1
    Just got it! Check it out and sign up for an invite: http://aws.amazon.com/cloudfront/custom-ssl-domains/ – Joseph Lust Jun 12 '13 at 13:26
  • $600! so this answer summarized is that there is no way to do this with only s3 – Travis Webb Aug 02 '13 at 06:28
  • 4
    Note that it's $600 PER MONTH. :-o – loneboat Oct 14 '13 at 14:53
  • 8
    It's now possible to use your own SSL certificate for Cloudfront with **no additional costs**. So the 600$/m charge is gone. – schickling Apr 01 '14 at 09:19
  • 4
    @schickling It's also worth noting that CloudFront made this change by allowing you to choose between **SNI** or **Dedicated IP** SSL. Dedicated IP SSL continues to cost $600, but SNI SSL is free. Just make sure the browsers you're targeting support SNI. – Ryan Pendleton Jun 21 '15 at 21:57
  • See related question here: http://stackoverflow.com/questions/32714351/amazon-s3-using-dns-alias-to-bucket-https-at-the-same-time – Sebastien Lorber Sep 22 '15 at 10:41
  • The "final piece" of this puzzle will be to allow Cloud Front to be a Route 53 private hosted zone endpoint. If that existed, I could finally do VPN staging / public production end to end testing – lol Jun 18 '17 at 07:02
111

I know it's a year after the fact, but using this solves it: https://s3.amazonaws.com/furniture.retailcatalog.us/products/2061/6262u9665.jpg

I saw this on another site (http://joonhachu.blogspot.com/2010/09/helpful-tip-for-amazon-s3-urls-for-ssl.html).

reach4thelasers
payton109
  • 1
    This is a great tip. And taking the protocol away, works well for POSTs too! – joet3ch Dec 02 '11 at 15:06
  • 18
    doesn't really seem to solve it. It still uses the amazon domain name (s3.amazonaws.com) so it sucks! – themihai Mar 16 '12 at 12:19
  • 14
    This doesn't suck. Yes, the domain is different, but it allows you to serve content over SSL on an *existing* bucket on S3. Without this scheme, you have to create a bucket just for your SSL-served files (because the S3 wildcard SSL certificate won't match files.yourdomain.com.s3.amazonaws.com): secure-yourdomain.s3.amazonaws.com. Now you have two buckets to manage instead of one. Not a big deal, but in web apps, any more complexity than what's absolutely needed sucks. – andrew Apr 16 '12 at 22:25
  • 7
    Hi, I'm actually the guy who wrote the referencing link you put there "Joonha". The little gem to not miss is using that technique + "//" alone as your protocol beginning. On my ecommerce development business, we do linking to URLs with "//" instead of "https://" or "http://" because we never have to care at that point. – King Friday May 05 '12 at 16:36
  • 4
    It seems this doesn't work anymore, I got a PermanentRedirect error. – Paulo Casaretto Jun 18 '12 at 22:56
  • 2
    @Paulo -- it still works, we use it all the time. – Kerry Jones Sep 04 '12 at 19:06
  • 5
    See my new answer regarding why this works for some people and not others. It matters what region your buckets are in. – Nate Dec 27 '12 at 20:41
  • 1
    Just to clarify the link follows this format: `//s3-region.amazonaws.com/bucketname/` so if you have your bucket in Ireland it would write like `//s3-eu-west-1.amazonaws.com/www.example.com/` – Immutable Brick Apr 27 '16 at 13:51
  • Your answer may cost people a lot of money. If you put cloudflare or another cdn in front of it, it will save you money because of caching. – Marcelo Agimóvel Feb 10 '19 at 08:29
47

payton109’s answer is correct if you’re in the default US-EAST-1 region. If your bucket is in a different region, use a slightly different URL:

https://s3-<region>.amazonaws.com/your.domain.com/some/asset

Where <region> is the bucket location name. For example, if your bucket is in the us-west-2 (Oregon) region, you can do this:

https://s3-us-west-2.amazonaws.com/your.domain.com/some/asset
Nate
  • 1
    When using a CNAME DNS record it's only about the domain resolution, so you can't redirect to an url with a path. See also: http://stackoverflow.com/questions/32714351/amazon-s3-using-dns-alias-to-bucket-https-at-the-same-time – Sebastien Lorber Sep 22 '15 at 10:39
  • 2
    This is good, but it bypasses static website hosting rules, such as redirect rules to index.html – Kim T Dec 14 '17 at 03:51
  • This is the perfect solution for web developers without a devops or sys-admin team. Sure, your assets won't have an elegant domain, but how many customers inspect the html or underlying requests and tsk tsk tsk at the domain url? Not many! Getting your static assets out of your application and onto S3 is a great first step in the first place. – stwr667 Oct 13 '19 at 05:58
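
The certificate-name check behind the answers above, as an added example that is not part of the original thread: it shows why a dotted bucket name or a "friendly" CNAME fails hostname validation and when the path-style URL is the fallback. It assumes the S3 endpoint certificate covers `*.s3.amazonaws.com`; the function names are hypothetical.

```python
# Added example (not from the thread). Assumption: the S3 endpoint certificate
# carries the wildcard name "*.s3.amazonaws.com"; a real certificate lists more names.
S3_WILDCARD = "*.s3.amazonaws.com"


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' stands for exactly one left-most DNS label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*' never spans a dot, so the label counts must agree
    if p_labels[0] != "*":
        return p_labels == h_labels
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def virtual_hosted_host(bucket: str) -> str:
    """Hostname used when the bucket name is part of the host."""
    return f"{bucket}.s3.amazonaws.com"


def path_style_url(bucket: str, key: str, region: str = "us-east-1") -> str:
    """URL form from the answers above: the bucket moves into the path."""
    host = "s3.amazonaws.com" if region == "us-east-1" else f"s3-{region}.amazonaws.com"
    return f"https://{host}/{bucket}/{key.lstrip('/')}"


def https_url_for(bucket: str, key: str, region: str = "us-east-1") -> str:
    """Use the virtual-hosted form only if the certificate name would match."""
    host = virtual_hosted_host(bucket)
    if wildcard_matches(S3_WILDCARD, host):
        return f"https://{host}/{key.lstrip('/')}"
    return path_style_url(bucket, key, region)


if __name__ == "__main__":
    # Hostnames taken from the question and the accepted answer.
    for name in ("furniture.retailcatalog.us.s3.amazonaws.com",
                 "furniture-retailcatalog-us.s3.amazonaws.com",
                 "images-furniture.retailcatalog.us"):
        print(name, "->", "match" if wildcard_matches(S3_WILDCARD, name) else "MISMATCH")
    print(https_url_for("furniture.retailcatalog.us", "products/2061/6262u9665.jpg"))
```
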
8

As previously stated, it's not directly possible, but you can set up Apache or nginx + SSL on an EC2 instance, CNAME your desired domain to that, and reverse-proxy to the (non-custom domain) S3 URLs.

Mark Wang
  • One way of finding the fully qualified SSL path to an S3 resource is to drill down to it using AWS console. The full path is displayed at the bottom of the Overview tab. – eric gilbertson May 08 '18 at 00:33