36

Does anyone know if it's possible to serve with CloudFront over HTTPS with your own certificate while using your own CNAME? I can't even find a way to set up my own SSL cert over S3... so I'm not sure if this is even possible.

UPDATE: If someone is interested in an update about this issue, maxcdn.com offers to host your SSL cert on your domain for only $59 flat fee a month.

It's not Amazon, but it even supports pulling from your server and hosting forever, or, if you send a cache control header, for whatever time you specify until it fetches the original URL again.

The whole offer is pretty neat. :D

Steffen Opel
Toby
  • Please note my post below (http://stackoverflow.com/questions/5164569/cloudfront-serving-over-own-ssl-certificate/7102979#7102979) as AWS now supports SSL Certs via two different methods. One of them is available without any additional charge. – John Mark Mitchell Mar 17 '14 at 02:50

5 Answers

28

I looked into this extensively, and no, currently it's not possible to use HTTPS with CNAMEs unless you're able to ignore cert name mismatches on the client side. HTTPS works with "simple" bucket names, but CNAMEs only work with bucket names that are fully-qualified domains.

AWS is always adding new features, so I can see them being able to serve up custom certificates at some point, but there's no support for that yet.

See: http://stackoverflow.com/questions/3048236/amazon-s3-https-ssl-is-it-possible

edit: Still not possible for direct access to S3, but it is possible through CloudFront: http://aws.amazon.com/cloudfront/custom-ssl-domains/

Tim Sylvester
  • Tim, I suggest you edit your post as this is definitely no longer true and because your post is ranked very high it might draw people to the wrong conclusion. – John Mark Mitchell Mar 17 '14 at 02:45
27

PLEASE NOTE THE EDITS & UPDATES BELOW

I am resurrecting this because Amazon is running a survey (as of this writing) which asks customers for feedback on their product roadmap.

See the post on this survey being available: https://forums.aws.amazon.com/thread.jspa?threadID=26488&tstart=30

and the direct survey link: http://aws.qualtrics.com/SE/?SID=SV_9yvAN5PK8abJIFK

EDIT: Noticed a post from June 11, 2012 that AWS had updated the survey link:

See the post on this survey being available: https://forums.aws.amazon.com/thread.jspa?messageID=363869

New Survey Link: http://aws.qualtrics.com/SE/?SID=SV_e4eM1cRblPaccFS

I think it is worth the time to provide them feedback about making CNAME + SSL a supported feature.

EDIT: Announced on June 11, 2013, custom SSL Certs with dedicated IPs are now supported with CloudFront on AWS:

See the feature announcement on the AWS Blog: http://aws.typepad.com/aws/2013/06/custom-ssl-domain-names-root-domain-hosting-for-amazon-cloudfront.html

One item of consideration before counting on going this route: you need to see significant value from deviating from the https://[distribution].cloudfront.net route, as the pricing is $600 USD per month for hosting custom SSL certs.

EDIT: Announced on March 5, 2014, custom SSL Certs using Server Name Indication (SNI) are now supported with CloudFront on AWS -- NO ADDITIONAL CHARGE:

As wikichen noted below, AWS now supports custom SSL Certs via SNI. This is HUGE as it opens the possibility of leveraging AWS' existing infrastructure (IP addresses). As such, AWS does not charge extra for this service! To learn more, read about it on the AWS blog post: http://aws.typepad.com/aws/2014/03/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront.html

One item that should be noted, though: Server Name Indication (SNI) does have some drawbacks that should be considered before relying on it completely. In particular, it is not supported by some older browsers. If you want to understand this better, see: Is SNI actually used and supported in browsers?

EDIT: AWS announced on January 21, 2016, they supply custom SSL Certs for FREE!

To read about the full announcement on the AWS site: https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

Amazon has announced a new service called AWS Certificate Manager, offering free SSL/TLS certificates for AWS resources.

These certificates are usually purchased from third-party certificate providers like Symantec, Comodo and RapidSSL and can cost anywhere from $50 to hundreds of dollars, depending on the level of identity verification performed.

The process of obtaining a new certificate has always been a bit messy, requiring the generation of a Certificate Signing Request on the server being protected, sending that request to a certificate provider, and then installing the certificate once it is received. Since Amazon is managing the whole process, all of that goes away and certificates can be quickly issued and provisioned on AWS resources automatically.

There are a few limitations to the certificates. Amazon only provides domain validated certificates, a simple verification where domain validation takes place via email. If you want an Extended Validation certificate, you may stick with their current certificate providers. In addition, the certificates cannot be used for code signing or email encryption.

Community
John Mark Mitchell
  • survey completed. CNAME + SSL highlighted as my most important requested feature. Hope others can do this too. – William Denniss Oct 27 '11 at 14:48
  • 1
    Done the survey too. Good spot. – Matthew O'Riordan Feb 21 '12 at 15:19
  • I updated the URLs to the survey above. As I took the survey myself I noted that they added a feature ranking exercise. 1 of the 13 suggested features is "CNAME support over HTTPS (custom SSL certificates) - Ability to use custom CNAMEs for SSL traffic delivered over HTTPS." We are on the radar...NOW GET VOTING. – John Mark Mitchell Jul 12 '12 at 05:25
  • See the edit about where it was announced on June 11, 2013 that AWS CloudFront would start supporting custom SSL Certs. – John Mark Mitchell Jun 12 '13 at 06:24
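Added example, not part of any answer on this page: a Python sketch of the name check behind the "cert name mismatch" and SNI points above, showing why the shared `*.cloudfront.net` certificate does not cover a CNAME and how to see which certificate a host serves with and without SNI. The certificate dicts and the host names `cdn.example.com` and `d111111abcdef8.cloudfront.net` are constructed samples, and the function names are hypothetical.

```python
import socket
import ssl


def fetch_cert(host, send_sni=True, port=443, timeout=5.0):
    """Return the peer certificate dict, with or without the SNI extension."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared by cert_covers() below
    with socket.create_connection((host, port), timeout=timeout) as raw:
        sni = host if send_sni else None  # None omits SNI from the ClientHello
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """DNS names a certificate is valid for; CN is used only when no SAN exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, hostname):
    """True if any name in the certificate covers the requested host name."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def compare_sni(host):
    """Live check (needs network): is the host covered with SNI and without it?"""
    return {sni: cert_covers(fetch_cert(host, send_sni=sni), host) for sni in (True, False)}


# Constructed samples shaped like ssl.SSLSocket.getpeercert() output.
SHARED_CERT = {"subject": ((("commonName", "*.cloudfront.net"),),),
               "subjectAltName": (("DNS", "cloudfront.net"), ("DNS", "*.cloudfront.net"))}
CUSTOM_CERT = {"subject": ((("commonName", "cdn.example.com"),),),
               "subjectAltName": (("DNS", "cdn.example.com"),)}
```

Calling `compare_sni()` on your own CNAME after enabling SNI custom SSL shows whether clients that omit SNI would still be handed a certificate that covers the name.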
8

Starting today, you can use your own SSL certificate with AWS CloudFront http://aws.typepad.com/aws/2013/06/custom-ssl-domain-names-root-domain-hosting-for-amazon-cloudfront.html

but

  1. AWS must approve your request
  2. You pay $600 per month (!) for each SSL certificate associated with one or more CloudFront distributions.
goldstein
1

Just want to update this question with the latest AWS news. You can now use HTTPS with CNAMEs on CloudFront as it now supports custom SSL certificates using Server Name Indication (SNI).

http://aws.typepad.com/aws/2014/03/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront.html

Managed to set up a free Class 1 StartSSL cert for my CloudFront distributed static site on S3 without too much trouble (see: CloudFront error when serving over HTTPS using SNI).

Community
wikichen
1

It's now possible to use your own SSL certificate for CloudFront with no additional costs. So the 600$/m charge is gone.

From AWS newsletter:

You can now use your own SSL certificates with Amazon CloudFront at no additional charge with Server Name Indication (SNI) Custom SSL. SNI is supported by most modern browsers, and provides an efficient way to deliver content over HTTPS using your own domain and SSL certificate. You can use this feature with no additional charge for certificate management; you simply pay normal Amazon CloudFront rates for data transfer and HTTPS requests.

schickling