Why isn't CloudFront serving my domain name over HTTPS?
Last updated: 2022-11-18
I associated an SSL certificate with my Amazon CloudFront distribution, but I can't access my domain name over HTTPS. Why?
To resolve problems with accessing your domain name over HTTPS, check the following:
- Your SSL certificate's domain name must be added as an alternate domain name (CNAME) in your CloudFront distribution's settings. For more information, see Using custom URLs for files by adding alternate domain names (CNAMEs).
- The domain name of the SSL certificate must be consistent with the domain name associated with the CloudFront distribution. For example, if you issue an SSL certificate for *.example.com, then the CloudFront distribution will support domain names such as abc.example.com or 123.example.com. However, an SSL certificate for *.example.com won't support domain names such as abc.123.example.com. To use abc.123.example.com as a domain name, you need an SSL certificate for either *.123.example.com or abc.123.example.com.
- If you're getting cipher or TLS version mismatch errors, verify that your client is using SSL or TLS protocols and ciphers that CloudFront supports for communication between viewers and CloudFront.
- Verify that the status of your CloudFront distribution is Deployed. If the status is still InProgress, then you might not be able to access the domain name because data is still propagating across edge locations.
- If you recently updated your SSL certificate on AWS Certificate Manager, then verify that the certificate renewal status is Success. It might take several hours for the certificate renewal process to complete. For more information, see I renewed my Amazon-issued SSL certificate or reimported my certificate to ACM. Why does CloudFront still show the old certificate?
For more information on troubleshooting SSL errors, see SSL/TLS negotiation failure between CloudFront and a custom origin server.