Cloudfront Alternate DNS Name Requirement


I am trying to configure Amazon Cloudfront with a Let’s Encrypt certificate. However, I cannot get past the last requirement. Cloudfront needs a certificate with a wildcard, e.g. ‘*’, and then the required URL needs to be in the Subject Alt Names, e.g. ‘’. If I use the certificate service from Amazon, I have no problem creating this certificate; however, the API endpoint from Let’s Encrypt does not permit this due to certificate overlap.

I also tried generating a certificate from Let’s Encrypt that is directly pointing to ‘’, with the same name in the SAN field. However, then the browsers (in particular Firefox) complain with an SSL error SSL_ERROR_NO_CYPHER_OVERLAP.

This is the Ansible call to generate the certificate, challenge:

- name: Create challenge
  # Module name added for a runnable task; the original post omitted it.
  acme_certificate:
    account_key_content: "{{ letsencrypt_acces_key }}"
    acme_directory: ""
    acme_version: 2
    challenge: dns-01
    csr: "{{ r_tmpcerts.path }}/request.csr"
    fullchain_dest: "{{ r_tmpcerts.path }}/fullchain.pem"
    terms_agreed: yes
  register: r_letencryptchallenge
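Since the Ansible task above signs a CSR supplied as `request.csr`, the shape of that CSR decides what names end up in the SAN field. The following is an added example, not code from the thread: it builds a CSR whose SAN lists both the wildcard and the apex name (what CloudFront wants to see), then checks the result with openssl. `example.com` and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: build and check a CSR carrying both the wildcard and the
# apex name in subjectAltName. DOMAIN and WORK are constructed placeholders.
set -eu

DOMAIN="example.com"                   # placeholder, not from the thread
WORK="${TMPDIR:-/tmp}/csr-demo"        # placeholder scratch directory

# Generate a private key and a CSR with
#   subjectAltName = DNS:*.DOMAIN, DNS:DOMAIN
# and print the path of the CSR.
make_csr() {
  mkdir -p "$WORK"
  cat > "$WORK/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = *.$DOMAIN
[ext]
subjectAltName = DNS:*.$DOMAIN, DNS:$DOMAIN
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/request.key" -out "$WORK/request.csr" \
    -config "$WORK/csr.cnf" 2>/dev/null
  printf '%s\n' "$WORK/request.csr"
}

# Print the SAN entries of a CSR, one per line (e.g. "DNS:example.com").
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *//'
}

# Succeed only if the CSR names both *.DOMAIN and the bare DOMAIN.
csr_covers_apex_and_wildcard() {
  sans=$(csr_sans "$1")
  printf '%s\n' "$sans" | grep -qx "DNS:\*\.$DOMAIN" &&
    printf '%s\n' "$sans" | grep -qx "DNS:$DOMAIN"
}
```

Point the task's `csr:` parameter at the file `make_csr` produces; `csr_sans` can also be run against the issued certificate chain with `openssl x509` in place of `openssl req`.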

This usually has nothing to do with your certificate. How is your web server configured (i.e. what ciphers have you chosen)?


From Amazon’s side I have chosen both TLSv1.1_2016 and TLSv1.2_2018.

A certificate issued by Amazon seems to have no issues working with either, and at a glance the only difference between the 2 certs seems to be the SAN field.

You should enable TLS 1.3 as well. (and consider dropping 1.1)

I suspect this is some funny Amazon load balancing quirk. Let’s wait for somebody more AWS-knowledgeable.


The available options are limited: TLSv1, TLSv1_2016, TLSv1.1_2016, TLSv1.2_2018.


Am I the only one trying to make this work?!? :frowning:
