How to make this work with CNAMEd cdn?


#1

Hello. I used certbot to install this for my entirely nginx server, with PHP-FPM. We don’t have Apache at all. This works for the domain example.com. However, now we also need this to work for cdn.example.com, which is the CNAME for a CloudFront distribution. How do we make that work?

And will the HTTPS work also for WordPress? Our entire nginx hosting is for WordPress, which powers our website.


#2

In this case our website is pennyhart.com. The main domains (.com and the www…com) need to be Let’s Encrypt. But there’s also a cache.pennyhart.com, which is just a CNAME to CloudFront.


#3

I’d suggest that you don’t use Let’s Encrypt for your CloudFront subdomain. Use Amazon’s AWS Certificate Manager to issue a certificate and attach it to your CloudFront distribution. Their certificates are free, valid for 13 months, created using traditional email validation, and should renew automagically.

https://aws.amazon.com/certificate-manager/
https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-renewal.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html
https://console.aws.amazon.com/acm/home?region=us-east-1#/

You can use Amazon’s APIs to upload Let’s Encrypt certificates to ACM and use them with CloudFront, but it sounds like more of a hassle to me.

https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/APIReference/API_UpdateDistribution.html

Of course, it’s great to use Let’s Encrypt for your primary site. :smile: But I think it’s easier to integrate CloudFront with Amazon’s own CA.
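The ACM-plus-CloudFront procedure from the post above, as an added example script (not the poster's code and not part of the thread): it requests the certificate in us-east-1 with DNS validation, prints the validation CNAME you must publish, waits for issuance, then merges the certificate ARN and the alias into the existing distribution config and pushes it back with the ETag. It assumes AWS CLI v2 and jq are installed and credentials are configured; the domain cache.pennyhart.com and the distribution ID E1EXAMPLE are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes: aws CLI v2, jq,
# credentials with acm:* and cloudfront:Get/UpdateDistribution* rights.
# Usage: sh acm-cloudfront.sh cache.pennyhart.com E1EXAMPLE   (IDs hypothetical)
set -eu

# CloudFront only accepts ACM certificates issued in us-east-1, whatever
# region the rest of your stack lives in.
ACM_REGION="us-east-1"

# Pure helper (no AWS calls): the ViewerCertificate object CloudFront expects
# when an ACM certificate is attached to a distribution with alternate names.
viewer_certificate_json() {
  printf '{"ACMCertificateArn":"%s","SSLSupportMethod":"sni-only","MinimumProtocolVersion":"TLSv1.2_2021"}' "$1"
}

# Request a DNS-validated certificate; returns its ARN.
request_certificate() {
  aws acm request-certificate --region "$ACM_REGION" \
    --domain-name "$1" --validation-method DNS \
    --query CertificateArn --output text
}

# Show the CNAME record ACM wants published for validation (name/value).
validation_record() {
  aws acm describe-certificate --region "$ACM_REGION" --certificate-arn "$1" \
    --query 'Certificate.DomainValidationOptions[0].ResourceRecord' --output json
}

# Fetch the current distribution config, add the alias and the certificate,
# and submit it with the ETag so concurrent edits are rejected instead of lost.
attach_to_distribution() {
  dist_id="$1"; domain="$2"; arn="$3"
  tmp=$(mktemp)
  aws cloudfront get-distribution-config --id "$dist_id" > "$tmp"
  etag=$(jq -r .ETag "$tmp")
  jq --arg d "$domain" --argjson vc "$(viewer_certificate_json "$arn")" \
    '.DistributionConfig
     | .Aliases.Items = (((.Aliases.Items // []) + [$d]) | unique)
     | .Aliases.Quantity = (.Aliases.Items | length)
     | .ViewerCertificate = $vc' "$tmp" > "$tmp.cfg"
  aws cloudfront update-distribution --id "$dist_id" --if-match "$etag" \
    --distribution-config "file://$tmp.cfg" \
    --query 'Distribution.Status' --output text
  rm -f "$tmp" "$tmp.cfg"
}

main() {
  domain="$1"; dist_id="$2"
  arn=$(request_certificate "$domain")
  echo "Publish this CNAME at your DNS provider, then wait:"
  validation_record "$arn"
  # Blocks until ACM sees the record and issues the certificate.
  aws acm wait certificate-validated --region "$ACM_REGION" --certificate-arn "$arn"
  attach_to_distribution "$dist_id" "$domain" "$arn"
}

# Only run when invoked with arguments, so the helpers can be sourced/tested.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

After the distribution reports Deployed, confirm the edge is serving the new certificate with `openssl s_client -connect cache.pennyhart.com:443 -servername cache.pennyhart.com` and check the issuer is Amazon rather than Let's Encrypt. Leave DNS validation records in place: ACM reuses them for the automatic renewals the post mentions.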


#4

Thank you. Kind of where I landed up in my imagination. But just to check: it’s totally OK to have the main domain (domain.com and www.domain.com) to be powered by LE, but within the pages of the website have CDN urls based on cnames (cdn.domain.com) that are powered by AWS’ own certs?


#5

Yup! It’s fine. :smiley:


#6

Thank you so much.

Now I have the actual big issue. Nginx doesn’t seem to like LE-generated certificates, or perhaps my conf file has wrong instructions? I’ve just lifted them from the web.
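Since the poster's conf file is not shown, here is an added example of an nginx server configuration that loads certbot's output for the main site behind WordPress and PHP-FPM. It is not the original poster's configuration: the paths assume certbot's default lineage layout under /etc/letsencrypt/live/example.com/, the web root /var/www/wordpress and the socket /run/php/php-fpm.sock are placeholders, and cdn.example.com deliberately has no server block here because that name resolves to CloudFront, not to this host.

```nginx
# Added example, not the thread poster's conf. Paths are assumptions.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Keep HTTP-01 challenges reachable over plain HTTP so renewals keep working.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # fullchain.pem = leaf + intermediate. Pointing ssl_certificate at cert.pem
    # alone is the classic "nginx doesn't like the cert" mistake: nginx starts,
    # but clients without the intermediate cached fail chain validation.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    root /var/www/wordpress;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Lets WordPress build https:// URLs instead of mixed-content http:// ones.
        fastcgi_param HTTPS on;
    }
}
```

Before reloading, run `certbot certificates` to confirm the lineage name actually used in the paths, then `nginx -t` to catch a wrong path or an unreadable key (nginx runs the config check as root, but a key only readable by root is fine since the master process reads it). After `systemctl reload nginx`, `openssl s_client -connect example.com:443 -servername example.com` should show a two-certificate chain with a Let's Encrypt issuer; a one-certificate chain means cert.pem was used instead of fullchain.pem.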

