Thanks for taking the time to read this help request.
I have a Lightsail instance with its own SSL certificate generated using the BNCert tool. This all works fine and https works correctly.
When following this guide by the AWS team to enable CloudFront distribution, issues start to happen: https://aws.amazon.com/blogs/compute/improving-website-performance-with-lightsail-content-delivery-network/
Following this guide to a tee creates the xxx.cloudfront.net distribution, which interacts with the Lightsail installation with an HTTP origin policy.
When switching the origin policy to HTTPS, a 502 error presents itself.
After troubleshooting, I've determined the following:
- The Lightsail installation works fine and the certificates generated by the BNCert tool cover www.domain.com and domain.com
- Using the Lightsail CloudFront distribution over HTTP as the origin policy also works because no HTTPS request is being made.
- Setting the origin policy to HTTPS only on the Lightsail side results in the following error:
My understanding of the issue is that the certificate generated by Lightsail, which covers the xxx.cloudfront.net distribution along with www.domain.com and domain.com, is adequate for the distribution side. But the certificate on the Lightsail side only covers www.domain.com and domain.com.
The result of this is that it rejects xxx.cloudfront.net because it's not specified as a domain on the Lightsail end (where the SSL certificates were generated by the BNCert tool).
So my question is – is it possible to allow the SSL certificate on the Lightsail side to include the xxx.cloudfront.net domain as a trusted recipient?
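An upstream that connects to an origin over HTTPS verifies the origin's certificate against the hostname it was configured to use; a name that is absent from the certificate's Subject Alternative Names fails that check, and an HTTPS-only origin policy is what exposes the gap. The script below is an added diagnostic example, not code from the post or from AWS: it reproduces the hostname-to-SAN matching rule (exact names plus single-label wildcards) over a constructed SAN list, and includes an optional network helper that pulls the DNS SANs from a live origin so the same check can be run against a real deployment. The hostnames `example.com`, `www.example.com` and `xxx.cloudfront.net` are placeholders.

```python
"""Check whether an origin's TLS certificate covers the hostname an upstream
(a CDN, a reverse proxy, a health checker) will use to reach it.

Added example; not from the original post. All hostnames are placeholders.
"""
from __future__ import annotations

import socket
import ssl
from typing import Iterable, List


def hostname_covered(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if `hostname` matches one of the certificate's DNS SANs.

    Applies the usual wildcard rule: '*.example.com' matches exactly one
    label ('www.example.com') but neither the bare 'example.com' nor a nested
    'a.b.example.com'. Comparison is case-insensitive and ignores a trailing dot.
    """
    host = hostname.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            suffix = san[1:]  # ".example.com"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]
                # the wildcard must consume exactly one non-empty label
                if prefix and "." not in prefix:
                    return True
        elif san == host:
            return True
    return False


def uncovered_hostnames(candidates: Iterable[str], san_dns_names: Iterable[str]) -> List[str]:
    """Return the candidate hostnames the certificate does NOT cover.

    Feed it every name an upstream might present for the origin; any name in
    the result will fail certificate verification at that upstream.
    """
    sans = list(san_dns_names)
    return [h for h in candidates if not hostname_covered(h, sans)]


def fetch_dns_sans(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect with SNI = `host`, verify the chain against the system trust
    store, and return the DNS names from the leaf certificate.

    Hostname checking is turned off here only so the certificate can still be
    retrieved and reported when the name is missing; verify_mode stays
    CERT_REQUIRED, so an untrusted chain still fails loudly.
    Network call; not exercised by the offline sample below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample: the SANs as issued for the origin, and the names that
# different callers might use when connecting to it over HTTPS.
SAMPLE_SANS = ["example.com", "www.example.com"]
CALLER_NAMES = ["www.example.com", "example.com", "xxx.cloudfront.net"]


if __name__ == "__main__":
    missing = uncovered_hostnames(CALLER_NAMES, SAMPLE_SANS)
    print("certificate SANs:", SAMPLE_SANS)
    print("names that would fail verification:", missing)
```

To test a live origin, replace `SAMPLE_SANS` with `fetch_dns_sans("origin.example.com")` and put the exact origin hostname configured at the upstream into `CALLER_NAMES`; an empty result means every listed name is covered, while any name printed is one the certificate must be reissued to include (or the upstream reconfigured to use a name that is covered).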