
Possible Issue: Failing to add CNAME to CloudFront distribution

Open dciphered opened this issue 4 years ago • 4 comments

Hi guys,

I've been experiencing an issue with the initial deployment procedure, namely the script failing when attempting to add a custom domain to the CloudFront distribution.

Firstly, because of the ACM region restrictions, I've created a new public certificate in the us-east-1 region that matches the custom domain that I plan to utilise for images (e.g. img.domain.com). However, I've specified the region within the settings yaml file as eu-west-2.

The CUSTOM_DOMAIN parameter has been set to reflect the cert name/SAN and the ACM_CERTIFICATE_ARN parameter has been set to reference the new certificate in the format of: arn:aws:acm:us-east-1:12345678:certificate/abc123-abc123-abc123-abc123-abc123 (sanitised)

In short, the process fails each and every time with the following error: An error occurred: CloudFrontDistribution - Resource handler returned message: "Invalid request provided: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: CloudFront, Status Code: 400, Request ID: ......

What am I missing?

Versions
Operating System: MacOS 10.15.7
Serverless Sharp: 2.1.1

dciphered avatar May 16 '21 08:05 dciphered

I haven't used the custom domain functionality myself. Maybe @bs-thomas can provide some insight, since he authored the original feature?

Mosnar avatar May 16 '21 19:05 Mosnar

Thanks @Mosnar - would be great to get some clarity on this issue. As a temporary workaround, I removed those parameters from the settings file and after the env was spun up, I manually added the CNAME and custom SSL cert to the CF distribution. Only problem is, when redeploying via the IaaC method, it overwrites the above changes and reverts back to using the default CF SSL cert.

Definitely needs some further debugging...

dciphered avatar May 18 '21 01:05 dciphered

Confirmed, this still doesn't work (not even if you attempt to deploy it on us-east-1).

Wintereise avatar Jan 23 '22 10:01 Wintereise

The logic seems to have broken after another contributor added the ACM_CERTIFICATE_ARN feature, which allows direct specification of a certificate by ARN.

I have re-programmed the logic as follows:

  • Check if there is ACM_CERTIFICATE_ARN provided. If so, use it to bind to CloudFront.
  • Otherwise, check if there is a CUSTOM_DOMAIN provided. If so, create a new certificate, and use it to bind to CloudFront.
  • Otherwise, assume there is no domain nor certificate binding. Just use the good ole CloudFront domain.

Sending in a pull request in just a bit.

bs-thomas avatar Jun 29 '22 08:06 bs-thomas
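The three-way precedence bs-thomas describes above, written out as an added example (this is not serverless-sharp's own code or the pull request in question). It takes the two settings as an options object and returns the CloudFormation fragments for the distribution, and it refuses to emit an alias without a certificate, which is exactly the combination the error message in the original report rejects. It also checks the ARN region up front, since CloudFront only accepts ACM certificates from us-east-1. The option names, the logical ID `ImageCertificate` and the sample domain and ARN below are assumptions for the example:

```javascript
// Added example, not serverless-sharp's own code: encodes the precedence
// described in the comment above as a function that emits the CloudFormation
// fragments for a CloudFront distribution. The option names, the resource
// logical ID "ImageCertificate" and the sample values are assumptions.

const ACM_ARN_RE = /^arn:aws:acm:([a-z0-9-]+):\d{12}:certificate\/[0-9a-f-]+$/;

function viewerCertificateConfig({ acmCertificateArn, customDomain } = {}) {
  const resources = {};
  let viewerCertificate;
  let aliases;

  if (acmCertificateArn) {
    // 1. An explicit ARN wins. CloudFront only accepts ACM certificates that
    //    live in us-east-1, so reject anything else here instead of letting
    //    CloudFormation fail halfway through the deployment.
    const m = ACM_ARN_RE.exec(acmCertificateArn);
    if (!m) {
      throw new Error(`ACM_CERTIFICATE_ARN is not an ACM certificate ARN: ${acmCertificateArn}`);
    }
    if (m[1] !== 'us-east-1') {
      throw new Error(`CloudFront requires the ACM certificate to be in us-east-1, got ${m[1]}`);
    }
    viewerCertificate = {
      AcmCertificateArn: acmCertificateArn,
      SslSupportMethod: 'sni-only',
      MinimumProtocolVersion: 'TLSv1.2_2021',
    };
    if (customDomain) aliases = [customDomain];
  } else if (customDomain) {
    // 2. No ARN but a domain: request a certificate in the same stack and bind
    //    it. Ref on AWS::CertificateManager::Certificate returns the ARN.
    //    Caveat: CloudFormation creates it in the stack's region, so this branch
    //    only yields a certificate CloudFront can use when the stack itself is
    //    deployed to us-east-1.
    resources.ImageCertificate = {
      Type: 'AWS::CertificateManager::Certificate',
      Properties: { DomainName: customDomain, ValidationMethod: 'DNS' },
    };
    viewerCertificate = {
      AcmCertificateArn: { Ref: 'ImageCertificate' },
      SslSupportMethod: 'sni-only',
      MinimumProtocolVersion: 'TLSv1.2_2021',
    };
    aliases = [customDomain];
  } else {
    // 3. Neither: plain *.cloudfront.net hostname with the default certificate.
    viewerCertificate = { CloudFrontDefaultCertificate: true };
  }

  // Invariant that the failing deployment violated: an alias is only ever
  // emitted together with an ACM certificate to back it.
  if (aliases && !viewerCertificate.AcmCertificateArn) {
    throw new Error('internal error: alias emitted without a certificate');
  }

  const distributionConfig = { ViewerCertificate: viewerCertificate };
  if (aliases) distributionConfig.Aliases = aliases;
  return { resources, distributionConfig };
}

// Stand-alone usage with a constructed domain name.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(viewerCertificateConfig({ customDomain: 'img.example.com' }), null, 2));
}
```

What this cannot check offline is that the certificate's subject or SANs actually cover `CUSTOM_DOMAIN`; CloudFront validates that at deploy time, so a cert for the wrong name still produces the 400 from the original report even when the ARN is well formed and in the right region.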