Comments for Set up SSL


From @hutualive on Thu Aug 03 2017 08:23:49 GMT+0000 (UTC)

two comments:
1.the certificate can be selected from the dropdown list of cloudfront, is only available to be created in us-east-1 region(N.Virginia), create from other region is not working.
2.for bare domain(,suggest for the viewer policy to use redirect http to https, which is less confusing and better for the security purpose. because when we hitting, will auto redirect to, but when we hitting, it will stay as is unless people specify, which is not normal case.

thanks for your great tutorial : )



From @jayair on Thu Aug 03 2017 17:24:45 GMT+0000 (UTC)

@hutualive good point on the certificate region issue. Added a note.

For the bare domain, we do ask people to redirect HTTP to HTTPS. It’s one of the steps in the chapter.



From @littleredshack on Tue Dec 12 2017 22:26:12 GMT+0000 (UTC)

There is a second step in AWS Certificate Manager to validate either via DNS or email:



From @jayair on Fri Dec 15 2017 17:00:49 GMT+0000 (UTC)

@littleredshack Did you do the CNAME record in place of the email validation?



From @littleredshack on Sat Dec 16 2017 02:55:19 GMT+0000 (UTC)

Yes. There was an option to allow AWS to update the DNS and I just clicked on that



From @jayair on Sun Dec 17 2017 22:50:47 GMT+0000 (UTC)

@littleredshack I see. Yeah we might cover that option in the future.



From @BIWhitfield on Tue Feb 20 2018 14:13:35 GMT+0000 (UTC)

Hi guys, great tutorial! One of my only issues was that when I set up the validation in this section by email, it sent validation emails to 5 common email addresses associated with the domain I bought from Route 53. However I can’t for the life of me work out how to access those emails to approve the validation. As far as I can tell the Route 53 domain doesn’t support email forwarding and I can’t find an inbox area to validate. I’ve ended up clearing out the validation by email and doing the DNS way. Just waiting on that to refresh (30 mins apparently) so I can finish the https part of that chapter.

Any ideas where those emails go just for my own reference?



From @jayair on Fri Feb 23 2018 21:43:58 GMT+0000 (UTC)

@BIWhitfield Honestly I’m not entirely sure. I think it goes to what Route53 thinks is associated with your domain?

We should change the tutorial to use the DNS way instead, it’s far more reliable.



My notes app is hosted in a different region (not US East, N.Virginia). I am using Certificate Manager for the first time. However, I don’t see the option to get started in the Certificate Manager home page.

Further, when I try to provision a certificate, I see 4 steps on the left versus the three listed in the tutorial. Further, in the validation screen, I am not able to expand the domains. I am not sure if I should go ahead and request the certificate. Has someone faced something similar? Thanks for any help.



I think Certificate Manager is for certain specific regions.

Can you post a screenshot for the options you are seeing in the console?



This is by far the best resource I found on deploying SPA to aws.

I have one question: Is there a way to prevent users using the static website hosting URL (I want to prevent it since it’s not https)?
If they enter via CF then using the ssl works fine, but what happens when they access the “bucket” directly?

1 Like


Hmm but aren’t the S3 bucket URLs https by default? Or are you saying what would happen if they access it via http?



they aren’t HTTPs.
based on the picture you uploaded look at the address:



Yeah I’m not entirely sure how you would hide it, aside from obscuring it.



Nothing works… :frowning:

I buy the domain and I did all the steps of this tutorial but my domain doesn’t work… I get the error: cannot find the ip address for

The CloudFront works with the URL

The bucket works with the URL

Other screenshots of my configuration here:



One of the issues with the domain configuration is that if you make a mistake it takes a while for the fix to take effect. Are you still having this issue?

Edit: I see the link doesn’t work. From the screenshots it looks like it is configured properly. But when I $ping it doesn’t work. It seems like the domain is not pointing to anything?



Hello @jayair . The problem is still there… :frowning:



Yeah it looks like it. Can you try pointing the domain to something else? It seems like it just isn’t pointing to anything. Everything else in your setup seems fine.




I recently went through this step again - I did the first time in ~Feb. Since then, I noticed a change. It appears that you have to create the certificate in ACM before you can give a CloudFront distribution an alternate CNAME. If you try to create the CNAME first, CloudFront fails with:

I swapped the order of the steps - I created the cert first and then the CNAME, and everything works fine.

I was able to follow the steps in this chapter exactly in ~Feb, so I think this is a relatively recent change on amazon’s side.

1 Like


I see. Thanks for letting us know. I’ll take a look at this when we update this chapter.