Pointing a Subdomain to An External Service with SSL

Hello,

  • my netlify site name is: tender-johnson-b70f92.netlify.app
  • My custom domain is www.ab11y.com

I have an already-existing external content distribution that I would like to incorporate into my general Netlify website, ideally via a subdomain. (This will be used to provide access to dynamically generated files like PDFs etc. that are not part of my website build, so within your T&C’s I believe.)

My CDN is at d254skkfwb47xj.cloudfront.net (via AWS)
and I have mapped this using a CNAME record in the Netlify DNS to the subdomain files.ab11y.com.

So, for example https://files.ab11y.com/index.html should show the content at https://d254skkfwb47xj.cloudfront.net/index.html. But the files.ab11y.com request returns an SSL error:

$ curl -I https://files.ab11y.com/index.html
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I’m guessing the subdomain files.ab11y.com is not properly covered by the *.ab11y.com (wildcard) SSL certificate? Do I need to do anything extra to add a subdomain to my site’s SSL certificate?

N.B. I have a certificate installed on the CDN for the files.ab11y.com domain, I don’t think the issue is on that end, I’ve done this a few times with other hosts in the past and never had a problem.

If you absolutely want your CDN on a subdomain, then you will indeed need to add the missing domain on the certificate, and the only way to do that is to use a different certificate altogether and have it installed on their servers.

That said, from what I’m seeing, the current error occurs before the client even attempts to download the certificate. The issue is that the client and server can’t even agree on which cypher to use. In fact, it seems that no version of SSL or TLS is supported at all, according to CDN77’s TLS Checker service.

I can confirm that HTTPS works fine when using the domain provided by your CDN, and your CNAME record appears to be correctly configured as well. I suspect that CloudFront might change behavior depending on the requested host to accommodate multiple customers simultaneously. I’m not familiar with CloudFront, so I have no idea if custom domains are even supported by their service or not, but what I can say is that I get an HTTP 403 error when I try to access http://files.ab11y.com/index.html, which appears related.

As such, this does not appear to be a Netlify issue, but rather an issue on the CDN side.

Hope this helps!
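The reply above separates two questions that the `curl` error alone does not: does the edge complete a TLS handshake for the subdomain at all, and if it does, does the served certificate actually cover that name. Here is an added diagnostic script that makes that split explicit (my own example, not code from the thread or from Netlify/AWS). The wildcard matching follows the usual one-label rule, so `*.ab11y.com` covers `files.ab11y.com` but not `ab11y.com` or `a.files.ab11y.com`; the default target hostname is taken from the thread.

```python
# Added diagnostic (not from the thread). Two observations, then a verdict:
# 1) does a TLS handshake with SNI=<host> complete at all?
# 2) if so, does the certificate's SAN list cover <host> (RFC 6125 wildcard rules)?
import socket
import ssl

def hostname_matches(pattern: str, host: str) -> bool:
    """True if a certificate name (possibly '*.example.com') covers host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                    # '*.ab11y.com' -> '.ab11y.com'
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]             # what the '*' would have to cover
    return bool(left) and "." not in left   # exactly one label, never the apex

def cert_covers(san_names, host: str) -> bool:
    return any(hostname_matches(name, host) for name in san_names)

def classify(handshake_ok: bool, san_names, host: str) -> str:
    """Map the two observations onto the cases discussed in the thread."""
    if not handshake_ok:
        # Failure before any certificate is sent: the edge did not accept the
        # name at all, so a new certificate would not help (CDN-side config).
        return "no TLS handshake for this host: check the CDN's alternate domain names"
    if not cert_covers(san_names, host):
        return "handshake ok but certificate does not cover the host: add it to the cert"
    return "TLS and certificate are fine for this host"

def san_dns_names(peercert: dict):
    """Extract DNS entries from ssl's getpeercert() dict."""
    return [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]

def tls_probe(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake with SNI=host; returns (handshake_ok, san_names, detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # name check is done by classify() instead
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, san_dns_names(tls.getpeercert()), tls.version()
    except OSError as exc:                  # ssl.SSLError is an OSError subclass;
        return False, [], str(exc)          # chain failures also land here

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "files.ab11y.com"
    ok, sans, detail = tls_probe(target)
    print(f"{target}: handshake_ok={ok} detail={detail!r} sans={sans}")
    print(classify(ok, sans, target))
```

Run it once against the subdomain and once against the CDN's own hostname; in the situation described above the first fails at the handshake step while the second reaches the certificate check.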

You were correct, there was a missing configuration on the CloudFront distribution. I got it to work by adding files.ab11y.com to the “Alternate Domain Names (CNAMEs)” setting in the AWS Console. Thank you.
