2

I have bought a domain example.com and am hosting it on AWS Elastic Beanstalk. To support HTTPS, I issued a wildcard certificate from AWS Certificate Manager for *.example.com and assigned it to both the EB instance and the ELB. Since I bought the domain at GoDaddy, I also added a wildcard (*) CNAME DNS entry at GoDaddy DNS and gave the ELB AWS name as the target value.

Doing so works for subdomains just fine and I can hit https://anystring.example.com and go to the index page of my EB environment. But the problem is that I cannot use https://example.com (without subdomain) to go to the environment. It does not find the domain entry. And I do understand why, but I'm not sure what to do to resolve it.

I tried adding a new CNAME entry:
Name: @
Value: ELB AWS Value
But GoDaddy gave me an error that the record is already present. I searched and found on SO that as long as some @ entry exists, I can't add another one.

I searched around more and did a couple more things to make progress:

1. I added a CNAME www entry and assigned the ELB AWS name as the target, so now I can hit https://www.example.com and go to the env. index page.
2. I added a domain forward (forward @ to https://www.example.com), so putting just example.com in the URL works and forwards to https://www.example.com.

But I'm still not able to go to the index page using https://example.com

Any advice?

Rahul

2 Answers

3

You can't use a CNAME at the root domain (example.com), only for a subdomain. This is due to DNS standards / design. Read this question / answer.

The solution is to move your DNS to AWS Route 53. The cost is relatively trivial and it's a much better way to reference an ELB from DNS. Route 53 gives you alias records, which let you point your root domain (i.e., without the www) at the ELB.

Set up Route 53 for your domain, then point GoDaddy at the name servers Route 53 gives you. There are instructions here.

A couple of resources for you.

- Using ELB with EB - http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html

Tim
0

"example.com" and "*.example.com" are completely different names in terms of SSL validation due to how the domain syntax validation works and the importance of dots in it. If you acquire a wildcard certificate (*.example.com), it is only valid for requests that contain a single (and only a single) subdomain prior to "example.com"; it will not be valid for the apex domain. The same applies for nested subdomains; for example, a.b.example.com won't fit *.example.com.

To achieve your goal you should buy a certificate containing both the apex domain and the wildcard name in the CommonName field.

ma.tome
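The matching rule described in the answer above, as an added example that is not part of the original answer: a simplified left-most-label wildcard matcher that reports which name on a certificate, if any, covers a given hostname. The function names and the two name lists are constructed for illustration; real TLS libraries apply further checks that this sketch leaves out.

```python
# Added example: left-most-label wildcard matching for certificate names.
# Function names and the name lists below are constructed for illustration.

def _labels(name):
    """Lower-case a DNS name, drop a trailing root dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name, hostname):
    """True if one certificate name covers hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so it never spans a dot and never matches zero labels.
    """
    pattern, host = _labels(cert_name), _labels(hostname)
    if "" in pattern or "" in host:
        return False                      # empty label, e.g. ".example.com"
    if len(pattern) != len(host):
        return False                      # apex and nested names fail here
    if any("*" in label for label in pattern[1:]):
        return False                      # wildcard outside the left-most label
    if pattern[0] == "*":
        return "*" not in host[0] and pattern[1:] == host[1:]
    if "*" in pattern[0]:
        return False                      # partial wildcard ("w*"): rejected in this sketch
    return pattern == host


def covering_name(cert_names, hostname):
    """Return the first certificate name that covers hostname, else None."""
    for cert_name in cert_names:
        if name_matches(cert_name, hostname):
            return cert_name
    return None


# Constructed name lists: wildcard only, and wildcard plus apex.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_AND_APEX = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host in ["www.example.com", "anystring.example.com",
                 "example.com", "a.b.example.com"]:
        print(f"{host:24} wildcard only: {covering_name(WILDCARD_ONLY, host)!s:16}"
              f" wildcard + apex: {covering_name(WILDCARD_AND_APEX, host)}")
```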