
I am using AWS EC2 to host my WP site with CyberPanel (LiteSpeed Enterprise and the LSCache plugin), using a free Let's Encrypt SSL certificate (certbot).

I tried to activate the AWS CloudFront CDN on my site but am getting the following errors:

  • SSL_ERROR_NO_CYPHER_OVERLAP in Firefox
  • ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome

Below are screenshots of my various settings.

Origin Settings (screenshot)

I am using the Public DNS name as my origin domain.

Distribution Settings (screenshot)

Generated the SSL certificate in AWS Certificate Manager and applied it here. Added cdn.domain.tld as an alternate domain name and added it as a CNAME pointing to the distribution in Route 53.

Default Cache Behavior Settings (screenshot)

I am not sure what I am doing wrong here.

Note: I have TLS v1.3 enabled in my LiteSpeed.

Comments:

Your configured alternate domain name looks like cdn... but is that the domain name you're typing into the browser when you get this error? – Michael - sqlbot

@Michael-sqlbot I have added it as a CNAME alias to the CloudFront distribution URL in Route 53. The error starts coming on my site as soon as I update my A records to the CloudFront distribution URL. Also, when I visit my CloudFront distribution URL in the browser it throws a 504 error. – sanjay ojha

I'm not sure whether you answered the question that I asked. If your site is example.com and you point that name to CloudFront in Route 53, but in CloudFront you have only cdn.example.com configured as Alternate Domain Name, the SSL error is expected because your browser connects to CloudFront and tries to negotiate SSL for a hostname that you didn't configure in the Alternate Domain Name settings... so CloudFront essentially "pretends" to be unable to negotiate SSL (resulting in that error) since it sees the traffic as invalid/nonsensical. – Michael - sqlbot

Here is what I have done in Route 53. First I created a CNAME alias for cdn.example.com and pointed it to dxxxxxxxxxx.cloudfront.net. Then I edited the A record for example.com and made it an alias pointing to dxxxxxxxxxx.cloudfront.net (removed the IP address of the EC2 instance). My example.com domain has a Let's Encrypt SSL certificate generated from certbot on EC2, while I also generated an SSL certificate in AWS Certificate Manager and added it to CloudFront (as shown in the image above). Am I missing something? – sanjay ojha

Have you tried analyzing the certificates using something like this: ssllabs.com/ssltest/analyze.html – J_Everhart383

1 Answer

Ok, I found the solution. I was making some mistakes.

I have an SSL certificate for mydomain and its www version only, no wildcard SSL. And I was adding cdn.mydomain.tld as an Alternate Domain Name, which has no valid SSL.

So I changed the Alternate Domain Names to mydomain.tld and www.mydomain.tld and it started working.

Also, the SSL certificate that I generated in ACM was wrong: I added *.mydomain.tld as the domain name, but I had to add mydomain.tld as well, which I did and it solved the problem.

Hope this helps someone and he/she does not make a silly mistake like me.

Thanks @Michael-sqlbot and Jeff from jeffreyeverhart.com for pointing me in the right direction.
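The two mistakes in this thread (a hostname routed to CloudFront that is not in the distribution's Alternate Domain Names, and an ACM certificate whose `*.domain` SAN does not cover the apex) can be caught before changing DNS. The following is an added example, not code from the question or answer; it applies the standard TLS wildcard rule (a `*.` SAN covers exactly one label, never the apex) and reports, per hostname, which of the two checks fails. The `BEFORE` and `AFTER` configurations are constructed placeholders that mirror the setup described above, not values from the original post.

```python
# Added example (not part of the original question or answer): checks, for each
# hostname that DNS points at a CloudFront distribution, whether the distribution's
# Alternate Domain Names and the ACM certificate's Subject Alternative Names cover it.
# All configuration values below are constructed placeholders.


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if `san` covers `hostname` under the usual TLS matching rules.

    A wildcard such as *.example.com covers exactly one label (cdn.example.com),
    never the apex (example.com) and never deeper names (a.b.example.com).
    """
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                      # ".example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]      # the part the '*' has to match
        return bool(label) and "." not in label
    return hostname == san


def diagnose(dns_hostnames, alternate_domain_names, certificate_sans):
    """Map each hostname routed to the distribution to 'ok' or a description of the gap.

    This mirrors the two checks from the thread: CloudFront only negotiates TLS for
    names listed as Alternate Domain Names, and the attached certificate must cover
    each of those names.
    """
    aliases = {a.lower().rstrip(".") for a in alternate_domain_names}
    report = {}
    for host in dns_hostnames:
        h = host.lower().rstrip(".")
        problems = []
        if h not in aliases:
            problems.append(
                "not in Alternate Domain Names (browser shows "
                "SSL_ERROR_NO_CYPHER_OVERLAP / ERR_SSL_VERSION_OR_CIPHER_MISMATCH)"
            )
        if not any(hostname_matches_san(h, san) for san in certificate_sans):
            problems.append("not covered by the certificate's SANs")
        report[h] = "ok" if not problems else "; ".join(problems)
    return report


# Constructed configuration mirroring the question's setup, before the fix
BEFORE = dict(
    dns_hostnames=["example.com", "www.example.com", "cdn.example.com"],
    alternate_domain_names=["cdn.example.com"],
    certificate_sans=["*.example.com"],
)

# Constructed configuration mirroring the answer's fix
AFTER = dict(
    dns_hostnames=["example.com", "www.example.com"],
    alternate_domain_names=["example.com", "www.example.com"],
    certificate_sans=["*.example.com", "example.com"],
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for host, status in diagnose(**cfg).items():
            print(f"  {host}: {status}")
```

Running it prints the apex and www names as failing both checks in the `BEFORE` configuration (exactly the symptoms in the question) and every name as `ok` in the `AFTER` configuration. The wildcard rule is the part people most often get wrong: `*.example.com` alone is enough for `www` and `cdn`, but never for the bare `example.com`, which is why the apex had to be added to the ACM certificate separately.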