- I have an elastic beanstalk instance at jthinkws.elasticbeanstalk.com
- I have a jthinkws.com dns setup with Route 53
- I have direct.jthinkws.com pointing to CNAME jthinkws.elasticbeanstalk.com
- I then have Cloudfront distribution with Origin Domain Name set to direct.jthinkws.com and alternate cname set to search.jthinkws.com
- I have search.jthinkws.com record in Route 53 set to A, Alias point to the cloudfront distribution.
- My application then accesses everything via search.jthinkws.com. If it is a new request, Cloudfront makes a request to jthinkws.elasticbeanstalk.com and caches the result; if the request is already cached by Cloudfront there is no need to go to jthinkws.elasticbeanstalk.com.
This has worked very well for many years.
Recently I had to recreate my Cloudfront distribution. So firstly I temporarily pointed search.jthinkws.com at the jthinkws.elasticbeanstalk.com domain, then disabled and deleted the old distribution, and then created a new Cloudfront distribution. But it is no longer working because it will not allow me to add search.jthinkws.com as an alternate cname, because it has no security certificate:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements
So I went to AWS Certificate Manager to get a certificate, but it says that if I use DNS Validation then AWS will create CNAME records that cannot be modified, and I am concerned this will break my configuration. Whois doesn't list any email addresses (although they are visible within the company that I pay for the domain name), so I'm not confident that will work either.
Any help appreciated.
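The worry in the post is that ACM's DNS-validation CNAME will collide with the existing search.jthinkws.com record. The validation record ACM asks for lives at a separate, underscore-prefixed name beneath the domain (for example `_<token>.search.jthinkws.com`), so it does not replace the `A`/Alias record at search.jthinkws.com. The script below is an added example, not code from the original post or from AWS: it takes the shape of an ACM `DescribeCertificate` response (a constructed sample with placeholder token and value, not real ACM data), checks whether any validation name already has records in the hosted zone (a CNAME cannot share a name with any other record type), and builds the Route 53 `ChangeBatch` that would publish the validation CNAMEs. The zone snapshot is constructed inline; in practice it would come from `list_resource_record_sets`, and the certificate for a CloudFront distribution must be requested in us-east-1.

```python
"""Build a Route 53 ChangeBatch for ACM DNS-validation CNAMEs without
touching the existing search.jthinkws.com alias record.

Example code added to illustrate the post; not the poster's code and not
an AWS SDK sample. Runs offline on the constructed inputs below.
"""
import json

# Constructed sample mirroring the fields ACM returns from DescribeCertificate
# for a certificate awaiting DNS validation. Token and target are placeholders.
SAMPLE_CERT = {
    "DomainName": "search.jthinkws.com",
    "DomainValidationOptions": [
        {
            "DomainName": "search.jthinkws.com",
            "ValidationStatus": "PENDING_VALIDATION",
            "ValidationMethod": "DNS",
            "ResourceRecord": {
                "Name": "_PLACEHOLDERTOKEN.search.jthinkws.com.",
                "Type": "CNAME",
                "Value": "_PLACEHOLDERVALUE.acm-validations.aws.",
            },
        }
    ],
}

# Constructed snapshot of the hosted zone as the post describes it.
# Real code would fetch this with route53 list_resource_record_sets.
SAMPLE_ZONE_RECORDS = [
    {"Name": "direct.jthinkws.com.", "Type": "CNAME"},
    {"Name": "search.jthinkws.com.", "Type": "A"},  # Alias to CloudFront
]


def _norm(name):
    """Canonical DNS form: lower-case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def validation_records(cert):
    """(name, type, value) tuples ACM wants published in DNS."""
    out = []
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if rr is None:  # e.g. email validation, nothing to publish
            continue
        out.append((_norm(rr["Name"]), rr["Type"], _norm(rr["Value"])))
    return out


def conflicting_records(cert, zone_records):
    """Existing records whose name equals a validation record name.

    A CNAME cannot coexist with any other record at the same name, so a
    non-empty result means publishing the validation record would either
    be rejected by Route 53 or overwrite a live record."""
    wanted = {name for name, _, _ in validation_records(cert)}
    return [r for r in zone_records if _norm(r["Name"]) in wanted]


def build_change_batch(cert, zone_records, ttl=300):
    """Route 53 ChangeBatch for the validation CNAMEs, or ValueError on clash."""
    conflicts = conflicting_records(cert, zone_records)
    if conflicts:
        raise ValueError(f"validation name already has records: {conflicts}")
    changes = []
    for name, rtype, value in validation_records(cert):
        changes.append({
            "Action": "UPSERT",  # idempotent if the script is re-run
            "ResourceRecordSet": {
                "Name": name,
                "Type": rtype,
                "TTL": ttl,
                "ResourceRecords": [{"Value": value}],
            },
        })
    return {"Comment": "ACM DNS validation records", "Changes": changes}


if __name__ == "__main__":
    batch = build_change_batch(SAMPLE_CERT, SAMPLE_ZONE_RECORDS)
    print(json.dumps(batch, indent=2))
```

The check confirms what the post is worried about cannot happen here: the only names touched are the `_<token>.search.jthinkws.com` validation names, and search.jthinkws.com itself is left alone. The resulting batch is what you would pass to `change_resource_record_sets` for the hosted zone.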