We will use an ACM SSL certificate to enable HTTPS. To create a certificate, refer to the Creating SSL/TLS certificate with ACM recipe in Chapter 9, Serverless Programming Practices and Patterns.
- Obtain the ACM SSL certificate ARN to use with the domain (www.qnatime.net).
- Create or update the CloudFront distribution with a config JSON file similar to the one created in the Using custom domain names with CloudFront recipe, with the ViewerCertificate property defined as follows:

    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:<account_id>:certificate/42b3ba99-66e9-4e71-8c1c-4239c1e81c84",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.1_2016",
        "Certificate": "arn:aws:acm:us-east-1:<account_id>:certificate/42b3ba99-66e9-4e71-8c1c-4239c1e81c84",
        "CertificateSource": "acm"
    },

The complete JSON file is also present in the book's code repository folder for this recipe.
The SSL support method of sni-only indicates that CloudFront serves our content over HTTPS only to clients that support Server Name Indication (SNI).
- If you are creating a new distribution, run route53 change-resource-record-sets to add alias records in the domain's HostedZone (qnatime.net.), pointing to the new CloudFront distribution domain.
- Once the certificate is successfully applied to the CloudFront distribution, try to visit the domain name for our website with https, as follows:
We can no longer see the Not Secure error message. If we click on the lock button and then click on certificate in the popup, we will see the certificate details:
Note that we used a certificate generated for the www subdomain; hence, even a request to the naked domain gets redirected to the one with the www prefix.
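
The following is an added example, not from the book or its code repository: a Python check that audits a ViewerCertificate block like the recipe's before the config is applied to CloudFront. The function name audit_viewer_certificate and the TLSv1.2_2021 floor are assumptions of this example; the sample input reuses the recipe's values.

```python
import re

# CloudFront security policies, ordered from weakest to strongest.
POLICIES = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
            "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]
ACM_ARN = re.compile(r"^arn:aws:acm:([a-z0-9-]+):([^:]+):certificate/[0-9a-f-]{36}$")


def audit_viewer_certificate(vc, floor="TLSv1.2_2021"):
    """Return a list of findings for a ViewerCertificate dict (empty = clean)."""
    findings = []
    arn = vc.get("ACMCertificateArn", "")
    m = ACM_ARN.match(arn)
    if not m:
        findings.append("ACMCertificateArn is missing or malformed")
    elif m.group(1) != "us-east-1":
        # CloudFront only accepts ACM certificates issued in us-east-1.
        findings.append(f"certificate is in {m.group(1)}, not us-east-1")
    if vc.get("CertificateSource") != "acm":
        findings.append("CertificateSource is not 'acm'")
    # The legacy Certificate field, when present, should name the same certificate.
    if "Certificate" in vc and vc["Certificate"] != arn:
        findings.append("Certificate does not match ACMCertificateArn")
    if vc.get("SSLSupportMethod") != "sni-only":
        findings.append("SSLSupportMethod is not 'sni-only' as the recipe specifies")
    policy = vc.get("MinimumProtocolVersion")
    if policy not in POLICIES:
        findings.append(f"unknown MinimumProtocolVersion {policy!r}")
    elif POLICIES.index(policy) < POLICIES.index(floor):
        # Assumed floor: TLS 1.0 and 1.1 are deprecated (RFC 8996).
        findings.append(f"MinimumProtocolVersion {policy} is below {floor}")
    return findings


# Constructed samples: the recipe's block, and the same block with a stricter policy.
_ARN = ("arn:aws:acm:us-east-1:<account_id>:certificate/"
        "42b3ba99-66e9-4e71-8c1c-4239c1e81c84")
RECIPE = {"ACMCertificateArn": _ARN, "SSLSupportMethod": "sni-only",
          "MinimumProtocolVersion": "TLSv1.1_2016", "Certificate": _ARN,
          "CertificateSource": "acm"}
HARDENED = dict(RECIPE, MinimumProtocolVersion="TLSv1.2_2021")

if __name__ == "__main__":
    for name, vc in (("recipe", RECIPE), ("hardened", HARDENED)):
        print(name, audit_viewer_certificate(vc) or "no findings")
```

Raising the policy drops clients that cannot negotiate TLS 1.2, so check the viewer population before changing it on a live distribution.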