Obtaining SSL from AWS - Stuck at Pending validation

I’m trying to set up a small website on Amazon Web Services. I have added the files so that it serves the pages correctly, but this is only on http.
I’m now trying to add https to it, but I cannot seem to pass AWS’s certificate validation.

I have gone through their Certificate Manager and obtained a NAME and VALUE pair for the bare domain and the www. variant. (quickbooksonlineexpert.co.uk and www.quickbooksonlineexpert.co.uk)

The AWS guide suggests that I remove the domain name from the NAME generated (which I’ve done), e.g. it was something like _kljshckjsof87w9.quickbooksonlineexpert.co.uk, so I’ve only added a _kljshckjsof87w9 CNAME record for the NAME. I’ve copied the corresponding VALUE into the same CNAME record.

Their DNS validation for the cert can take up to a couple of days, but I’m sure there is something else wrong, though I’m not sure what to change. I’ve tried a couple of times with them, and waited a couple of days, but no joy. I would try their AWS support, but I’m on the Free Tier, so I’m trying to initially reach out to the Cloudflare community in the hope that someone has also obtained a free SSL from AWS and can point me in the right direction.

I’d also tried once with removing the underscore from the start of the VALUE as their guide suggested this may be required in some circumstances, but this made no further difference.

Many thanks - any info to help will be appreciated.

It might be easier if you simply created an Origin certificate on Cloudflare’s side and installed that on Amazon instead.

Otherwise you’d need to make sure the record Amazon required you to set up is actually in place. Right now there is no record for “_kljshckjsof87w9”.


Thanks Sandro - I didn’t mean that “_kljshckjsof87w9” was the exact spelling for the CNAME name, I was just trying to show that I’d taken the bare domain name away from what Amazon gave me. (I wasn’t sure it was a good idea to put the exact CNAME name that Amazon gave - sorry if I’ve confused matters.)

If I perform a nslookup -cname for the name from AWS, I get the following:

primary name server = carmelo.ns.cloudflare.com
responsible mail addr = dns.cloudflare.com
serial = 2036334491
refresh = 10000 (2 hours 46 mins 40 secs)
retry = 2400 (40 mins)
expire = 604800 (7 days)
default TTL = 3600 (1 hour)

If this doesn’t help, then your kind suggestion to use a Cloudflare SSL is much appreciated.
Many thanks for your help

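An SOA-only answer like the nslookup output above is what a resolver returns for a name that does not exist, which is what “there is no record” means in practice. The script below is an added example (not from this thread or from AWS/Cloudflare) that turns an ACM NAME/VALUE pair into the exact Cloudflare record to create and checks what public DNS returns for it. The NAME, VALUE and zone values are constructed samples in the same shape as the redacted ones in the thread; the live check assumes `dig` is installed.

```bash
#!/bin/sh
# Added example: derive the Cloudflare DNS record an ACM DNS-validation
# NAME/VALUE pair requires, and check what public DNS actually serves for it.

# ACM shows the record with the zone attached and a trailing dot, e.g.
#   NAME  _kljshckjsof87w9.quickbooksonlineexpert.co.uk.
#   VALUE _0123456789abcdef.acm-validations.aws.
# Cloudflare's DNS editor appends the zone itself, so the record Name is the
# leading label only. The VALUE keeps its underscore; only the trailing dot
# is dropped. (Values above are constructed samples, not real ACM output.)

# Usage: acm_record_name NAME ZONE -> the Name to type into Cloudflare
acm_record_name() {
    acm_name=${1%.}            # drop ACM's trailing dot
    acm_zone=${2%.}
    case "$acm_name" in
        *".$acm_zone") printf '%s\n' "${acm_name%".$acm_zone"}" ;;
        "$acm_zone")   printf '@\n' ;;   # apex; not used by ACM, kept for completeness
        *) printf 'error: %s is not inside zone %s\n' "$acm_name" "$acm_zone" >&2; return 1 ;;
    esac
}

# Usage: acm_record_target VALUE -> the Target to type into Cloudflare
acm_record_target() {
    printf '%s\n' "${1%.}"
}

# Usage: validation_status OBSERVED EXPECTED -> ok | missing | mismatch
# OBSERVED is what `dig +short CNAME` printed: empty when the name does not
# exist (the SOA-only nslookup answer seen in the thread means exactly that).
validation_status() {
    observed=${1%.}
    expected=${2%.}
    if [ -z "$observed" ]; then
        echo missing
    elif [ "$observed" = "$expected" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Live check against Cloudflare's public resolver. ACM must see the CNAME
# itself, so the record has to be DNS-only (grey cloud): a proxied record
# would answer with Cloudflare edge A/AAAA addresses instead of the CNAME.
# Usage: check_acm_validation NAME VALUE
check_acm_validation() {
    seen=$(dig +short CNAME "${1%.}" @1.1.1.1 | head -n 1)
    state=$(validation_status "$seen" "$2")
    printf '%s -> %s (%s)\n' "$1" "${seen:-<no answer>}" "$state"
    [ "$state" = ok ]
}

# Constructed sample values (same shape as the thread's redacted ones)
SAMPLE_NAME='_kljshckjsof87w9.quickbooksonlineexpert.co.uk.'
SAMPLE_VALUE='_0123456789abcdef.acm-validations.aws.'
SAMPLE_ZONE='quickbooksonlineexpert.co.uk'

printf 'Create in Cloudflare: CNAME  Name=%s  Target=%s  Proxy=DNS only\n' \
    "$(acm_record_name "$SAMPLE_NAME" "$SAMPLE_ZONE")" \
    "$(acm_record_target "$SAMPLE_VALUE")"
# Then, once saved: check_acm_validation "$SAMPLE_NAME" "$SAMPLE_VALUE"
```

Run `check_acm_validation` with the real NAME and VALUE from the ACM console; a `missing` result means the record is not published under that name (wrong Name field or wrong zone), and `mismatch` means the Target differs from what ACM expects, for example because the underscore was removed from the VALUE.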

You need to provide the exact instructions you received from them. Post screenshots.

The search has everything on that. Search for Origin certificate. Those you can download from Cloudflare and install on your server.

I have now imported an SSL cert for *.quickbooksonlineexpert.co.uk and quickbooksonlineexpert.co.uk on the AWS Certificate Manager, but it now seems that I also need to deploy AWS CloudFront in order to get the https in place.
I was hoping to not add further complications, but this seems like I’ll need to research more - I was just after free hosting and SSL for a small static website, but it looks like AWS CloudFront is free for 12 months, so I may just need to look for another cheap hosted service anyway.

I believe I have read something along these lines as well.

What it comes down to is that your site needs to load fine on HTTPS before you even add it to Cloudflare.

Thanks, but can you clarify that last bit please - as I’ve now got an SSL from Cloudflare, how can I check it works on HTTPS before I add it to Cloudflare?
I do appreciate your help - as you can probably tell, this isn’t my main job, I’m just trying to host a free SSL hosted website and it feels like I’m nearly there, but can’t get over the line!

I would pause Cloudflare for now so that everything resolves straight to your server and then you can check if SSL works. Pausing is done on the main Overview screen at the bottom right.

In the meantime, I’ve found a good article online (not sure if the forum rules prefer me to post the URL?) so I’ve now been able to make the necessary changes to get the website serving pages over HTTPS.

Thanks for your help with this

Great, as long as your server has a valid certificate you should be good.

thanks - does the cert look ok to you at https://www.quickbooksonlineexpert.co.uk ?

In order to tell that you’d need to share your Amazon IP address.

for www.quick…

and for quickbooks…

I am afraid, unless you blocked port 443, neither server is configured for SSL. They are not even listening on 443. You’ll most likely have an insecure Cloudflare setup.

What’s your encryption mode?

The article said to use “Flexible”.

Should I send the article URL so you may see the steps taken?

That’s an issue and means your site is still insecure. That needs to be “Full strict”.
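Why “Flexible” shows a padlock while the origin is insecure: the browser-to-Cloudflare hop is TLS with Cloudflare’s edge certificate, but Cloudflare fetches from the origin over plain HTTP, so the origin never has to listen on 443. “Full (strict)” makes Cloudflare connect to the origin over TLS and validate the certificate (a public CA certificate or a Cloudflare Origin CA certificate). The script below is an added example, not from this thread or from Cloudflare, that checks the origin directly by IP, the same thing pausing Cloudflare lets you do from a browser, and maps the result onto the three encryption modes. It assumes `openssl` is installed; `ORIGIN_IP`, the hostname and the sample `s_client` outputs are constructed placeholders.

```bash
#!/bin/sh
# Added example: classify what `openssl s_client` reports for an origin and
# decide whether each Cloudflare encryption mode would be secure with it.

# Usage: classify_tls_output < s_client-output -> not-listening | handshake-failed | cert-invalid | ok
# Order matters: a handshake that never completes (e.g. plain HTTP on 443)
# still prints "Verify return code: 0 (ok)" because nothing was verified,
# so "no peer certificate available" must be checked before the verify code.
classify_tls_output() {
    tls_out=$(cat)
    case "$tls_out" in
        *"connect:errno="*|*"onnection refused"*) echo not-listening ;;
        *"no peer certificate available"*)       echo handshake-failed ;;
        *"Verify return code: 0 (ok)"*)          echo ok ;;
        *"Verify return code:"*)                 echo cert-invalid ;;
        *)                                       echo handshake-failed ;;
    esac
}

# Usage: mode_outcome MODE TLS_STATUS -> secure | plaintext-to-origin | broken
#   flexible    : origin HTTPS is never used; the Cloudflare-to-origin hop is HTTP
#   full        : TLS to origin, certificate not validated (self-signed passes)
#   full-strict : TLS to origin with a valid certificate (public CA or Origin CA)
mode_outcome() {
    case "$1" in
        flexible) echo plaintext-to-origin ;;
        full)
            case "$2" in ok|cert-invalid) echo secure ;; *) echo broken ;; esac ;;
        full-strict)
            case "$2" in ok) echo secure ;; *) echo broken ;; esac ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Live check, bypassing Cloudflare by dialling the origin IP with the site's
# hostname as SNI. Pass the Cloudflare Origin CA root as CA_FILE when the
# origin uses an Origin CA certificate: browsers and a bare openssl do not
# trust it, but Cloudflare's "Full (strict)" does.
# Usage: check_origin_https ORIGIN_IP HOSTNAME [CA_FILE]
check_origin_https() {
    if [ -n "${3:-}" ]; then
        s_out=$(openssl s_client -connect "$1:443" -servername "$2" -CAfile "$3" </dev/null 2>&1)
    else
        s_out=$(openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>&1)
    fi
    tls_state=$(printf '%s\n' "$s_out" | classify_tls_output)
    printf '%s (%s): tls=%s  flexible=%s  full=%s  full-strict=%s\n' "$2" "$1" "$tls_state" \
        "$(mode_outcome flexible "$tls_state")" \
        "$(mode_outcome full "$tls_state")" \
        "$(mode_outcome full-strict "$tls_state")"
    [ "$tls_state" = ok ]
}

# Constructed sample s_client outputs (abbreviated), one per situation
SAMPLE_REFUSED='connect:errno=111'
SAMPLE_PLAIN_HTTP='CONNECTED(00000003)
error:0A00010B:SSL routines::wrong version number
no peer certificate available
Verify return code: 0 (ok)'
SAMPLE_SELF_SIGNED='Verify return code: 18 (self-signed certificate)'
SAMPLE_OK='Verify return code: 0 (ok)'

for sample in "$SAMPLE_REFUSED" "$SAMPLE_PLAIN_HTTP" "$SAMPLE_SELF_SIGNED" "$SAMPLE_OK"; do
    st=$(printf '%s\n' "$sample" | classify_tls_output)
    printf 'tls=%-16s full-strict=%s\n' "$st" "$(mode_outcome full-strict "$st")"
done
# Real run (placeholders): check_origin_https ORIGIN_IP www.example.test
```

Only a `tls=ok` origin is safe to put behind “Full (strict)”; `not-listening` is the state Sandro describes (nothing on 443), and fixing that on the origin comes before changing the Cloudflare mode. To confirm the whole page loads rather than just the handshake, `curl --resolve 'HOSTNAME:443:ORIGIN_IP' https://HOSTNAME/` reaches the origin the same way (add `--cacert` for an Origin CA certificate).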

This really is the best advice for now

The site is paused, but I’m not sure what I now need to check?

I’m further confused, as before I paused it, the site gave the padlock and said that the cert is valid?

As I mentioned earlier, you need to make sure your Amazon server has a valid certificate and functions on HTTPS. Keep it paused until that is fixed and unpause it only once it loads fine on HTTPS.

The whole site does not load, not just an invalid certificate.