Hi, I want to enable SSL mode Full (strict) where the origin is a service in AWS. Based on the docs, there are three things the origin certificate must support:
- Unexpired, meaning the certificate notBeforeDate < now() < notAfterDate.
  (The default AWS certificate renews itself.)
- Issued by a publicly trusted certificate authority or Cloudflare's Origin CA.
  (AWS is listed as a trusted certificate authority.)
- Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.
I am not sure about this last requirement. The following diagram presents the request path from the user to the target service:
The docs say that the origin certificate (in this case the one on the AWS Load Balancer) should match the requested or target hostname. What are the requested and target hostnames?
My understanding is as follows:
- requested hostname - the one in the Host header - this will not match, as my-site.com does not match *.aws.com
- target hostname - the one from the CNAME proxy target, which in this case is my-site.aws.com and should match *.aws.com
Which overall means that the cert on the AWS Load Balancer should be considered valid. Please let me know if what I wrote is correct or if this will work a bit differently.
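As an added illustration (not part of the original post), the check below shows how a hostname is matched against a certificate's CN/SAN identifiers under the usual RFC 6125 wildcard rules, using the two candidate names from the post; the certificate names and hostnames are constructed, and which of the two hostnames the proxy actually validates against is the question the post asks, not something this code decides.

```python
# Added example: hostname matching against certificate identifiers (CN/SAN)
# with RFC 6125-style wildcard rules. Inputs are constructed for the post.

def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate identifier (possibly a wildcard) against a host."""
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    # A wildcard only ever stands for exactly one label, so '*.aws.com'
    # covers 'my-site.aws.com' but not 'a.b.aws.com' or 'aws.com' itself.
    if len(plabels) != len(hlabels):
        return False
    # Only a whole left-most label may be a wildcard (no 'my-*.aws.com',
    # no '*.*.com'), and '*.com' style patterns are rejected.
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False
    if len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert_names, hostname: str) -> bool:
    """True if hostname matches any CN/SAN entry (case-insensitive, no trailing dot)."""
    host = hostname.lower().rstrip(".")
    return any(_name_matches(n.lower().rstrip("."), host) for n in cert_names)


def check_candidates(cert_names, candidates: dict) -> dict:
    """Evaluate each labelled candidate hostname against the certificate names."""
    return {label: hostname_matches(cert_names, h) for label, h in candidates.items()}


# Constructed: names on the origin (load balancer) certificate from the post.
CERT_SANS = ["*.aws.com", "aws.com"]
# Constructed: the two hostnames the post distinguishes.
CANDIDATES = {
    "requested (Host header)": "my-site.com",
    "target (CNAME)": "my-site.aws.com",
}

if __name__ == "__main__":
    for label, ok in check_candidates(CERT_SANS, CANDIDATES).items():
        print(f"{label}: {'matches' if ok else 'does NOT match'} {CERT_SANS}")
```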