Solving Problems with DNS Domain Ownership Verification when Hosting a Static Website using AWS CloudFront

While searching for an efficient way to host a blog, I stumbled across this tutorial to host a static website using AWS: medium article. The website is stored in an S3 bucket, and then CloudFront is used for delivery and TLS encryption. While following the article, I had some issues with the domain ownership validation required for the certificate creation. Here, I lay out the steps I undertook to get a working setup.

Domain Registration / Hosted Zone Creation

  • I registered a (.de) domain using Amazon's Route 53. In the end, the domain ended up being registered by Gandi.net
  • After creating the Hosted Zone, I wanted to generate the TLS certificate in the Certificate Manager (in region US East (N. Virginia))
  • However, the DNS verification method to prove domain ownership wouldn’t work for me. It would just state “pending verification” for more than two days (which felt incorrect)
The final, correct settings in the registered domain section

Solution

  • As it turned out, I had to update the nameservers of the domain in Route 53 (Registered Domains > domain.xyz > Actions > Edit Nameservers) to the values of the nameservers that are visible in the hosted zone
  • All nameservers there must be changed from “a.gandidns.net”, “b.gandidns.net”, … to the nameservers visible in the hosted zone (in my case, 4 AWS DNS names)
  • After creating the DNS records in the Certificate Manager (> Certificates > Create records in Route 53) and waiting some time, the certificate was issued
  • Finally, I had to add an “Alternate domain name (CNAME)” in the CloudFront distribution's settings to be able to create A and AAAA records in Route 53
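The checks below are an added example, not part of the original post. They verify the two conditions the solution above depends on: that the nameservers the registrar publishes for the domain are the same set as the hosted zone's delegation set, and that every ACM validation CNAME actually resolves to the value ACM expects. They assume `dig` and AWS CLI v2 are installed and credentialed; the domain, hosted zone id and certificate ARN in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Checks that the registrar-side
# delegation points at the Route 53 hosted zone (the root cause of the
# "pending validation" state described above) and that the ACM validation
# CNAMEs are publicly resolvable.
# Assumptions: dig and AWS CLI v2 are installed and credentialed; the domain,
# hosted zone id and certificate ARN used in the usage comment are placeholders.

# Normalise a whitespace-separated list of hostnames read from stdin:
# lowercase, drop trailing dots and blank entries, sort and dedupe (one per line).
normalize_ns() {
  tr 'A-Z' 'a-z' | tr ' \t' '\n\n' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# delegation_matches "<list a>" "<list b>": exit 0 when both describe the
# same set of name servers, regardless of case, order or trailing dots.
delegation_matches() {
  local a b
  a=$(printf '%s\n' "$1" | normalize_ns)
  b=$(printf '%s\n' "$2" | normalize_ns)
  [ "$a" = "$b" ]
}

# Live check: compare the hosted zone's delegation set with what the public
# DNS tree returns for the domain, i.e. what the registrar has published.
check_delegation() {
  local domain="$1" zone_id="$2" zone_ns public_ns
  zone_ns=$(aws route53 get-hosted-zone --id "$zone_id" \
              --query 'DelegationSet.NameServers' --output text)
  public_ns=$(dig +short NS "$domain")
  if delegation_matches "$zone_ns" "$public_ns"; then
    echo "OK: $domain is delegated to the Route 53 hosted zone $zone_id"
  else
    echo "MISMATCH: public NS for $domain differ from hosted zone $zone_id" >&2
    echo "  public:      $(printf '%s\n' "$public_ns" | normalize_ns | tr '\n' ' ')" >&2
    echo "  hosted zone: $(printf '%s\n' "$zone_ns" | normalize_ns | tr '\n' ' ')" >&2
    return 1
  fi
}

# Live check: every ACM validation CNAME must resolve to the value ACM expects,
# otherwise the certificate stays in PENDING_VALIDATION. ACM certificates for
# CloudFront live in us-east-1, as noted above.
check_validation_records() {
  local cert_arn="$1" rc=0 name value seen expected records
  records=$(aws acm describe-certificate --region us-east-1 \
              --certificate-arn "$cert_arn" \
              --query 'Certificate.DomainValidationOptions[].ResourceRecord.[Name,Value]' \
              --output text)
  # here-document instead of a pipe so that rc survives (no subshell)
  while read -r name value; do
    [ -n "$name" ] || continue
    seen=$(dig +short CNAME "$name" | normalize_ns)
    expected=$(printf '%s\n' "$value" | normalize_ns)
    if [ "$seen" = "$expected" ]; then
      echo "OK: $name -> $expected"
    else
      echo "MISSING/WRONG: $name resolves to '${seen:-<nothing>}', expected $expected" >&2
      rc=1
    fi
  done <<EOF
$records
EOF
  return "$rc"
}

# Usage (replace the placeholders with your own values):
#   check_delegation example.de Z0123456789EXAMPLE
#   check_validation_records arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER
```

Run `check_delegation` first: as long as the public NS set still shows the registrar's default servers (the `gandidns.net` names in the post), the validation CNAME created in the hosted zone is invisible to ACM and `check_validation_records` will report it as missing no matter how long you wait.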