CDN and Domain Sharding breaks images
Hello, guys,
Maybe you finally can help me.
I created a distribution at Amazon CloudFront and created 2 CNAMEs:
cd1.usrussiacc.org
cd2.usrussiacc.org
1. If I put only this link d1hvnfrkakoqfp.cloudfront.net to the distribution in the plugin Comet Cache at CDN Hostname (Required) => website looks good, but I get a notice in Pingdom about parallelizing the downloads.
2. If I put
usrussiacc.org = cd1.usrussiacc.org,cd2.usrussiacc.org in this section
Multiple CDN Hostnames for Domain Sharding and Multisite Networks (Optional), then I see that some of the downloads are parallelized, but images are broken. When I check the console it has ERR_CERT_COMMON_NAME
Can’t really find where the problem is: with the CDN or with the plugin configuration.
Website has SSL, maybe this is the reason
In case it may be useful to anybody, I think that I linked the CDN URL resource to the CNAMEs, or the CNAMEs to the website, too early. It means that while it’s in process and making changes through all links, including images, I should wait more. I made this conclusion because I created a new distribution and waited until it changed state from In Progress to Deployed. After that I created new CNAMEs again and pointed them to this distribution. So some of the images were shown. Anyway, to see the effect of parallelizing content downloads across hostnames, I need to wait about 24 hrs. I deleted all distributions and did that again and am now going to wait for a day, letting it all be converted in a proper way, as it’s hard to clean the cache of the CDN.
This reply was modified 6 years, 9 months ago by Bereshka.
I found the solution. If your website has an SSL certificate, then you need either to import your SSL certificate to Amazon CloudFront and then link it to your distribution, or, if you have a free SSL certificate (my hosting didn’t want to provide me the body of it, so I couldn’t import it), then just request a certificate at the admin panel of CloudFront, SSL Certificates; it will then ask you to verify it through DNS by creating an additional CNAME. That’s it. Images are no longer broken.
@bereshka Thank you very much for sharing your solution here. I’m glad to hear you solved the problem.
@bereshka My site is broken because Comet Cache doesn’t download cloudfront images.
I have tried to follow your suggestion but I’m not sure whether I have done it right.
I have used
CloudFront Distributions -> My Distribution / Edit -> General ->
Button: “Request or Import a Certificate with ACM” button
Next.. next.. next… until it gave me a CNAME entry. I added it to my DNS and Amazon validated it.
Was it?
It still fails.
Have I done it right? If so… do you have any suggestion?
Thank you very much for your post.
Regards
Carlos
If I deactivate “CDN Supports HTTPS Connections?” in the Comet Cache config, it works fine… so… yes… it appears to be an HTTPS misconfiguration between my site and Amazon.
Hello, Carlos,
Let me hang here my conversation with Amazon TechSupport, I think it might be useful
Hello,
Thank you for contacting AWS Support. My name is Ritish and I’ll be assisting you today.
I understand that you are seeing an ‘err_cert_common_name’ error while accessing your images using the CNAME added to your CloudFront distribution. Please correct me if I am wrong.
I checked using my internal tools and was unable to find the CloudFront distribution with the domain name ‘d1hvnfrkakoqfp.cloudfront.net’. It seems like you have deleted the previous CloudFront distribution and created a new one with the domain name ‘d3gejou8t706cm.cloudfront.net’. I can see that you have added 3 CNAMEs on this distribution which are: c3.usrussiacc.org, c2.usrussiacc.org, c1.usrussiacc.org. Please confirm if this is the desired distribution.
I tried to access the image using the URL: ‘https://c1.usrussiacc.org/wp-content/uploads/2018/01/1347.jpg’ and was also getting the same error ‘ERR_CERT_COMMON_NAME_INVALID’.
The reason you are getting this error is that you are currently using default SSL Certificate on your CloudFront distribution which only allows ‘*.cloudfront.net’ domains to make a request to your distribution. This is the reason I was able to get the image using the CloudFront domain URL: ‘https://d3gejou8t706cm.cloudfront.net/wp-content/uploads/2018/01/1347.jpg’.
In order to resolve this issue, I request you to add custom SSL certificate to your CloudFront distribution and include all the domains in this certificate using which you will access your CloudFront distribution such as (c3.usrussiacc.org, c2.usrussiacc.org, c1.usrussiacc.org). You can also use a wildcard in your domain name at sub-level eg. *.usrussiacc.org in your certificate domains.
You can use AWS Certificate Manager service to create custom SSL certificate for your domain. Public SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application.
Please follow the steps below to create a certificate and update your distribution to use this custom SSL certificate:
1. Request a Public Certificate: I request you to please refer this [1] document which contains detailed steps to request a public certificate using the console. However, please ensure that you are requesting the certificate in the N. Virginia (us-east-1) region using the AWS Console URL (https://console.aws.amazon.com/acm/home?region=us-east-1#/)
2. Once your certificate is validated and the status is changed to ‘Issued’, you can add that certificate to your distribution.
3. Select your CloudFront distribution.
4. On the ‘General’ tab, click on ‘Edit’.
5. Under SSL certificate option, select ‘Custom SSL Certificate (example.com):’
6. From the drop-down list select the certificate created in Step 1.
7. Click on ‘Yes, Edit’.
Once you successfully made the above changes and your configuration is deployed across all the CloudFront edge location and the ‘Distribution Status’ is changed to ‘Deployed’, you can access your images using the URL: ‘https://c1.usrussiacc.org/wp-content/uploads/2018/01/1347.jpg’.
However, if you still face the same issue, I request you to please share the HAR File. Please note that the HAR capture must be started before making any request. Please refer the following document for more details on generating HAR file: https://toolbox.googleapps.com/apps/har_analyzer/
================
References:
[1] Request a Public Certificate: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html#request-public-console
I hope the above information was helpful to you. Please feel free to get back to us if you face any issue with the information provided above or for any further queries. I would be more than happy to assist you.
Best regards,
Ritish G.
Amazon Web Services
Hello, Ritish,
Your answer is very helpful. I did everything you recommended; as I use a free certificate and my hosting provider refused to provide the certificate body, I just requested another certificate here, verified it through DNS and everything is working. tools.pingdom.com still recommends me to parallelize downloads across hostnames; some were, but some not. But I guess I should either wait more time or investigate why it doesn’t parallelize all
Hello,
Thanks for your update.
I understand that you are now able to access your images via HTTPS and not getting the error. However, ‘tools.pingdom.com’ still recommends you to parallelize downloads across hostnames.
The Parallelize Downloads Across Hostnames warning is an optimization recommendation previously suggested by many popular speed test tools such as Pingdom, GTmetrix, PageSpeed Insights, and more. This warning is becoming less and less important as more website owners move to HTTP/2. HTTP/2 allows multiple resources to be loaded in parallel using only one connection. However, for those still using HTTP1.1 and loading multiple resources, it can be beneficial to implement what’s called domain sharding [1].
The reason you are seeing this warning is that web browsers are limited in the number of concurrent connections they can make to a host. This is mainly due to HTTP/1.1, in which browsers open on average 6 connections per hostname. This warning is typically seen on websites with a large number of requests. In the past, the only way to get around this limitation was to implement domain sharding.
However, if you are running your website over HTTPS with a provider that supports HTTP/2, this warning can usually be safely ignored now. With HTTP/2 multiple resources can now be loaded in parallel over a single connection. Over 77% of browsers now support HTTP/2 when running over HTTPS, as well as many CDNs including CloudFront [2]. As per this [3] document, it is important to note that Pingdom doesn’t support HTTP/2 yet since it uses an older version of Chrome.
Please refer these [3][4][5] documents for more details.
As you are serving your website over HTTPS, you can safely ignore this warning as CloudFront and modern browsers support HTTP/2.
================
References:
[1] Domain Sharding: https://blog.stackpath.com/glossary/domain-sharding/
[2] Amazon CloudFront now supports HTTP/2: https://aws.amazon.com/about-aws/whats-new/2016/09/amazon-cloudfront-now-supports-http2/
[3] How to Fix “Parallelize Downloads Across Hostnames” Warning: https://kinsta.com/knowledgebase/parallelize-downloads-across-hostnames/
[4] Parallelize downloads across hostnames: https://gtmetrix.com/parallelize-downloads-across-hostnames.html
[5] How To Parallelize Downloads Across Hostnames: https://www.keycdn.com/support/parallelize-downloads-across-hostnames/
I hope the above information was helpful to you. Please do not hesitate
Best regards,
Ritish G.
Amazon Web Services
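The name mismatch explained in the AWS reply above, as an added example that is not part of the original thread: a small checker that applies the browser's hostname-matching rule to a certificate's DNS names. The SAN lists are constructed from the hostnames quoted in the thread, and the function names are hypothetical.

```python
import socket
import ssl

def san_matches(pattern, hostname):
    """RFC 6125-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(cert_sans, hostnames):
    """Hostnames a browser would reject for this certificate."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in cert_sans)]

def fetch_sans(host, port=443, timeout=5.0):
    """Read the DNS SANs a live endpoint presents. The chain is still
    validated; only the hostname check is left to uncovered_hosts()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed SAN lists modelled on the thread (not captured certificates).
DEFAULT_CERT = ["*.cloudfront.net"]
WILDCARD_CERT = ["*.usrussiacc.org"]
DISTRIBUTION = "d3gejou8t706cm.cloudfront.net"
SHARDS = ["c1.usrussiacc.org", "c2.usrussiacc.org", "c3.usrussiacc.org"]

if __name__ == "__main__":
    print("default cert rejects:",
          uncovered_hosts(DEFAULT_CERT, SHARDS + [DISTRIBUTION]))
    print("wildcard cert rejects:",
          uncovered_hosts(WILDCARD_CERT, SHARDS + ["usrussiacc.org"]))
```

Against a live endpoint, `uncovered_hosts(fetch_sans(name), [name])` returns an empty list once the distribution serves a certificate that covers the name. A `*.usrussiacc.org` certificate covers each shard but not the bare `usrussiacc.org` or a deeper name such as `img.c1.usrussiacc.org`.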