Adding newsum.io Domain to CloudFront: AWS Multi-Domain Setup

Recently I registered newsum.io as an additional domain for my website while dealing with some AWS support issues on my original newsum.me domain. Here's how I added it to my existing CloudFront distribution with an SSL certificate.

The Situation

My website was already running on dev.newsum.me with a fully functional CloudFront distribution, but newsum.me and www.newsum.me were blocked by a phantom CloudFront CNAME conflict that required AWS support intervention. Rather than wait, I decided to register newsum.io as my new production domain.

What You'll Need

  • AWS CLI installed and configured
  • An existing CloudFront distribution
  • A registered domain (I used newsum.io)
  • Route 53 for DNS management
  • About 30-45 minutes for DNS propagation

Step 1: Request ACM Certificate

First, I needed to request a new SSL certificate that covers both the new newsum.io domains and my existing domains:

aws acm request-certificate \
    --domain-name "newsum.io" \
    --subject-alternative-names "*.newsum.io" "www.newsum.io" "newsum.me" "*.newsum.me" \
    --validation-method DNS \
    --region us-east-1

Note: ACM certificates for CloudFront must be requested in the us-east-1 region.

Step 2: DNS Validation Setup

Since I registered newsum.io through Route 53, it automatically created a hosted zone. I had to add the certificate validation CNAME records to the correct hosted zone:

# Check which hosted zones exist
aws route53 list-hosted-zones-by-name --dns-name newsum.io

# Add validation records to the active zone
aws route53 change-resource-record-sets \
    --hosted-zone-id Z03563971WQ80XWYO84FM \
    --change-batch file:///tmp/validation-records.json
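
The contents of validation-records.json are not shown above. As an added example (not from the original post), this Python script builds one UPSERT change batch per hosted zone from saved `aws acm describe-certificate` output, de-duplicating the CNAME that an apex name and its wildcard share. The sample record names and values are constructed placeholders; the function names, the 300-second TTL and the list of zone names are assumptions.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate` output.
# Record names and values are placeholders, not real ACM tokens.
def _opt(domain, name=None, value=None):
    opt = {"DomainName": domain, "ValidationStatus": "PENDING_VALIDATION"}
    if name:
        opt["ResourceRecord"] = {"Name": name, "Type": "CNAME", "Value": value}
    return opt

SAMPLE = {"Certificate": {"DomainValidationOptions": [
    _opt("newsum.io", "_aaa.newsum.io.", "_111.acm-validations.aws."),
    _opt("*.newsum.io", "_aaa.newsum.io.", "_111.acm-validations.aws."),
    _opt("www.newsum.io", "_bbb.www.newsum.io.", "_222.acm-validations.aws."),
    _opt("newsum.me", "_ccc.newsum.me.", "_333.acm-validations.aws."),
    _opt("*.newsum.me"),  # constructed case: record not populated yet
]}}

def zone_for(record_name, zones):
    """Return the longest zone name that is a suffix of the record, or None."""
    name = record_name.rstrip(".").lower()
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None

def build_batches(cert, zones):
    """Return ({zone: change_batch}, [domains with no record or no zone])."""
    batches, skipped, seen = {}, [], set()
    for opt in cert["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        zone = zone_for(rr["Name"], zones) if rr else None
        if zone is None:
            skipped.append(opt["DomainName"])
            continue
        key = (rr["Name"].lower(), rr["Type"], rr["Value"])
        if key in seen:  # apex and wildcard share one validation CNAME
            continue
        seen.add(key)
        batch = batches.setdefault(zone, {"Comment": "ACM DNS validation", "Changes": []})
        batch["Changes"].append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": 300,  # TTL is an assumption
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return batches, skipped

if __name__ == "__main__":
    batches, skipped = build_batches(SAMPLE, ["newsum.io", "newsum.me"])
    for zone, batch in batches.items():
        print(f"# zone {zone}\n{json.dumps(batch, indent=2)}")
    print("not ready or no matching zone:", skipped)
```

Each batch still has to be applied with the ID of the hosted zone that is actually authoritative for that name, which is the one whose NS records match the name servers registered for the domain.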

Step 3: DNS Records for Website

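While waiting for certificate validation, I set up the A records pointing to CloudFront. Note that the HostedZoneId inside AliasTarget, Z2FDTNDATAQYW2, is the fixed zone ID Route 53 uses for every CloudFront alias target, not the ID of my own hosted zone: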

{
    "Changes": [
        {
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": "newsum.io",
                "Type": "A",
                "AliasTarget": {
                    "DNSName": "d9cu7qi6e8d75.cloudfront.net",
                    "EvaluateTargetHealth": false,
                    "HostedZoneId": "Z2FDTNDATAQYW2"
                }
            }
        }
    ]
}

Step 4: Certificate Validation Wait

DNS validation took about 20 minutes. I monitored it with:

aws acm describe-certificate \
    --certificate-arn arn:aws:acm:us-east-1:965975688918:certificate/eb46a4ff... \
    --region us-east-1 \
    --query 'Certificate.Status'

Step 5: Update CloudFront Distribution

Once the certificate was validated, I updated my CloudFront distribution to include the new domains:

# Get current config and ETag
aws cloudfront get-distribution-config --id E1PWAEV26FJH37 > /tmp/cf-current.json
ETAG=$(jq -r '.ETag' /tmp/cf-current.json)

# Update with new domains and certificate
jq '.DistributionConfig | 
    .Aliases.Quantity = 3 | 
    .Aliases.Items = ["dev.newsum.me", "newsum.io", "www.newsum.io"] |
    .ViewerCertificate.ACMCertificateArn = "arn:aws:acm:us-east-1:965975688918:certificate/eb46a4ff..."' \
    /tmp/cf-current.json > /tmp/cf-updated.json

# Apply the update
aws cloudfront update-distribution \
    --id E1PWAEV26FJH37 \
    --distribution-config file:///tmp/cf-updated.json \
    --if-match "$ETAG"

Step 6: Cache Invalidation

Finally, I invalidated the CloudFront cache to ensure fresh content:

aws cloudfront create-invalidation \
    --distribution-id E1PWAEV26FJH37 \
    --paths "/*"

Testing the Setup

After about 15 minutes for CloudFront deployment, both domains were working:

curl -I https://newsum.io
curl -I https://www.newsum.io

Both returned HTTP/2 200 responses with proper SSL certificates!

Key Takeaways

  • Multiple hosted zones: When registering through Route 53, it creates its own hosted zone - make sure you're using the right one.
  • Certificate timing: DNS validation can take 5-30 minutes, so be patient.
  • ETag handling: CloudFront updates require the current ETag for concurrency control.
  • Regional requirements: ACM certificates for CloudFront must be in us-east-1.
  • GitHub Actions compatibility: No changes needed to existing CI/CD since it uses the same S3 bucket and distribution.

Final Result

Now I have three working domains:

  • https://newsum.io - Primary production domain
  • https://www.newsum.io - Production www subdomain
  • https://dev.newsum.me - Development domain

This gives me a fully functional production domain while AWS support resolves the original newsum.me conflict. I might not even bother fixing it and dump the .me domain as .io is cooler! We will see.