I have a webservice which provides simple site constructor functionality with a payment page.

A user can select a purchased domain, e.g. user.com, select some template and point this domain with a CNAME to my webservice, e.g. site.constructor.com.

There are a lot of such user sites, and they all point to site.constructor.com.

The webservice site is covered by a wildcard certificate *.constructor.com, hosted on AWS, and the SSL certificate is applied to the Load Balancer HTTPS handler.

Now when anyone navigates to https://user.com he gets the appropriate content from site.constructor.com, but before that he receives a warning window that user.com doesn't have a correct certificate (because the host certificate is used).

Now I need to make https://user.com secure, but can't understand how to do that.

I don't have any load balancer configuration or webservice configuration for this domain; the only entry point is the CNAME and a DB record with the user's domain name. So I can't even simply purchase a new certificate for the user domain and apply it.

What is the best way to secure a CNAME domain?

UPD.1. User's domain access flow

1. Navigate to _https://user.com_
    there is only a domain control panel with a CNAME which points to _site.constructor.com_
2. call to the AWS load balancer of _site.constructor.com_ with SSL applied (the SSL is NOT for _user.com_)
3. access to the EC2, etc...

Where should the user.com certificate be applied? Is it possible to use a self-generated certificate for user.com in this case?


There being a CNAME record rather than a direct address record (A/AAAA) is not a factor. The certificate verification is based on the hostname in the location URL.

For navigating to https://example.com/ to work, you would need a certificate that is valid for example.com. I.e., a certificate that either has example.com as the Subject CN (Common Name) or that has example.com in its SAN (Subject Alternative Name) list.
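As an added example (not part of either answer), the hostname check described above, run in Go against a self-signed stand-in for the *.constructor.com wildcard certificate; the hostnames are the question's placeholders and the certificate is constructed here, not taken from any real deployment:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// buildWildcardCert issues a self-signed certificate whose SAN list covers only
// *.constructor.com and constructor.com, mirroring the load balancer cert (constructed here).
func buildWildcardCert() *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "*.constructor.com"},
		DNSNames:     []string{"*.constructor.com", "constructor.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

// HostnameAccepted reports whether the name-matching step of a TLS client's check
// would accept cert for the host typed in the URL; the CNAME behind it plays no part.
func HostnameAccepted(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cert := buildWildcardCert()
	for _, h := range []string{"site.constructor.com", "user.com", "www.user.com", "a.b.constructor.com"} {
		fmt.Printf("%-22s accepted=%v\n", h, HostnameAccepted(cert, h))
	}
}
```

Only site.constructor.com and constructor.com pass; user.com fails regardless of where its CNAME points, and a wildcard covers exactly one label, so a.b.constructor.com fails too.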


In addition to Håkan Lindqvist's answer, regarding your update:

> Where should the user.com certificate be applied?

At the machine which terminates your HTTPS / TLS.

> Is it possible to use a self-generated certificate for user.com in this case?

Of course... but using these would give your visitors cert warnings (assuming the CA cert isn't known / trusted in their browsers). If you would like to prevent this, you need to get certs signed by a known and "trusted" CA. (If we're talking about many domains, maybe have a look at Let's Encrypt: "It's free, automated and open".)