diff --git a/terraform.tf b/terraform.tf
index 9deb758..88a7e45 100644
--- a/terraform.tf
+++ b/terraform.tf
@@ -4,7 +4,7 @@
 # Terraform configuration
 
 terraform {
-  required_version = ">= 0.10.0"
+  required_version = "~> 0.10"
   backend "s3" {
     bucket = "mazgi-sakemeshi-aws-terraform"
     key    = "global/tfstate"
@@ -13,6 +13,7 @@ terraform {
 }
 
 provider "aws" {
+  version = "~> 1.9.0"
   access_key = "${var.aws_access_key}"
   secret_key = "${var.aws_secret_key}"
   region = "us-east-1" # N. Virginia
@@ -45,6 +46,43 @@ resource "aws_route53_record" "sakemeshi-love" {
   }
 }
 
+# --------------------------------
+# ACM: sakemeshi.love, *.sakemeshi.love
+# Need AWS provider v1.9 or more.
+# see: https://github.com/terraform-providers/terraform-provider-aws/pull/2813
+
+resource "aws_acm_certificate" "sakemeshi-love" {
+  domain_name = "sakemeshi.love"
+  subject_alternative_names = ["*.sakemeshi.love"]
+  validation_method = "DNS"
+}
+
+# for 'sakemeshi.love'
+resource "aws_route53_record" "certificate-validation-sakemeshi-love" {
+  name = "${aws_acm_certificate.sakemeshi-love.domain_validation_options.0.resource_record_name}"
+  type = "${aws_acm_certificate.sakemeshi-love.domain_validation_options.0.resource_record_type}"
+  zone_id = "${aws_route53_zone.sakemeshi-love.zone_id}"
+  records = ["${aws_acm_certificate.sakemeshi-love.domain_validation_options.0.resource_record_value}"]
+  ttl = 60
+}
+
+## for '*.sakemeshi.love'
+#resource "aws_route53_record" "certificate-validation-_-sakemeshi-love" {
+#  name = "${aws_acm_certificate.sakemeshi-love.domain_validation_options.1.resource_record_name}"
+#  type = "${aws_acm_certificate.sakemeshi-love.domain_validation_options.1.resource_record_type}"
+#  zone_id = "${aws_route53_zone.sakemeshi-love.zone_id}"
+#  records = ["${aws_acm_certificate.sakemeshi-love.domain_validation_options.1.resource_record_value}"]
+#  ttl = 60
+#}
+
+resource "aws_acm_certificate_validation" "sakemeshi-love" {
+  certificate_arn = "${aws_acm_certificate.sakemeshi-love.arn}"
+  validation_record_fqdns = [
+    "${aws_route53_record.certificate-validation-sakemeshi-love.fqdn}",
+    "${aws_route53_record.certificate-validation-sakemeshi-love.fqdn}"
+  ]
+}
+
 # --------------------------------
 # S3 buckets: sakemeshi.love
 
@@ -138,6 +176,7 @@ resource "aws_cloudfront_distribution" "sakemeshi-love-website-prod-distribution
   }
 
   viewer_certificate {
-    cloudfront_default_certificate = true
+    acm_certificate_arn = "${aws_acm_certificate.sakemeshi-love.arn}"
+    ssl_support_method = "sni-only"
   }
 }