So, I've been trying to add my own domain to AWS API Gateway, but cannot add an ACM certificate. Even though I was issued a certificate from the AWS Certificate Manager, I can’t select it from the “Choose a certificate” drop-down selector. It only says “No certificates in eu-west-3 match the domain name you entered”.
Within the AWS Certificate Manager, I see that the status is ”Issued”. What am I doing wrong here? I must be missing something.
Information that might be useful:
Domain was bought through Google
The ARN of the certificate contains arn:aws:acm:eu-west-3:…. Also the url of both the API gateway and Certificate Manager console contains eu-west-3
The domain I want to use in API Gateway was pasted from the certificate domain field to avoid any typos.
For what is worth, the domain I want to use is actually a subdomain.
Thanks!!
When issuing the ACM, did you also enter subdomain in the list? Also, its really helpful to issue wild card ACM for domain. eg -
main domain - mydomain.com
sub domain - my.subdomain.com
wild card - *.mydomain.com
With wild card you can map it to any sub domain.
Usually, whenever issuing SSL, it's good to include wildcard asking with main domain. If main domain has different SSL, new wildcard for subdomain should not impact it.
Related
Apologies on the broad title;my question is mainly around validating domain names in AWS Certificate Manager such that I can get valid ACM going. These are currently in Heroku and need to be migrated into AWS.
The Heroku ACM will validate a custom domain and issue a certificate if the DNS for said custom domain is a CNAME to the Heroku app's main domain. For example, if I have my-heroku-app.com and I make a CNAME from example.com to that then Heroku will successfully generate a cert and I can visit https://example.com with proper TLS. This can be verified with a simple curl -Iv https://example.com which shows a certificate issued by Let's Encrypt.
Conversely the AWS Certificate Manager requires a specific CNAME record and value to be set on a domain in order for it to generate certificates for that domain. Until that happens, I do not see a way to use things like API Gateway or ELB with said domain.
Is there a way I can migrate these domain certificates into AWS Certificate Manager from Heroku, e.g. without having to go through the typical validation process for each one of them? The main Heroku app domain is one which is going to be pointed to AWS via API Gateway and at that point all of those custom domains will fail because they're not registered in AWS API + Certificate Manager.
Conversely the AWS Certificate Manager requires a specific CNAME record and value to be set on a domain in order for it to generate certificates for that domain. Until that happens, I do not see a way to use things like API Gateway or ELB with said domain.
There is absolutely nothing stopping you from creating the ACM validation CNAME records in your DNS service, to complete the creation of the certificate in ACM, while still leaving all your current DNS records in place. The ACM validation record is just a new DNS record, it doesn't replace any of your existing records, and it is only used for validation that you own the domain name, it isn't used for actual routing of any network requests.
Is there a way I can migrate these domain certificates into AWS Certificate Manager from Heroku, e.g. without having to go through the typical validation process for each one of them?
You have to go through the validation for each one, there is no getting around that. You could script it if you have a lot of them.
The main Heroku app domain is one which is going to be pointed to AWS via API Gateway and at that point all of those custom domains will fail because they're not registered in AWS API + Certificate Manager.
This is incorrect. You don't have to "register a domain to AWS Certificate Manager" in order to validate the certificate and get the certificate. ACM isn't validating that you have a domain pointing to an AWS API before it issues you the certificate. It is just validating that you own the domain name, via a new CNAME record that is only used for domain ownership validation.
I suggest you start the certificate creation process in ACM, and look at the CNAME record it asks you to create. You will see that it is totally unrelated to any of your current DNS records, and does not conflict with them.
I´m probably not understanding something here and wanted to ask, if somebody could explain.
I set up an AWS ES domain and created a custom endpoint for it. I provided a ACM certificate which I uploaded upfront and created the domain with it.
Let´s say, the custom endpoint should be a subdomain of my existing ROUTE 53 Domain (eg. logging.my-r53-hosted.domain)
I didn´t do anything at Route 53, yet, just provide an imaginary subdomain as endpoint(example above).
Then what ? .....
When I create this subdomain on Route 53 as CNAME which points to the autocreated endpoint of AWS ES (eg. vpc-logging-72354762589234579.es.amazonaws.com) and curl the custom endpoint (logging.my-r53-hosted.domain) I´m getting just the aws certificate back, but not the one i provided before. That gives me a self signed cert warning. I can circumvent this with --insecure, but that´s obviously not what I want.
Can anybody explain how to do it right ?
Thanks all and again thanks for your patience :-)
Greetings!
Create a wild card certificate like *.youdomain.com in ACM.
While creating the ES cluster select the custom domain option and add Custom hostname as your subdomain (e.g: elasticsearch.yourdomain.com) And for certificate chose wildcard certificate from ACM.
If you have cogito auth for kibana You will need also need to follow these steps:
Go to Cognito pool
Under App integration > App client settings
Update Sign-in and sign-out URLs according to your subdomain.
I'm following the serverless-stack guide and have a website hosted in an Amazon S3 bucket. I purchased a domain using GoDaddy and I have set up cloudfront to work with this bucket, then have used AWS certificate manager to generate SSL certificates for my domain (both www.my_domain.com and my_domain.com).
In GoDaddy I then configured DNS forwarding to point to my cloudfront resource.
This all works nicely, and if I go to my_domain.com in a browser then I see my website.
However, I can't get SSL working. If I go to the https:// version of my website then I see a not secure error in the chrome address bar which shows a certificate pointing to shortener.secureserver.net rather than my own website.
Could someone point me at a way around this? Looking through S.E. and using google it seems that Amazon's route53 might be able to help, but I can't figure out how to do this.
Thanks!
(edit) To make things more clear, this is what I see in Chrome if I connect to https://my_website.com or to https://www.my_website.com
The warning message:
The certificate details:
What I do not understand is why, after configuring an AWS certificate for my domain, I see a certificate for shortner.secureserver.com rather than a certificate for my_website.com.
Go daddy has problems and does not redirect to https, There are two ways, the first is to change domain registrar and the second is the easiest, which is: Create a hosted zone on AWS router 53 with your domain name
Create 2 type A records, one for the root (of your domain) and one for www that point to your cloudfront. Router 53 allows you to create a type A record without having an IP, because it directly points to a cloudfront instance that you indicate, that's the best
Then in go daddy it gives you the option to change name servers and puts the ones assigned by aws in hosted zone with the record that says NS and you put those 4 in Godaddy, replacing the ones that had
Note: SAVE THE NAME SERVERS THAT YOU HAVE IN GO DADDY BEFORE REPLACING THEM, IN CASE YOU HAVE ANY PROBLEM, YOU CAN REPLACE THEM AGAIN
You have to wait at least a few hours until all the name servers are updated, you can use the who.is page to see if the DNS have already been updated with those of aws.
It turns out that this is not possible with GoDaddy. If anyone else reading this has a similar problem, only current solution is to cancel your domain registration and register with someone else.
(edit) As #aavrug mentions in their comment, Amazon now have a guide for this.
When you defined your CloudFront you can defined whether you want to use, and you can choose HTTPS only. In this case HTTP requests will be automatically redirected to HTTPS. Have in mind CloudFront changes may take a while to be replicated and your browser cache it as well, so the best way is to make a change, wait for the deployment and then check it in a new cognito browser.
It goes without saying that your certificate must be valid and verified as well.
It might be something wrong with your certificate or with your domain.
If you serving your content over HTTPS you must provide a SSL Certificate in Cloudfront. Have you done that?
Have you added your domain on Alternative Domain Names (CNAMEs)?
Please have a look on the image below:
-> AWS provides Free SSL Certificates to be used with Cloudfront, so you might want to use it (easier than you import your SSL from go daddy).
You can create a free SSL certificate on AWS and easily attach it to your cloudfront distribution.
-> You can also transfer your domains to AWS Route53. It is easy to integrate with any AWS Service and easy to use/maintain :)
I wrote a complete guide on my blog telling how you can add Custom SSL and attach custom domain to Cloudfront distribution, it might be useful :)
https://lucasfsantos.com/posts/deploy-react-angular-cloudfront/
I am looking for some advice as how to most cost efficiently setup SSL for a subdomain e.g https://images.example.com.
Images are hosted in AWS S3 and I have a cloudfront distribution pointing to that bucket.
I have purchased a single domain SSL cert from Comodo and successfully added it to my cloudfront distribution. That part was easy as pie.
However, when loading images on the subdomain I get a "Not secure / certificate invalid" in the browser bar.
Is this because I require a wildcard SSL cert?
I have not tested that the SSL cert works on the main domain. Reason being there is currently a production site that I don't want to interfere with.
Before I rush out and purchase a much more expensive wildcard SSL cert, I want to make sure it is required.
I have a single subdomain for image hosting. I don't expect to ever ad more subdomains. What if I just purchase two single domain certs?
What are my options?
Try using ACM (https://aws.amazon.com/certificate-manager/ ) to issue an AWS issued wildcard certificate for your domain and use that instead?
As to why your existing cert won't work - does it have the domain in the cert (eg images.domain.com) as either the primary domain or as a SAN? If not, it won't work.
If you don't want to use a wildcard, you can use an ACM cert (or a cert you purchase from somewhere else) and issue it for the domain subdomain only? You don't have to use a wildcard but from a cost point of view if you are purchasing them, its often more cost-effective (although there are of course security concerns to consider). If you are using ACM, the certs are free - either domain specific or wildcard.
I'm trying to set a CNAME on Cloudflare to point to an Amazon API Gateway endpoint. The CNAME is for use when referring to one of my subdomains. The gateway in turn points to the IP of a server on DigitalOcean. I am very new to Amazon web services and would appreciate if someone could give me an overview of the correct configuration for the DNS, Amazon Gateway and Cloudfront (which I think is needed to expose the gateway to DNS servers external to Amazon). Any help would be much appreciated.
UPDATE
I've been going at this for a while now and not making much progress. Does anyone have an idea if this is a viable approach or how else it might be done?
UPDATE2
I thought I needed to add the CNAME record to cloudFlare and just ended up in a redirect loop, observed by:
curl -L -i -v https://sub.mydomain.com/
NOTE: It seems this method doesn't work anymore as AWS now only accepts certificates from certain authorities. I haven't tested it myself, but the answer by Gunar looks promising.
There are several reasons why it doens't work to simply point Cloudflare at your API Gateway domain and call it a day:
API Gateway uses shared hosting so it uses the domain name to figure out what API to send requests to. It has no way of knowing that api.yourdomain.com belongs to your API.
API Gateway requires that you use https, but the certificate that it uses is only valid for the default domain.
There is a solution, however. Here are the steps that I followed when I recently set this up:
Generate an origin certificate from the crypto tab of the Cloudflare dashboard.
Import the certificate to AWS Certificate manager in the us-east-1 region, even if your API is located in a different region. If you are prompted for the certificate chain you can copy it from here.
Add your custom domain in the API Gateway console and select the certificate you just added. Check the AWS support article for more information on how to do this.
It usually takes about 45 minutes for the custom domain to finish initializing. Once it's done it will give you a new Cloudfront URL. Go ahead and make sure your API still works through this new URL.
Go to the Cloudflare DNS tab and setup a CNAME record pointing to Cloudfront URL you just created.
Switch to the crypto tab and set your SSL mode to "Full (Strict)". If you skip this step you'll get a redirect loop.
That's it. Enjoy your new highly available API served from your custom domain!
Set up Amazon's API Gateway Custom Domain with CloudFlare
In your AWS management console go to the API Gateway service and select Custom Domain Names from the left menu.
Click the Create button.
Log into CloudFlare, select your domain and open the Crypto tab
Go to SSL and set your SSL mode to "Full (Strict)" to avoid a redirect loop.
Go to Origin Certificates and click Create Certificate
Let CloudFlare generate a private key and a CSR and choose RSA as the private key type
Make sure that the hostname for your custom API domain is covered. (e.g. api.mydomain.com. You can specifically configure this custom domain or use a wildcard such as *.mydomain.com as is configured by default.
Pick PEM as the key format which is selected by default.
In AWS switch to region US-EAST-1 and goto the Certificate Manager.
Click Import a Certificate.
Copy the certificate body from your CloudFlare certificate to Certificate body to the configuration of the custom domain in the AWS Management Console.
Copy the Private key to the certificate private key field in the console
In the certificate chain copy the Cloudflare Origin CA - RSA Root which can be found here.
Enter your custom domain name in the AWS console and a name for your certificate
Now the custom domain name will be created in AWS CloudFront. It can take up to an hour before the domain becomes active.
The next thing you need to do is set up the mappings of the custom domain in the AWS Console.
The final step is to create a new CNAME Record in CloudFlare to link your domain to the CloudFront url. When you open the settings page of your custom domain in the AWS console copy the Distribution domain name. This is the domain you need to use when creating the new CNAME Record.
Source
I couldn't get any of the other answers to work. So I ended up having AWS generate the certificate instead of using a Cloudflare Origin one. That's because AWS wouldn't accept my Cloudflare certificate, even when the chain was provided. I couldn't see Cloudflare in Mozilla's Certificate Authority list (which is what AWS relies on, according to the docs) so I guess that makes sense.
Here's the outline of my solution:
Create AWS Route53 Zone
Create AWS ACM Certificate (must be in us-east-1) with validation method DNS
Create Cloudflare DNS Record with the output of (2)
Create AWS API Gateway Domain Name
Create Cloudflare DNS CNAME Record pointing '#' (root domain) to the Cloudfront domain name from step (4)
Create AWS API Gateway Base Path Mapping
This should be roughly it. May this help someone. Feel free to ask questions.
Both existing answers to this question are correct, but if the issue still persists even after following these directions perfectly, try going into the API Gateway settings, navigate to "Custom Domain Name" and configure the Base Path Mappings.
This was the missing step that solved all my problems.