Apologies on the broad title;my question is mainly around validating domain names in AWS Certificate Manager such that I can get valid ACM going. These are currently in Heroku and need to be migrated into AWS.
The Heroku ACM will validate a custom domain and issue a certificate if the DNS for said custom domain is a CNAME to the Heroku app's main domain. For example, if I have my-heroku-app.com and I make a CNAME from example.com to that then Heroku will successfully generate a cert and I can visit https://example.com with proper TLS. This can be verified with a simple curl -Iv https://example.com which shows a certificate issued by Let's Encrypt.
Conversely the AWS Certificate Manager requires a specific CNAME record and value to be set on a domain in order for it to generate certificates for that domain. Until that happens, I do not see a way to use things like API Gateway or ELB with said domain.
Is there a way I can migrate these domain certificates into AWS Certificate Manager from Heroku, e.g. without having to go through the typical validation process for each one of them? The main Heroku app domain is one which is going to be pointed to AWS via API Gateway and at that point all of those custom domains will fail because they're not registered in AWS API + Certificate Manager.
Conversely the AWS Certificate Manager requires a specific CNAME record and value to be set on a domain in order for it to generate certificates for that domain. Until that happens, I do not see a way to use things like API Gateway or ELB with said domain.
There is absolutely nothing stopping you from creating the ACM validation CNAME records in your DNS service, to complete the creation of the certificate in ACM, while still leaving all your current DNS records in place. The ACM validation record is just a new DNS record, it doesn't replace any of your existing records, and it is only used for validation that you own the domain name, it isn't used for actual routing of any network requests.
Is there a way I can migrate these domain certificates into AWS Certificate Manager from Heroku, e.g. without having to go through the typical validation process for each one of them?
You have to go through the validation for each one, there is no getting around that. You could script it if you have a lot of them.
The main Heroku app domain is one which is going to be pointed to AWS via API Gateway and at that point all of those custom domains will fail because they're not registered in AWS API + Certificate Manager.
This is incorrect. You don't have to "register a domain to AWS Certificate Manager" in order to validate the certificate and get the certificate. ACM isn't validating that you have a domain pointing to an AWS API before it issues you the certificate. It is just validating that you own the domain name, via a new CNAME record that is only used for domain ownership validation.
I suggest you start the certificate creation process in ACM, and look at the CNAME record it asks you to create. You will see that it is totally unrelated to any of your current DNS records, and does not conflict with them.
Related
I deployed a DRF application on Elastic Beanstalk and now I need to make it https.
I requested a public certificate from AWS ACM using EB URL for domain name but got the following message.
You cannot request a certificate for Amazon-owned domain names such as those ending in amazonaws.com, cloudfront.net, or elasticbeanstalk.com.
Now the question is can I get a certificate without spending money on domain?
I tried to get a free subdomains but none of them had the functionality to manage DNS settings.
can I get a certificate without spending money on domain?
No. For valid SSL certificate you need your own domain, or domain that you control. There are free domain providers, but for anything other than testing, you need to pay for a domain.
I'm developing a SaaS application on Amazon Elasticbeanstalk: my-saas.com and for every registered user my app create custom subdomain username.my-saas.com with wildcard SSL.
I'm trying to develop new feature custom domains. Users will be able to choose between a subdomain and their domain like app.my-user-domain.com.
I know this will require the user to add a CNAME DNS record pointing to... my Elasticbeanstalk Instance or my subdomain?
And how can I set SSL for this domains automatically on AWS?
You would need to request an SSL certificate from the ACM service for the customer's domain, then Amazon would give you a DNS record to create in the my-user-domain.com DNS server. You would then have to ask your users to create that additional DNS record on their end, and then wait on the ACM service to validate the domain and issue the SSL certificate. After that you could add the SSL certificate to your load balancer.
I would have a form that the user enters their custom domain into, after which you could go ahead and create the SSL certificate request in AWS via the API. Then you could present them two DNS records to create:
The DNS record they need to create, which will point to your SaaS application.
The DNS record they need to create to validate the SSL certificate request.
Then you would need some method for the user to click a button in your application that says "I've created those DNS records". When that happens you would query the AWS API to see if the SSL certificate has been issued by Amazon yet, and if so attach it to the load balancer. If it has not been issued yet you would have to tell the user to try again later.
I have an ELB instance installed on my AWS account (http://editoradbosco.us-east-2.elasticbeanstalk.com), and it is working normally. My domain is installed on Hostgator (https://centrodombosco.org), and on this, I have a CNAME that points to my AWS endpoint (http://editora.centrodombosco.org).
However, I need to use an HTTPS (SSL) protocol. How can I proceed? I have an SSL contracted on Hostgator for this subdomain, but Hostgator has informed me that I need to make adjustments to AWS so that it works, but I do not know how to proceed.
How can I make this work?
I tried to create an SSL by Certificate Manager on AWS, appointing the CNAMES on my DNS Panel on Hostgator. But it fails. I guess its not possible to use AWS Certificates outside AWS Domains.
There are two ways you can do this.
Since you already have an SSL from Host Gator, you can import that certificate to AWS Certificate Manager (instructions here). Once you import a certificate it is immediately considered validated and you can immediately proceed to configure your EB environments Load Balancer to terminate HTTPS as described here.
Alternatively, if you’d like to use Amazon Certificate Manager but for some reason the DNS validation isn’t working, or its not possible for you to validate ownership of the domain using the DNS method, Amazon Certificate Manager also offers you the option to use email to validate your ownership of the domain, as described here. Once your ownership of the domain is validated you can then proceed to configure your EB environments Load Balancer to terminate HTTPS as described here.
As a side note, you may wish to consider using Route53 to handle DNS for your domain. Route53 is tightly integrated with AWS services such as ACM and, as is the case with ACM, services requiring custom DNS entries will often offer to make the correct DNS entries directly in to your Route53 hosted zone on your behalf.
I'm trying to set a CNAME on Cloudflare to point to an Amazon API Gateway endpoint. The CNAME is for use when referring to one of my subdomains. The gateway in turn points to the IP of a server on DigitalOcean. I am very new to Amazon web services and would appreciate if someone could give me an overview of the correct configuration for the DNS, Amazon Gateway and Cloudfront (which I think is needed to expose the gateway to DNS servers external to Amazon). Any help would be much appreciated.
UPDATE
I've been going at this for a while now and not making much progress. Does anyone have an idea if this is a viable approach or how else it might be done?
UPDATE2
I thought I needed to add the CNAME record to cloudFlare and just ended up in a redirect loop, observed by:
curl -L -i -v https://sub.mydomain.com/
NOTE: It seems this method doesn't work anymore as AWS now only accepts certificates from certain authorities. I haven't tested it myself, but the answer by Gunar looks promising.
There are several reasons why it doens't work to simply point Cloudflare at your API Gateway domain and call it a day:
API Gateway uses shared hosting so it uses the domain name to figure out what API to send requests to. It has no way of knowing that api.yourdomain.com belongs to your API.
API Gateway requires that you use https, but the certificate that it uses is only valid for the default domain.
There is a solution, however. Here are the steps that I followed when I recently set this up:
Generate an origin certificate from the crypto tab of the Cloudflare dashboard.
Import the certificate to AWS Certificate manager in the us-east-1 region, even if your API is located in a different region. If you are prompted for the certificate chain you can copy it from here.
Add your custom domain in the API Gateway console and select the certificate you just added. Check the AWS support article for more information on how to do this.
It usually takes about 45 minutes for the custom domain to finish initializing. Once it's done it will give you a new Cloudfront URL. Go ahead and make sure your API still works through this new URL.
Go to the Cloudflare DNS tab and setup a CNAME record pointing to Cloudfront URL you just created.
Switch to the crypto tab and set your SSL mode to "Full (Strict)". If you skip this step you'll get a redirect loop.
That's it. Enjoy your new highly available API served from your custom domain!
Set up Amazon's API Gateway Custom Domain with CloudFlare
In your AWS management console go to the API Gateway service and select Custom Domain Names from the left menu.
Click the Create button.
Log into CloudFlare, select your domain and open the Crypto tab
Go to SSL and set your SSL mode to "Full (Strict)" to avoid a redirect loop.
Go to Origin Certificates and click Create Certificate
Let CloudFlare generate a private key and a CSR and choose RSA as the private key type
Make sure that the hostname for your custom API domain is covered. (e.g. api.mydomain.com. You can specifically configure this custom domain or use a wildcard such as *.mydomain.com as is configured by default.
Pick PEM as the key format which is selected by default.
In AWS switch to region US-EAST-1 and goto the Certificate Manager.
Click Import a Certificate.
Copy the certificate body from your CloudFlare certificate to Certificate body to the configuration of the custom domain in the AWS Management Console.
Copy the Private key to the certificate private key field in the console
In the certificate chain copy the Cloudflare Origin CA - RSA Root which can be found here.
Enter your custom domain name in the AWS console and a name for your certificate
Now the custom domain name will be created in AWS CloudFront. It can take up to an hour before the domain becomes active.
The next thing you need to do is set up the mappings of the custom domain in the AWS Console.
The final step is to create a new CNAME Record in CloudFlare to link your domain to the CloudFront url. When you open the settings page of your custom domain in the AWS console copy the Distribution domain name. This is the domain you need to use when creating the new CNAME Record.
Source
I couldn't get any of the other answers to work. So I ended up having AWS generate the certificate instead of using a Cloudflare Origin one. That's because AWS wouldn't accept my Cloudflare certificate, even when the chain was provided. I couldn't see Cloudflare in Mozilla's Certificate Authority list (which is what AWS relies on, according to the docs) so I guess that makes sense.
Here's the outline of my solution:
Create AWS Route53 Zone
Create AWS ACM Certificate (must be in us-east-1) with validation method DNS
Create Cloudflare DNS Record with the output of (2)
Create AWS API Gateway Domain Name
Create Cloudflare DNS CNAME Record pointing '#' (root domain) to the Cloudfront domain name from step (4)
Create AWS API Gateway Base Path Mapping
This should be roughly it. May this help someone. Feel free to ask questions.
Both existing answers to this question are correct, but if the issue still persists even after following these directions perfectly, try going into the API Gateway settings, navigate to "Custom Domain Name" and configure the Base Path Mappings.
This was the missing step that solved all my problems.
I'm in the process of moving from another cloud provider. Currently I'm just testing in the default environment that has a url looking like this:
http://example-env-1.us-east-1.elasticbeanstalk.com
I'm trying to get SSL/HTTPS working for this address. I then plan using a CNAME to redirect to this address and eventually move the nameservers over completely.
However, after setting everything else up successfully I get to the point of adding the certificates and it just says "failed":
And even though I have my actual "example.com" ssl certificate successfully issued nothing shows up in the load balancer certificate selection dropdown (and yes I have refreshed):
How do I enable SSL using the Certificate Manager?
That's because you are trying to request a cert for the elasticbeanstalk.com domain. You will not be able to get a cert for that domain as you are not the owner of it :). Nor can you setup https for the default elastic beanstalk domains they give you.
You should use ACM to get a certificate for your custom domain, the one you plan on making a CNAME record for.
Example:
If you were to own say the domain amyneville.com. You could create a cert through ACM for that domain.
If you use your custom domain, you do NOT need a to get a cert for the elasticbeanstalk.com domain.
A couple more things:
You cannot create a CNAME record on a TLD (amyneville.com). You can create the CNAME record for www.amyneville.com. So if you want to use the CNAME approach you will have to create a non-www redirect to www..
But better then a CNAME would be to use an A record and point it to the elastic beanstalk resource that was setup. So the load balancer that was created for you, use it's A record.
Last but not least, you cannot apply the ACM cert through the elastic beanstalk console. Instead you will have to use the AWS CLI tools. Here's a link on how to do it: https://stackoverflow.com/a/35173500/1445460
I was looking for this myself and found this useful blog post from one of the Amazon team ...
https://medium.com/#arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8#.frcj0rj4t
Whilst you can't use the console to select the certificate as stated in your question you can use the Elastic Beanstalk CLI to set the certificate to one you have created in Certificate Manager.