Pending validation for AWS certificate which was added to google domain - amazon-web-services

I created my certificate in AWS ACM and updated the CNAME name and CNAME value in Google Domains. But it's still saying pending validation. How long does it take for validation? I'm not sure if I am making any mistake; could someone please share the steps for getting certificates created and used with a Google domain? I was able to connect from Google Domains to Route 53.

I was finally able to resolve it: I was using custom NS servers. Instead I had to use the default ones and add the CNAME there, and AWS validated the certs within a few minutes.

Related

How to validate SSL request in AWS Certificate Manager

I've deployed an app to Elastic Beanstalk and now, in order to have HTTPS, I need to add port 443 in the ELB and specify the SSL certificate. As I don't have one, I'm trying to create it. I got the domain after deploying the frontend to Firebase. I found that after requesting the certificate I need to create a CNAME record using the values provided in the AWS certificate request in order to validate it; I just can't seem to find the way to create it in Firebase. Am I doing something wrong? Any help is appreciated.
I tried to create the CNAME in AWS Route 53 hosted zones and expected the SSL certificate to be validated, but I think I need to create the record in Firebase and I don't know how to do it.
You would need to identify where your DNS records are being managed. Once you add the records in the right place, your certificate will be validated successfully.

How to migrate from Heroku ACM to AWS Certificate Manager?

Apologies for the broad title; my question is mainly around validating domain names in AWS Certificate Manager such that I can get valid ACM certificates going. These are currently in Heroku and need to be migrated into AWS.
The Heroku ACM will validate a custom domain and issue a certificate if the DNS for said custom domain is a CNAME to the Heroku app's main domain. For example, if I have my-heroku-app.com and I make a CNAME from example.com to that then Heroku will successfully generate a cert and I can visit https://example.com with proper TLS. This can be verified with a simple curl -Iv https://example.com which shows a certificate issued by Let's Encrypt.
Conversely the AWS Certificate Manager requires a specific CNAME record and value to be set on a domain in order for it to generate certificates for that domain. Until that happens, I do not see a way to use things like API Gateway or ELB with said domain.
Is there a way I can migrate these domain certificates into AWS Certificate Manager from Heroku, e.g. without having to go through the typical validation process for each one of them? The main Heroku app domain is one which is going to be pointed to AWS via API Gateway and at that point all of those custom domains will fail because they're not registered in AWS API + Certificate Manager.
Conversely the AWS Certificate Manager requires a specific CNAME record and value to be set on a domain in order for it to generate certificates for that domain. Until that happens, I do not see a way to use things like API Gateway or ELB with said domain.
There is absolutely nothing stopping you from creating the ACM validation CNAME records in your DNS service, to complete the creation of the certificate in ACM, while still leaving all your current DNS records in place. The ACM validation record is just a new DNS record, it doesn't replace any of your existing records, and it is only used for validation that you own the domain name, it isn't used for actual routing of any network requests.
Is there a way I can migrate these domain certificates into AWS Certificate Manager from Heroku, e.g. without having to go through the typical validation process for each one of them?
You have to go through the validation for each one; there is no getting around that. You could script it if you have a lot of them.
The main Heroku app domain is one which is going to be pointed to AWS via API Gateway and at that point all of those custom domains will fail because they're not registered in AWS API + Certificate Manager.
This is incorrect. You don't have to "register a domain to AWS Certificate Manager" in order to validate the certificate and get the certificate. ACM isn't validating that you have a domain pointing to an AWS API before it issues you the certificate. It is just validating that you own the domain name, via a new CNAME record that is only used for domain ownership validation.
I suggest you start the certificate creation process in ACM, and look at the CNAME record it asks you to create. You will see that it is totally unrelated to any of your current DNS records, and does not conflict with them.
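As an added example of scripting the per-domain validation this answer mentions (this is not code from the answer or from AWS): it reads the validation CNAMEs ACM reports for a pending certificate, builds the Route 53 change that adds them beside the existing records, and derives the relative host name a registrar's DNS editor asks for. The ACM response is a constructed sample; in practice boto3's acm.describe_certificate supplies it and route53.change_resource_record_sets accepts the batch.

```python
"""Added example (not from the answers above): turn the DNS validation
records ACM reports into a Route 53 change batch and into the host/value
pair a registrar's DNS editor (GoDaddy, Google Domains) expects; the
describe_certificate response below is constructed."""


def validation_records(describe_response):
    """Unique (name, value) CNAME pairs from acm.describe_certificate().
    ACM reports the same record for example.com and *.example.com, and
    Route 53 rejects a batch listing one record set twice, so dedupe."""
    seen = {}
    for opt in describe_response["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if rr and rr["Type"] == "CNAME":
            seen.setdefault(rr["Name"].lower(), rr["Value"].lower())
    return sorted(seen.items())


def route53_change_batch(records, action="UPSERT", ttl=300):
    """ChangeBatch for boto3 route53.change_resource_record_sets(); the
    validation CNAMEs are added beside existing records, replacing none."""
    changes = [{"Action": action,
                "ResourceRecordSet": {"Name": name, "Type": "CNAME", "TTL": ttl,
                                      "ResourceRecords": [{"Value": value}]}}
               for name, value in records]
    return {"Comment": "ACM DNS validation", "Changes": changes}


def registrar_host(name, zone):
    """Registrar UIs want the host relative to the zone, no trailing dot:
    '_abc.www.customer3.com.' in zone 'customer3.com' -> '_abc.www'."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    if name == zone:
        return "@"
    if not name.endswith("." + zone):
        raise ValueError(f"{name} is not inside zone {zone}")
    return name[: -len(zone) - 1]


# Constructed sample of what ACM returns while the certificate is pending.
SAMPLE = {"Certificate": {"DomainValidationOptions": [
    {"DomainName": "example.com",
     "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "*.example.com",
     "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "www.customer3.com",
     "ResourceRecord": {"Name": "_789xyz.www.customer3.com.", "Type": "CNAME",
                        "Value": "_0fed.acm-validations.aws."}}]}}
```

The names and values in SAMPLE are placeholders; the real ones come from the ACM console or the describe_certificate output for your certificate.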

Not able to get SSL certificate validated issued using AWS Certificate Manager

I want to add an SSL certificate to my application that is currently deployed on Elastic Beanstalk. I created the certificate using AWS Certificate Manager with both validation methods, but neither of them worked. I neither got an email, nor did adding the CNAME to GoDaddy as well as Route 53 get it validated. I followed the exact steps specified in the documentation. I am the owner of the domain, so I should have gotten an email, but I didn't. Any idea what I might be doing wrong?
Also, is there another way to generate the SSL certificate besides AWS CM for my application?

HTTPS connections to cloudfront / S3 using godaddy domain

I'm following the serverless-stack guide and have a website hosted in an Amazon S3 bucket. I purchased a domain using GoDaddy and have set up CloudFront to work with this bucket, then used AWS Certificate Manager to generate SSL certificates for my domain (both www.my_domain.com and my_domain.com).
In GoDaddy I then configured DNS forwarding to point to my CloudFront resource.
This all works nicely, and if I go to my_domain.com in a browser then I see my website.
However, I can't get SSL working. If I go to the https:// version of my website then I see a "not secure" error in the Chrome address bar, which shows a certificate pointing to shortener.secureserver.net rather than my own website.
Could someone point me to a way around this? Looking through S.E. and using Google it seems that Amazon's Route 53 might be able to help, but I can't figure out how to do this.
Thanks!
(edit) To make things clearer, this is what I see in Chrome if I connect to https://my_website.com or to https://www.my_website.com
The warning message:
The certificate details:
What I do not understand is why, after configuring an AWS certificate for my domain, I see a certificate for shortner.secureserver.com rather than a certificate for my_website.com.
GoDaddy has problems and does not redirect to HTTPS. There are two ways: the first is to change domain registrar, and the second is the easiest, which is: create a hosted zone in AWS Route 53 with your domain name.
Create 2 type A records, one for the root (of your domain) and one for www, that point to your CloudFront distribution. Route 53 allows you to create a type A record without having an IP, because it points directly to a CloudFront distribution that you indicate; that's the best.
Then in GoDaddy you get the option to change name servers. Take the ones AWS assigned in the hosted zone (the record that says NS) and put those 4 in GoDaddy, replacing the ones that were there.
Note: SAVE THE NAME SERVERS THAT YOU HAVE IN GODADDY BEFORE REPLACING THEM, SO THAT IF YOU HAVE ANY PROBLEM YOU CAN PUT THEM BACK.
You have to wait at least a few hours until all the name servers are updated; you can use the who.is page to see if the DNS has already been updated with the AWS ones.
It turns out that this is not possible with GoDaddy. If anyone else reading this has a similar problem, the only current solution is to cancel your domain registration and register with someone else.
(edit) As @aavrug mentions in their comment, Amazon now has a guide for this.
When you define your CloudFront distribution you can define which protocol you want to use, and you can choose HTTPS only. In this case HTTP requests will be automatically redirected to HTTPS. Keep in mind that CloudFront changes may take a while to be replicated and your browser caches them as well, so the best way is to make a change, wait for the deployment and then check it in a new incognito browser window.
It goes without saying that your certificate must be valid and verified as well.
It might be something wrong with your certificate or with your domain.
If you are serving your content over HTTPS you must provide an SSL certificate in CloudFront. Have you done that?
Have you added your domain under Alternate Domain Names (CNAMEs)?
Please have a look at the image below:
-> AWS provides free SSL certificates to be used with CloudFront, so you might want to use them (easier than importing your SSL certificate from GoDaddy).
You can create a free SSL certificate on AWS and easily attach it to your CloudFront distribution.
-> You can also transfer your domains to AWS Route 53. It is easy to integrate with any AWS service and easy to use/maintain :)
I wrote a complete guide on my blog telling how you can add Custom SSL and attach custom domain to Cloudfront distribution, it might be useful :)
https://lucasfsantos.com/posts/deploy-react-angular-cloudfront/

AWS Certificate Manager and Route 53 approve SSL certificates

I run a SaaS with multiple subdomains and with the option for customers to use their own domains too.
This means that we host, e.g.:
customer1.ourdomain.com
customer2.ourdomain.com
www.customer3.com
www.customer4.com
When creating a certificate through ACM, I have to confirm the new certificate for all domains; that's fair, I can live with that.
But our customers can't live with confirming their domain every time we add a new certificate (since we still can't update/add domains to an existing cert).
My question is, can I somehow intercept the mails that are being sent out when the domains have to be confirmed?
Of course I can't always get their mails, but just for e.g. hostmaster@customer3.com.
The domains can be moved to Route 53 if needed; the customers usually have had them for a long time, hosted somewhere else. We usually just make a CNAME to our ELB.
How do other people deal with this?
Best regards, thanks in advance
Currently, you have two options here:
Firstly, AWS allows you to configure the base domain name to which you want the validation email to be sent. For instance, if you are requesting SSL for subdomains like *.customer1.ourdomain.com or *.customer2.ourdomain.com, you can specify ourdomain.com as the validation domain.
Can I configure the email addresses to which the certificate approval request is sent? No, but you can configure the base domain name to which you want the validation email to be sent. The base domain name must be a superdomain of the domain name in the certificate request. For example, if you want to request a certificate for server.domain.example.com but want to direct the approval email to admin@domain.example.com, you can do so using the AWS CLI or API. See ACM CLI Reference and ACM API Reference for further details.
To enhance this process even further you can try the acmagent pip library to automate your SSL confirmation:
pip install acmagent
Requesting SSL
$ acmagent request-certificate --domain-name *.dev.example.com --validation-domain example.com
12345678-1234-1234-1234-123456789012
Approving SSL
$ acmagent confirm-certificate --certificate-id 12345678-1234-1234-1234-123456789012
More examples can be found here.
The second option is to create an MX record in the hosted zone pointing to the SES service and use a Lambda function to parse the confirmation email body. I found an existing project that looks like it is doing this already: aws-acm-certificate-request-approver
Hopefully, that helps.
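As an added example of the first option (this is not acmagent's code or an AWS sample): it builds the arguments for boto3's acm.request_certificate so that each domain's approval mail is directed to a chosen base domain, and enforces the rule quoted above that the validation domain must be a superdomain of the requested name. The domain names and mapping are constructed from the question's layout.

```python
"""Added example (not acmagent's code): build the boto3
acm.request_certificate(**kwargs) arguments for EMAIL validation so each
approval mail goes to a chosen base domain, enforcing ACM's rule that the
validation domain must be the domain itself or one of its parents."""


def is_superdomain(base, domain):
    """True when base equals domain or is a parent of it; the wildcard
    label is dropped first, so example.com covers *.dev.example.com."""
    base = base.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    if domain.startswith("*."):
        domain = domain[2:]
    return domain == base or domain.endswith("." + base)


def email_validation_request(domains, validation_domains, token):
    """domains: first entry is the primary name, the rest become SANs.
    validation_domains: domain -> base domain that should receive the
    approval mail, e.g. {'*.dev.example.com': 'example.com'}; domains
    not listed get their own name (minus any wildcard label)."""
    options = []
    for domain in domains:
        default = domain[2:] if domain.startswith("*.") else domain
        base = validation_domains.get(domain, default)
        if not is_superdomain(base, domain):
            raise ValueError(f"{base} is not a superdomain of {domain}")
        options.append({"DomainName": domain, "ValidationDomain": base})
    kwargs = {"DomainName": domains[0],
              "ValidationMethod": "EMAIL",
              "IdempotencyToken": token,
              "DomainValidationOptions": options}
    if len(domains) > 1:  # the API rejects an empty SAN list
        kwargs["SubjectAlternativeNames"] = domains[1:]
    return kwargs


if __name__ == "__main__":
    # Constructed request for the SaaS layout in the question.
    req = email_validation_request(
        ["customer1.ourdomain.com", "www.customer3.com"],
        {"customer1.ourdomain.com": "ourdomain.com"}, "saascert1")
    print(req)
    # To send it: import boto3; boto3.client("acm").request_certificate(**req)
```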