AWS Certificate Manager - validate domain by email - where do the emails go? - amazon-web-services

I've used the "validate by email" option for getting an ACM certificate for my website (We can call it example.com).
In the details section of the validation status, I see that an email was sent to:
webmaster@example.com
postmaster@example.com
hostmaster@example.com
admin@example.com
administrator@example.com
The problem is that I have no idea where these emails are going, or how to check them. I never remember setting up any sort of email associated with my domain but I do have my domain on a hosted zone using Route53.
Amazon's documentation fails to provide any help on this. I am wanting to actually access the emails that were sent from ACM (are they in S3? Route53? Do I need command-line?).

Related

How to migrate from Heroku ACM to AWS Certificate Manager?

Apologies on the broad title; my question is mainly around validating domain names in AWS Certificate Manager such that I can get valid ACM going. These are currently in Heroku and need to be migrated into AWS.
The Heroku ACM will validate a custom domain and issue a certificate if the DNS for said custom domain is a CNAME to the Heroku app's main domain. For example, if I have my-heroku-app.com and I make a CNAME from example.com to that then Heroku will successfully generate a cert and I can visit https://example.com with proper TLS. This can be verified with a simple curl -Iv https://example.com which shows a certificate issued by Let's Encrypt.
Conversely the AWS Certificate Manager requires a specific CNAME record and value to be set on a domain in order for it to generate certificates for that domain. Until that happens, I do not see a way to use things like API Gateway or ELB with said domain.
Is there a way I can migrate these domain certificates into AWS Certificate Manager from Heroku, e.g. without having to go through the typical validation process for each one of them? The main Heroku app domain is one which is going to be pointed to AWS via API Gateway and at that point all of those custom domains will fail because they're not registered in AWS API + Certificate Manager.
> Conversely the AWS Certificate Manager requires a specific CNAME record and value to be set on a domain in order for it to generate certificates for that domain. Until that happens, I do not see a way to use things like API Gateway or ELB with said domain.
There is absolutely nothing stopping you from creating the ACM validation CNAME records in your DNS service, to complete the creation of the certificate in ACM, while still leaving all your current DNS records in place. The ACM validation record is just a new DNS record, it doesn't replace any of your existing records, and it is only used for validation that you own the domain name, it isn't used for actual routing of any network requests.
> Is there a way I can migrate these domain certificates into AWS Certificate Manager from Heroku, e.g. without having to go through the typical validation process for each one of them?
You have to go through the validation for each one, there is no getting around that. You could script it if you have a lot of them.
> The main Heroku app domain is one which is going to be pointed to AWS via API Gateway and at that point all of those custom domains will fail because they're not registered in AWS API + Certificate Manager.
This is incorrect. You don't have to "register a domain to AWS Certificate Manager" in order to validate the certificate and get the certificate. ACM isn't validating that you have a domain pointing to an AWS API before it issues you the certificate. It is just validating that you own the domain name, via a new CNAME record that is only used for domain ownership validation.
I suggest you start the certificate creation process in ACM, and look at the CNAME record it asks you to create. You will see that it is totally unrelated to any of your current DNS records, and does not conflict with them.
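The scripting mentioned in this answer could look like the following added example (not code from the answer): it collects the validation CNAMEs from several certificates, checks them against the names already in the zone, and builds one Route 53 change batch. The sample responses, tokens and zone contents are constructed; if the DNS is hosted elsewhere, the same name/value pairs go into that provider instead.

```python
# Added example: collect ACM DNS-validation CNAMEs for many certificates and
# build one Route 53 change batch. All domain names and tokens are constructed.

# Constructed stand-ins for acm.describe_certificate() responses.
SAMPLE_RESPONSES = [
    {"Certificate": {"DomainValidationOptions": [
        {"DomainName": "example.com", "ResourceRecord": {
            "Name": "_1a2b3c.example.com.", "Type": "CNAME",
            "Value": "_9f8e7d.acm-validations.aws."}},
        {"DomainName": "*.example.com", "ResourceRecord": {
            "Name": "_1a2b3c.example.com.", "Type": "CNAME",
            "Value": "_9f8e7d.acm-validations.aws."}},
    ]}},
    {"Certificate": {"DomainValidationOptions": [
        {"DomainName": "shop.example.org"},  # record not populated yet
    ]}},
]
EXISTING_NAMES = ["example.com.", "www.example.com.", "shop.example.org."]


def validation_records(responses):
    """Return {record name: value} for every validation CNAME, deduplicated."""
    records = {}
    for resp in responses:
        for opt in resp["Certificate"]["DomainValidationOptions"]:
            rr = opt.get("ResourceRecord")
            if rr is None:  # ACM fills this in shortly after the request
                continue
            name = rr["Name"].lower()
            if records.setdefault(name, rr["Value"]) != rr["Value"]:
                raise ValueError(f"two different values for {name}")
    return records


def conflicts(records, existing_names):
    """Validation names that collide with records already in the zone."""
    existing = {n.lower().rstrip(".") for n in existing_names}
    return sorted(n for n in records if n.rstrip(".") in existing)


def change_batch(records):
    """Body for route53.change_resource_record_sets(ChangeBatch=...)."""
    return {"Changes": [
        {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": name, "Type": "CNAME", "TTL": 300,
            "ResourceRecords": [{"Value": value}]}}
        for name, value in sorted(records.items())]}
```

With the sample data the apex and wildcard names share a single validation record, and it collides with none of the existing routing records.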

How to use registrar's (strato.de) email server and host website on AWS CloudFront?

I am hosting a static website with AWS S3 and CloudFront but came up with the problem that I can't receive emails on the registrar's email server (strato.de).
The registrar where I reserved my domain name and email server is currently "Strato.de"
In order to host my static website I created a S3 Bucket on AWS and a CloudFront distribution to use TLS/SSL and HTTPS.
I configured my registrar to point to the AWS nameservers in the Route 53 configuration; this works perfectly and my website is publicly available.
The problem I am facing is that my emails are also redirected to the aws configuration because the nameservers transfer all traffic instead of only my website.
To solve this problem I thought about creating an A record in my registrar and pointing it to the IP of the CloudFront distribution. Unfortunately they don't use static IP addresses. Secondly, if I use the S3 bucket directly instead of CloudFront there would be no HTTPS.
I am a beginner in this field and just want to receive emails that are sent to the domain name I reserved at the registrar and at the same time host my website via CloudFront.
I appreciate any help.
Unfortunately, it's not possible, I had a call with Strato and they said you have to use their DNS in order to benefit from their mail service.
My advice would be to use Google suite or Zoho, who have more experience in the field; you will also find a lot of articles explaining how to solve this common issue.

How to get DNS record in GoDaddy verified by Amazon Web Services?

I want to send email using AWS Simple Email Service from my domain email address, but during configuration I am running into a verification issue with AWS.
1) I have purchased a domain from GoDaddy and created an email with that domain.
2) Registered my domain in the AWS portal.
3) To enable the email service, AWS provided me TXT and CNAME records, which were supposed to be set in the DNS records in the GoDaddy portal. I have done that setup.
4) AWS is supposed to verify those records from the DNS settings but it is not able to verify them.
Please help, Thanks in Advance :)
Just for better visibility, @michael-sqlbot's answer is working.
If you have put-this-into-host.your-domain.com then just use put-this-into-host, because the domain will automatically be suffixed.

How to route Gsuite emails through Amazon SES?

So I have my amazon SES account, my Gsuite account, and my domain DNS settings.
I used Route 53 to generate my DNS stuff and used "use other name servers" and then entered my Amazon Route 53 name servers instead. I also added Gsuite MX records within my Route 53 and INBOUND WORKS...
However, I cannot for the life of me get outbound to work using my SES account. I tried generating an SMTP key on SES but can't find where to put it in Gsuite settings. I called Google and they said you need to put Google's SMTP settings into Amazon but I can't find that either... I just want to use Gsuite UI while having the emails sent out via my SES account.
On a smaller note, I'm having SPF verification issues too. I added "v=spf1 include:amazonses.com -all" on my Route 53 settings but it's saying "You are not allowed to use one of your sender email addresses" and throwing my emails into spam.
I'm not the most technical guy so a lot of it is learning as I go so any help would be appreciated.
Thank you all again!
Looks like you are not clear on where things should be.
Your MX records are only receiving incoming emails, you can use any number of outbound servers as long as you verify those ones.
Sending email via GSuite should work fine, since GSuite verifies all your identity with the DNS entries.
SES Process:
Verify your domain -- Follow the instructions given by SES to verify your domain.
Verify your from Email Addresses
This is essential: you are sending email, and if someone replies you should be able to receive the email back. In your GSuite, create an alias or new user to receive email at the address you want to use in From when you send your emails.
Verify your email address from SES and you will receive an email to your inbox and confirm your email address. You can also enable DKIM setting along with this process.
Apply to AWS Support that you are going to send production emails.
Now send emails using SES API,
http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SES.html#sendEmail-property
Using SMTP from gmail:
If you want to use SMTP from gmail, you can skip SES entirely.
Use the following packages, enter your gmail credentials and send email.
https://www.npmjs.com/package/nodemailer
https://www.npmjs.com/package/gmail-send
You can also search for other packages online to get the best that simplify your needs.
You also need to note that if you use gmail as your outbound email, there may be limits on how many emails you can send outbound.
Also with SES you cannot send spam or non-transactional emails without the consent of the user. Make sure you follow all those standards.
Hope it helps.

AWS Certificate Manager and Route 53 approve SSL certificates

I run a SaaS with multiple subdomains and with the option for customers to use their own domains too.
This means, that we host eg:
customer1.ourdomain.com
customer2.ourdomain.com
www.customer3.com
www.customer4.com
When creating a certificate through ACM, I have to confirm the new certificate for all domains, that's fair, as I can live with that.
But our customers can't live with confirming their domain every time we add a new certificate (since we still can't update/add domains to an existing cert.).
My question is, can I somehow intercept the mails that are being sent out when the domains have to be confirmed?
Of course I can't always get their mails, but just for e.g. hostmaster@customer3.com
The domains can be moved to Route 53 if needed, the customers usually have had them in a long time, hosted somewhere else. We usually just make a CNAME to our ELB.
How do other people deal with this?
Best regards, thanks in advance
Currently, you have two options here:
Firstly, AWS allows you to configure the base domain name to which you want the validation email to be sent. For instance, if you are requesting SSL for subdomains like *.customer1.ourdomain.com or *.customer2.ourdomain.com, you can specify ourdomain.com as the validation domain.
> Can I configure the email addresses to which the certificate approval
> request is sent? No, but you can configure the base domain name to
> which you want the validation email to be sent. The base domain name
> must be a superdomain of the domain name in the certificate request.
> For example, if you want to request a certificate for
> server.domain.example.com but want to direct the approval email to
> admin@domain.example.com, you can do so using the AWS CLI or API. See
> ACM CLI Reference and ACM API Reference for further details.
To enhance this process even further you can try the acmagent pip library to automate your SSL confirmation
pip install acmagent
Requesting SSL
$ acmagent request-certificate --domain-name '*.dev.example.com' --validation-domain example.com
12345678-1234-1234-1234-123456789012
Approving SSL
$ acmagent confirm-certificate --certificate-id 12345678-1234-1234-1234-123456789012
More examples can be found here.
The second option is to create an MX record in the hosted zone pointing to the SES service and use a Lambda function to parse the confirmation email body. I found an existing project that looks like it is doing this already: aws-acm-certificate-request-approver
Hopefully, that helps.
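The validation-domain option from this answer, as an added example (not code from the answer or from acmagent): it builds the arguments for boto3's acm.request_certificate, enforces the superdomain rule quoted above, and lists the mailboxes that would receive the approval mail. Function names are hypothetical, and the five local parts are the ones shown in the first question on this page.

```python
# Added example: build an email-validated ACM request with a validation domain.
# Function names are hypothetical; domains are the ones used on this page.

# Local parts of the five addresses listed in the first question on this page.
ADMIN_LOCAL_PARTS = ("admin", "administrator", "hostmaster",
                     "postmaster", "webmaster")


def is_superdomain(base, name):
    """True if base equals name or is a parent of it (wildcard label ignored)."""
    base = base.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == base or name.endswith("." + base)


def email_validation_request(domain, validation_domain, sans=()):
    """Keyword arguments for boto3 acm.request_certificate(**kwargs)."""
    names = [domain, *sans]
    for name in names:
        if not is_superdomain(validation_domain, name):
            raise ValueError(
                f"{validation_domain} is not a superdomain of {name}")
    kwargs = {
        "DomainName": domain,
        "ValidationMethod": "EMAIL",
        "DomainValidationOptions": [
            {"DomainName": n, "ValidationDomain": validation_domain}
            for n in names],
    }
    if sans:
        kwargs["SubjectAlternativeNames"] = list(sans)
    return kwargs


def approval_mailboxes(validation_domain):
    """Addresses that receive the approval mail for a validation domain."""
    return [f"{lp}@{validation_domain}" for lp in ADMIN_LOCAL_PARTS]
```

The superdomain check is why this option covers customer1.ourdomain.com but not www.customer3.com: for a customer-owned domain the approval mail can only go to mailboxes under customer3.com. Anyone who can read the listed mailboxes can approve certificates for the domain, so access to them should be restricted.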