AWS API gateway refuses to allow me to associate a custom domain to a certificate. However, it allowed me to associated the certificate just fine to another domain. The certificate is a wildcard cert. A picture is worth a thousand words:
On April 2019, There is some enhancement for CloudFront about the security for adding alternate domain names to a distribution.
It seems that the self-signed certificate is not allowed after the enhancement.
Amazon CloudFront enhances the security for adding alternate domain names to a distribution
The certificate must be valid and come from a publicly trusted Certificate Authority like AWS Certificate Manager which provides public SSL/TLS certificates for free.
Related
So, I've been trying to add my own domain to AWS API Gateway, but cannot add an ACM certificate. Even though I was issued a certificate from the AWS Certificate Manager, I can’t select it from the “Choose a certificate” drop-down selector. It only says “No certificates in eu-west-3 match the domain name you entered”.
Within the AWS Certificate Manager, I see that the status is ”Issued”. What am I doing wrong here? I must be missing something.
Information that might be useful:
Domain was bought through Google
The ARN of the certificate contains arn:aws:acm:eu-west-3:…. Also the url of both the API gateway and Certificate Manager console contains eu-west-3
The domain I want to use in API Gateway was pasted from the certificate domain field to avoid any typos.
For what is worth, the domain I want to use is actually a subdomain.
Thanks!!
When issuing the ACM, did you also enter subdomain in the list? Also, its really helpful to issue wild card ACM for domain. eg -
main domain - mydomain.com
sub domain - my.subdomain.com
wild card - *.mydomain.com
With wild card you can map it to any sub domain.
Usually, whenever issuing SSL, it's good to include wildcard asking with main domain. If main domain has different SSL, new wildcard for subdomain should not impact it.
I try to configure https on ALB with default amazon subdomain: some-unique-path.elb.amazonaws.com
The problem is that I can't find how to generate the ssl certificate for this domain: Amazon Certificate Manager does not allow to generate certificates for amazonaws subdomains.
Is there any way to make it without buying custom domain and configuring it for ALB?
To use ACM you must have domain which you control. From docs:
Before the Amazon certificate authority (CA) can issue a certificate for your site, AWS Certificate Manager (ACM) must verify that you own or control all of the domain names that you specified in your request.
There are some free domain providers which you could maybe use, but you have to have domain under your control. You can't use some-unique-path.elb.amazonaws.com, because this is AWS-owned domain and you have no rights to it.
I am very new to this and struggling to understand AWS.
I had a single domain foo.mydomain.com. This was registered in Route53. And there was a certificate in AWS Certificate Manager that mapped to it.
Now I have two domains foo.mydomain.com & bar.mydomain.com. I have registered the latter in Route53. And I have requrested and received a new certificate from AWS Certificate Manager. This one maps to both domains (via the "additional names" property).
How can I simply disable the old certificate and enable the new certificate?
I want the values for In use? above to be swapped.
You need to go to the services where you are utilizing these certificates (Load Balancers, CloudFront distributions or API Gateways) and change the certificate they are using there.
AWS Certificate Manager manages the SSL/TLS certificates. In general certificates are configured and consumed on the services like ALB (application load balancer), API Gateway, Virtual Machine, Cloudfront etc. If you would like to update the certificate, modify the configuration on one of the above services as applicable in your case. While changing configuration you have to choose the right certificate from ACM. Once update is successful you will see the status in ACM.
Here is an AWS documentation explains how to install/Update SSL Certificates:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html
I am new on terms of every aspect of SSL certificate.
I have a architecture, where Route53 routes traffic to Load balance.
We are moving to production and we have to implement SSL certification to handle https traffic.
Where should i position the certificate in the architecture?
While searching i sow AWS Certificate Manager.
I am wondering how is it different ?
And when i buy a certificate can i use a single certificate with different account?
(Example: can i have same certificate set up for Staging and multiple production environment)
You can use the ACM to generate certifications for you.
It's totally free, if it's a public certificate, and will automatically renew when it expires.
But some security teams will require you to upload a more advanced certificate than ACM generates for you, in this case, you can buy the certificate and upload it in the ACM service. Keep in mind that it won't renew automatically and when it expires you will have to upload a new certificate.
Where should I position the certificate in the architecture?
It depends on your security requirements, but it's totally fine to create an HTTPS commutation between Client and Load Balancer, and an HTTP communication between Load Balancer and Server. In this case, you will only need a public certificate generated by ACM.
If your security requirements need to create a secure communication end-to-end (e.g. HTTPS communication between LoadBalancer and Server), you will need to install the same private certificate in all servers and upload your private certificate in ACM.
While searching I sow AWS Certificate Manager. I am wondering how is it different ?
The only difference is that you don't need no buy a certificate if you only use in Load Balancers / API Gateway, etc but if you want to download the certificate to install in your on-premise Load Balancer or in the servers, you will have to pay $400 for each certificate.
And when I buy a certificate can I use a single certificate with a different account? (Example: can I have the same certificate set up for Staging and multiple production environments)
Yes, you can. But keep in mind that you will need to create a wildcard certificate to support multiple DNS names.
The preferred service to use is AWS ACM.
You can either upload your own certificate (i.e. purchase it then upload) or have AWS generate and manage it for you.
If you let ACM manage and generate it will regenerate ahead of its expiry and handle the rotation on each attached resource.
It is important to note that an ACM certificate can only be bound to the following resources for HTTP traffic:
ELB
CloudFront
API Gateway
Once it is connected to these you can use SSL offloading (the TLS connection is terminated at the resource rather than the instance) to connecting to the backend resources over plain HTTP.
You should be aware that if you want to serve traffic directly from an EC2 you will not be able to use ACM public CA and instead would limited to one of the following:
Buy certificate and deploy to all servers
Use a service like certbot on each server
In addition you can use certificates that are hosted in IAM but this is considered legacy with less features than ACM.
AWS Certificate manager isn't allowing me to add a 2 level wildcard domain name, which would match x.a.example.com, y.b.example.com etc.
Is there a workaround for this? (instead of creating *.a.example.com, *.b.example.com etc)
Source: http://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html
Wildcard Names ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can
protect several sites in the same domain. For example, *.example.com
protects www.example.com and images.example.com.
Note: When you request a wildcard certificate, the asterisk (*) must
be in the leftmost position of the domain name and can protect only
one subdomain level. For example, *.example.com can protect
login.example.com and test.example.com, but it cannot protect
test.login.example.com. Also note that *.example.com protects only the
subdomains of example.com, it does not protect the bare or apex domain
(example.com). However, you can request a certificate that protects a
bare or apex domain and its subdomains by specifying multiple domain
names in your request. For example, you can request a certificate that
protects example.com and *.example.com.
Unfortunately this is not possible/supported.
You can have Subject Alternative Names or SANs in the certificate for named domains: https://geekflare.com/san-ssl-certificate/
Certificate Signing Request or CSR generation would be something like this:
openssl req -new -key my.key -out my.csr -subj "/CN=*.domain.com" -addext "subjectAltName=DNS:one.complex.domain.com,DNS:completely.another.domain.com"
More details here: https://stackoverflow.com/a/16127802/339052
For those who are having issues for multiple sub domain in their certificate.
Source: https://aws.amazon.com/premiumsupport/knowledge-center/associate-ssl-certificates-cloudfront/
You can't associate more than one SSL or Transport Layer Security (TLS) certificate to an individual CloudFront distribution. However, certificates provided by AWS Certificate Manager (ACM) support up to 10 subject alternative names, including wildcards. To enable SSL or HTTPS for multiple domains served through one CloudFront distribution, assign a certificate from ACM that includes all the required domains.
To use your own SSL certificate for multiple domain names with CloudFront, import your certificate into ACM or the AWS Identity and Access Management (IAM) certificate store. For instructions, see Importing an SSL/TLS Certificate.