I've deployed an AWS Gateway in eu-west-1 using regional mode which works fine directly using the generated hostname.
To enable a Custom Domain Name, I've created a certificate in us-east as per the note in the Custom Domain Name portal on the console:
To use your own domain name for an API and Stage, create a Custom Domain Name backed by an ACM certificate. Add Base Path Mappings to map a URL to an API and Stage. You can leave the path empty to use the root (no additional mappings will be allowed) and you can leave the Stage empty to specify it in the URL (e.g. www.example.com/my-base-path/MyStage). To use an ACM certificate with API Gateway, you must request or import the certificate in the US East (N. Virginia) region.
I've then created a Custom Domain Name and a CNAME record using the endpoint given in the Custom Domain Name portal.
When I then try to connect using my hostname, my browser correctly resolves the CNAME but I get an "Invalid certificate chain" error. The certificate returned is in fact for *.execute-api.eu-west-1.amazonaws.com.
This worked fine when I was using edge-based deployments.
Ignore the message in the console that the certificate needs to be deployed in us-east. That's only applicable to edge-based deployments.
For regional deployments, you must create the certificate via ACM in each region you're deploying to.
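The answer above gives two rules: the certificate must live in the API's own region for a regional endpoint (us-east-1 only for edge-optimized ones), and the symptom of getting it wrong is that the custom hostname serves the default *.execute-api.<region>.amazonaws.com certificate. The following added example (not code from the thread or from AWS) encodes the region rule and probes a hostname over TLS to report which DNS names the served certificate actually carries and whether they cover the hostname. The probe verifies the chain against system roots but does the name comparison itself, so a chain that is valid for the wrong name is reported instead of hidden behind an exception. Any hostname passed in is the caller's own; none from the thread is assumed.

```python
"""Check which certificate an API Gateway custom domain actually serves.

Added example, not from the thread. Run as a script with a hostname:
    python probe_custom_domain.py api.example.com
"""
import socket
import ssl
import sys

EDGE_CERT_REGION = "us-east-1"   # CloudFront's home region (edge-optimized domains)


def required_cert_region(endpoint_type: str, api_region: str) -> str:
    """Region in which the ACM certificate must live for this endpoint type."""
    kind = endpoint_type.upper()
    if kind == "EDGE":
        return EDGE_CERT_REGION          # edge-optimized: always us-east-1
    if kind == "REGIONAL":
        return api_region                # regional: same region as the API
    raise ValueError(f"unknown endpoint type: {endpoint_type!r}")


def san_dns_names(peer_cert: dict) -> list:
    """Pull the DNS names out of the subjectAltName tuples ssl.getpeercert() returns."""
    return [value for kind, value in peer_cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname: str, dns_names) -> bool:
    """RFC 6125-style comparison: a wildcard covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                       # e.g. ".execute-api.eu-west-1.amazonaws.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:        # exactly one label replaced the '*'
                return True
        elif name == host:
            return True
    return False


def probe_served_certificate(hostname: str, port: int = 443) -> dict:
    """Connect with SNI, verify the chain, and report whether the cert covers the name."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED against system roots
    ctx.check_hostname = False            # we compare names ourselves, see hostname_matches()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()      # parsed dict, only populated when the chain verified
    names = san_dns_names(cert)
    return {
        "hostname": hostname,
        "dns_names": names,
        "covers_hostname": hostname_matches(hostname, names),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "api.example.com"  # placeholder hostname
    try:
        report = probe_served_certificate(target)
    except (ssl.SSLError, OSError) as exc:
        print(f"{target}: TLS handshake failed: {exc}")
    else:
        verdict = "OK" if report["covers_hostname"] else "MISMATCH (default or wrong certificate served)"
        print(f"{target}: served names {report['dns_names']} -> {verdict}")
```

A result whose names are only `*.execute-api.<region>.amazonaws.com` is the situation in the question: the custom domain name was never attached to a certificate in the region that serves it, so API Gateway falls back to its default certificate.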
I have existing hosted zone and A record in AWS route 53. The A record is pointing to cloudfront distribution.
Let's say the hosted zone name is abcd.ci.example.io. The A record name is the same as the hosted zone name. I can access the web site at abcd.ci.example.io without any issue.
I also have an AWS API Gateway API with invoke URL https://xxxxx.execute-api.us-west-2.amazonaws.com/dev. I can access a particular API route from the browser using the invoke URL https://xxxxx.execute-api.us-west-2.amazonaws.com/dev/v1/healthcheck.
I want to assign a custom domain name to the invoke URL. So I created a new CNAME record in the hosted zone as api.abcd.ci.example.io and set the value to https://xxxxx.execute-api.us-west-2.amazonaws.com/dev.
But then when I try to access a route using https://api.abcd.ci.example.io/v1/healthcheck I get the error "This site can't be reached".
A simple command line ping to api.abcd.ci.example.io also returns the error "Ping request could not find host api.abcd.ci.example.io. Please check the name and try again."
Below is the list of records in the hosted zone. There are a couple of ACM validation records as well for both domains.
Before API Gateway will let you point your custom domain to it, you first have to set up the custom domain in API Gateway, which includes setting up the SSL certificate API Gateway will use for that custom domain.
Steps I've taken so far:
I've deployed a lambda function which got me to this endpoint https://#############.amazonaws.com/dev/{action} (using serverless)
I've set up a certificate with AWS Certificate Manager for my subdomain. Added the CNAME name & value to my DNS info at my domain name provider and after a while the certificate was issued.
I've set up AWS API Gateway -> Custom Domain names -> Added my subdomain and added an API mapping.
Now I'm stuck. I've tried several things:
A. DNS settings at my domain provider: Pointed a subdomain using a CNAME to the endpoint of the lambda function.
B. Looked at AWS Route 53 and tried several combinations... adding the domain and a subdomain / adding the subdomain directly, and tried to set the DNS settings for my subdomain at my domain provider to "aws route 53" with an A record / CNAME / IPs / TXT etc...
To assign a custom domain name to API Gateway, you should use an Alias record. Look here https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-api-gateway.html
But from what you've written I'm not sure if you created a Lambda function with a connected API Gateway or a Lambda with a function URL. The difference is well defined here https://www.serverless.com/blog/aws-lambda-function-urls-with-serverless-framework
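The two questions above fail in DNS before TLS is ever reached: one CNAME value is a full URL with a scheme and a /dev stage path, another points straight at the raw execute-api host or at the Lambda endpoint without an API Gateway custom domain in front, and the answers add that the zone apex needs an Alias record rather than a CNAME. The following added example (not code from the thread) is a small pre-flight check that takes the records as they would be typed into the console and reports exactly those mistakes. The record values in the sample are constructed, including the placeholder CloudFront domain name.

```python
"""Pre-flight checks for DNS records that front an API Gateway custom domain.

Added example, not from the thread. Targets and names below are constructed.
"""
import re
from dataclasses import dataclass

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# The default invoke host of an API, e.g. xxxxx.execute-api.us-west-2.amazonaws.com
EXECUTE_API_RE = re.compile(r"\.execute-api\.[a-z0-9-]+\.amazonaws\.com$", re.IGNORECASE)


@dataclass
class Record:
    name: str    # fully qualified record name as it appears in the zone
    rtype: str   # "CNAME" or "ALIAS" (Route 53 alias record)
    value: str   # the target exactly as typed into the console


def is_hostname(value: str) -> bool:
    """True if value is a syntactically valid multi-label host name."""
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def check_record(record: Record, zone_apex: str) -> list:
    """Return a list of human-readable findings; an empty list means the record looks sane."""
    findings = []
    name = record.name.rstrip(".").lower()
    apex = zone_apex.rstrip(".").lower()
    value = record.value.strip()

    if "://" in value:
        findings.append("target is a URL; a DNS target is a bare host name, drop the scheme")
        value = value.split("://", 1)[1]
    if "/" in value:
        findings.append("target carries a path (e.g. the /dev stage); stages belong in a "
                        "base path mapping, not in DNS")
        value = value.split("/", 1)[0]
    if not is_hostname(value):
        findings.append(f"target {value!r} is not a valid host name")
    elif EXECUTE_API_RE.search(value):
        findings.append("target is the default execute-api host; create the API Gateway custom "
                        "domain first and point DNS at the target domain it gives you")
    if record.rtype.upper() == "CNAME" and name == apex:
        findings.append("CNAME at the zone apex is not allowed; use a Route 53 alias record")
    return findings


def check_zone(records, zone_apex: str) -> dict:
    """Run check_record over a whole zone; keys are record names, values the findings."""
    return {r.name: check_record(r, zone_apex) for r in records}


if __name__ == "__main__":
    zone = "abcd.ci.example.io"
    sample = [  # constructed: the mistaken record from the question and a corrected one
        Record("api.abcd.ci.example.io", "CNAME",
               "https://xxxxx.execute-api.us-west-2.amazonaws.com/dev"),
        Record("api.abcd.ci.example.io", "CNAME", "d111111abcdef8.cloudfront.net"),
        Record("abcd.ci.example.io", "CNAME", "d111111abcdef8.cloudfront.net"),
    ]
    for rec in sample:
        problems = check_record(rec, zone)
        print(f"{rec.rtype} {rec.name} -> {rec.value}")
        for p in problems or ["looks fine"]:
            print(f"    {p}")
```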
I have an AWS API Gateway hosted in Mumbai (ap-south-1). I am trying to add a custom domain to the endpoint.
I created an ACM certificate in the same region and created a Custom Domain Name in the API Gateway. The API Gateway allowed me to use the ACM certificate only in the regionalised (ap-south-1) endpoint configuration and not the edge (us-east-1) optimised configuration. This results in a target domain in the format
*.ap-south-1.amazonaws.com
and not in the CloudFront format like
*.cloudfront.net
After creating the custom domain name (api.mydomain.com) I tried to add it to the hosted zone in Route 53.
When I try to Create Record Set using a target domain in the above format (*.ap-south-1.amazonaws.com), I am getting an error:
The record set could not be saved because:
- Alias Target contains an invalid value.
I tried creating the certificate in us-east-1 and creating an edge optimised endpoint. Here I got the CloudFront endpoint. But when I try to access the endpoint, I am getting a forbidden exception.
Found that we have to use the certificate from the us-east-1 (N. Virginia) region and get the CloudFront endpoint itself. I am not sure why they allow regional endpoints if they don't support them in Route 53.
For the forbidden error I was not using the correct url(used v1 in endpoint creation).
I have seen many posts on this topic, but I have not been able to resolve the issue, so I am posting my setup in case anyone knows what needs to be changed.
I have a domain purchased through Namecheap. I have set custom DNS and added 4 name servers generated by the hosted zone in AWS Route 53. DNS lookup through whois.net shows the correct values.
In Route 53, I have added an A record to the Alias Target xxxxxxxxxxxxxx.cloudfront.net. So the traffic hits Route 53 and goes to CloudFront.
In CloudFront, I have one distribution. As Alternate Domain Names (CNAMEs), I have the following values:
*.domain.com
www.domain.com
domain.com
Under origins, I have one record with the following Origin Domain Name:
domain.com.s3-website.az-name-1.amazonaws.com
I am hosting the website in an S3 bucket. All HTTP requests are set to redirect to HTTPS.
Lastly, I have created and verified a single certificate for the following domain names: domain.com, www.domain.com, *.domain.com
I have read some answers that I should just wait and the custom SSL certificate option will become enabled. It's been more than a day now, however, and there is no sign of that happening.
My website works, but the misconfigured certificate (using the default *.cloudfront.net) throws a warning popup in Safari, and worse, a warning page in Chrome which most people are not going to bypass.
To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.
http://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
CloudFront is not a regional service like most of the others. It's a global service with a single home region -- us-east-1. It can't see ACM certificates in any other region (you'd create certificates in other regions if you wanted to use them with Elastic Beanstalk or Elastic/Application Load Balancers).
From the description of what you observe, you didn't create the ACM certificate in us-east-1.
Create a new cert in us-east-1, and the option to use it should become available almost immediately in CloudFront.
I'm trying to set a CNAME on Cloudflare to point to an Amazon API Gateway endpoint. The CNAME is for use when referring to one of my subdomains. The gateway in turn points to the IP of a server on DigitalOcean. I am very new to Amazon web services and would appreciate if someone could give me an overview of the correct configuration for the DNS, Amazon Gateway and Cloudfront (which I think is needed to expose the gateway to DNS servers external to Amazon). Any help would be much appreciated.
UPDATE
I've been going at this for a while now and not making much progress. Does anyone have an idea if this is a viable approach or how else it might be done?
UPDATE2
I thought I needed to add the CNAME record to Cloudflare and just ended up in a redirect loop, observed by:
curl -L -i -v https://sub.mydomain.com/
NOTE: It seems this method doesn't work anymore as AWS now only accepts certificates from certain authorities. I haven't tested it myself, but the answer by Gunar looks promising.
There are several reasons why it doesn't work to simply point Cloudflare at your API Gateway domain and call it a day:
API Gateway uses shared hosting so it uses the domain name to figure out what API to send requests to. It has no way of knowing that api.yourdomain.com belongs to your API.
API Gateway requires that you use https, but the certificate that it uses is only valid for the default domain.
There is a solution, however. Here are the steps that I followed when I recently set this up:
Generate an origin certificate from the crypto tab of the Cloudflare dashboard.
Import the certificate to AWS Certificate Manager in the us-east-1 region, even if your API is located in a different region. If you are prompted for the certificate chain you can copy it from here.
Add your custom domain in the API Gateway console and select the certificate you just added. Check the AWS support article for more information on how to do this.
It usually takes about 45 minutes for the custom domain to finish initializing. Once it's done it will give you a new Cloudfront URL. Go ahead and make sure your API still works through this new URL.
Go to the Cloudflare DNS tab and set up a CNAME record pointing to the CloudFront URL you just created.
Switch to the crypto tab and set your SSL mode to "Full (Strict)". If you skip this step you'll get a redirect loop.
That's it. Enjoy your new highly available API served from your custom domain!
Set up Amazon's API Gateway Custom Domain with CloudFlare
In your AWS management console go to the API Gateway service and select Custom Domain Names from the left menu.
Click the Create button.
Log into CloudFlare, select your domain and open the Crypto tab.
Go to SSL and set your SSL mode to "Full (Strict)" to avoid a redirect loop.
Go to Origin Certificates and click Create Certificate.
Let CloudFlare generate a private key and a CSR and choose RSA as the private key type.
Make sure that the hostname for your custom API domain is covered (e.g. api.mydomain.com). You can specifically configure this custom domain or use a wildcard such as *.mydomain.com as is configured by default.
Pick PEM as the key format, which is selected by default.
In AWS switch to region US-EAST-1 and go to the Certificate Manager.
Click Import a Certificate.
Copy the certificate body from your CloudFlare certificate into the Certificate body field of the custom domain configuration in the AWS Management Console.
Copy the Private key into the certificate private key field in the console.
In the certificate chain field copy the Cloudflare Origin CA - RSA Root which can be found here.
Enter your custom domain name in the AWS console and a name for your certificate.
Now the custom domain name will be created in AWS CloudFront. It can take up to an hour before the domain becomes active.
The next thing you need to do is set up the mappings of the custom domain in the AWS Console.
The final step is to create a new CNAME Record in CloudFlare to link your domain to the CloudFront URL. When you open the settings page of your custom domain in the AWS console copy the Distribution domain name. This is the domain you need to use when creating the new CNAME Record.
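Both Cloudflare walkthroughs above end with the same manual step: the ACM import form wants the leaf certificate, the private key and the chain in three separate fields, while what you hold is usually one PEM bundle plus a key file, and pasting the whole bundle into the body field or an encrypted key into the key field is a common way for the import to be refused. The following added example (not code from the thread, from Cloudflare or from AWS) splits a PEM bundle into those three fields with the standard library alone and refuses the cases the form cannot accept. The certificate and key blocks it is run on are constructed stand-ins, not real certificates, so it checks PEM structure only; it cannot verify that each chain certificate actually issued the one before it.

```python
"""Split a PEM bundle into the three fields of ACM's 'Import a certificate' form.

Added example, not from the thread. The sample blocks below are constructed
placeholders with dummy base64 bodies, not real certificates or keys.
"""
import re

# One PEM block: the END label must repeat the BEGIN label.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text: str) -> list:
    """Return (label, block_text) pairs for every PEM block, in file order."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK_RE.finditer(text)]


def split_for_acm_import(bundle_text: str, private_key_text: str) -> dict:
    """Map a bundle and a key file onto ACM's Certificate / CertificateChain / PrivateKey fields.

    Assumes the bundle is ordered leaf first, as Cloudflare and most issuers emit it;
    issuer/subject linkage is not verified here (that needs a DER parser).
    """
    certs = [blk for label, blk in pem_blocks(bundle_text) if label == "CERTIFICATE"]
    keys = [(label, blk) for label, blk in pem_blocks(private_key_text)
            if label.endswith("PRIVATE KEY")]

    if not certs:
        raise ValueError("no CERTIFICATE block found in the bundle")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    key_label, key_block = keys[0]
    if key_label.startswith("ENCRYPTED"):
        raise ValueError("ACM import requires an unencrypted private key")

    return {
        "Certificate": certs[0],                          # leaf only
        "CertificateChain": "\n".join(certs[1:]) or None,  # intermediates/root, if any
        "PrivateKey": key_block,
    }


# Constructed sample input: two fake certificate blocks and one fake key block.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBleafleafleafLEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBchainchainchainCHAIN
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN PRIVATE KEY-----
MIIEkeykeykeyKEY
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    fields = split_for_acm_import(SAMPLE_BUNDLE, SAMPLE_KEY)
    for field_name, content in fields.items():
        lines = content.count("\n") + 1 if content else 0
        print(f"{field_name}: {lines} line(s)")
```

Paste the three values into the matching console fields (or pass them as the corresponding parameters of the ACM import API) rather than the raw bundle; when the chain is missing because the issuer emitted only the leaf, that is the point at which the walkthroughs above have you fetch the Origin CA root separately.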
I couldn't get any of the other answers to work. So I ended up having AWS generate the certificate instead of using a Cloudflare Origin one. That's because AWS wouldn't accept my Cloudflare certificate, even when the chain was provided. I couldn't see Cloudflare in Mozilla's Certificate Authority list (which is what AWS relies on, according to the docs) so I guess that makes sense.
Here's the outline of my solution:
1. Create AWS Route53 Zone
2. Create AWS ACM Certificate (must be in us-east-1) with validation method DNS
3. Create Cloudflare DNS Record with the output of (2)
4. Create AWS API Gateway Domain Name
5. Create Cloudflare DNS CNAME Record pointing '#' (root domain) to the Cloudfront domain name from step (4)
6. Create AWS API Gateway Base Path Mapping
This should be roughly it. May this help someone. Feel free to ask questions.
Both existing answers to this question are correct, but if the issue still persists even after following these directions perfectly, try going into the API Gateway settings, navigate to "Custom Domain Name" and configure the Base Path Mappings.
This was the missing step that solved all my problems.