I need to update/delete my certificate in AWS Certificate Manager. However, when I try to do so, it says my certificate is being used by
Associated resources
arn:aws:cloudfront::<my-user-id>:distribution/ABC
However, when I navigate to the CloudFront section, there is no CloudFront distribution with that ARN.
Has anyone experienced something similar and knows how to resolve this issue?
I am posting this here to help others facing this problem as I could not find any useful information on the web.
If you have mapped your ACM certificate to an endpoint (EC2, ELB, EKS service, whatever), you will need to enable
CertificateTransparencyLoggingPreference
Otherwise you will get:
NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
in Chrome. To do this via the aws-cli, the command is:
aws acm update-certificate-options --certificate-arn <ARN of ACM certificate> --options CertificateTransparencyLoggingPreference=ENABLED
I have provided the full response from AWS support as the answer, as this contains even more information.
This is Vivek from the AWS Containers team. I will assist you on this case.
From the case description, I understand that you requested an ACM certificate and created an ELB (service load balancer) behind which you are running nginx pods in EKS cluster example-EKS-CLUSTER-dev. When accessing the site https://test-aws.example.co/ from the browser you are getting the error below:
Error: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
You would like to use a third party CA such as Let's Encrypt to issue a free SSL certificate for your domains. You do not want to move the domain to Route53. You wish to know how to do this and achieve https. Please let me know if my understanding is correct.
Regarding the error ERR_CERTIFICATE_TRANSPARENCY_REQUIRED, this error is thrown by the Chrome browser when it cannot find CT (certificate transparency) logs. For Google Chrome to trust the certificate, all issued or imported certificates must have the SCT information embedded in them. By default ACM logs all new and renewed certificates. However, it provides an option to opt out from the AWS API or CLI. You may find more about this on link [1].
I checked the load balancer mapped to the domain "test-aws.example.co". It is mapped to ELB abce6962e05794f36a23435db3f1837d-1755308045.eu-west-2.elb.amazonaws.com, which uses ACM certificate arn:aws:acm:eu-west-2:150737547637:certificate/f932b11d-af17-4023-be41-045c6fcc5e86. I checked this certificate and found that the option "CertificateTransparencyLoggingPreference" is disabled. You may enable transparency on the certificate to fix the issue by running the following command:
aws acm update-certificate-options --certificate-arn --options CertificateTransparencyLoggingPreference=ENABLED
Once the certificate is updated with CertificateTransparencyLoggingPreference as enabled, the issue will resolve, i.e. you should no longer receive the error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED when accessing the site over https.
Regarding your other query, i.e. how to use a third party certificate such as LetsEncrypt with ELB for https, you may obtain the desired certificate (get it issued from the desired CA) and import it in ACM or IAM. Once the third party certificate is imported in ACM/IAM, it can be associated with the https listener of the ELB similar to how you associate a certificate issued by ACM (by using the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert in the service definition yaml with the ARN of the imported certificate as the value). Please find the steps to import a certificate in ACM on link [2]. The steps to import a certificate in IAM can be found on [3].
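To check what Chrome actually sees, look at the leaf certificate the load balancer serves and count the SCTs embedded in it. The script below is an added example for this thread (not AWS code, and not the support engineer's): it uses only the Python standard library, fetches the leaf for a hostname given on the command line, and otherwise runs against a constructed, unsigned sample so the parser can be exercised offline. All function names and the sample are mine.

```python
"""Count the SCTs (RFC 6962 "CT Precertificate SCTs" extension) embedded in a
served X.509 certificate. Added example, stdlib only; runs offline against a
constructed sample when no host is given."""
import ssl
import sys

# DER content bytes of OID 1.3.6.1.4.1.11129.2.4.2 (embedded SCT list).
SCT_LIST_OID = bytes.fromhex("2b06010401d679020402")


def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def _children(buf):
    """Decode all sibling TLVs inside a constructed value."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        items.append((tag, value))
    return items


def find_sct_extension(der):
    """Depth-first walk of the certificate looking for an Extension of the form
    SEQUENCE { OID sct-list, [BOOLEAN critical], OCTET STRING value }.
    Returns the OCTET STRING contents or None if the extension is absent."""
    stack = [der]
    while stack:
        try:
            items = _children(stack.pop())
        except (ValueError, IndexError):
            continue  # a constructed-looking blob that is not valid DER
        if len(items) >= 2 and items[0] == (0x06, SCT_LIST_OID) and items[-1][0] == 0x04:
            return items[-1][1]
        stack.extend(value for tag, value in items if tag & 0x20)  # descend into constructed types
    return None


def sct_count(der):
    """Number of embedded SCTs (0 if the extension is missing). The extension
    wraps a TLS SignedCertificateTimestampList in an OCTET STRING: a uint16
    total length followed by uint16-length-prefixed SCTs."""
    ext = find_sct_extension(der)
    if ext is None:
        return 0
    tag, tls_list, _ = _read_tlv(ext, 0)
    if tag != 0x04:
        raise ValueError("SCT extension value is not an OCTET STRING")
    body = tls_list[2:2 + int.from_bytes(tls_list[:2], "big")]
    count, pos = 0, 0
    while pos < len(body):
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")
        count += 1
    return count


def fetch_leaf_der(host, port=443):
    """Fetch the leaf certificate presented for `host` (sent as SNI) as DER."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def _der(tag, content):
    """Minimal DER encoder, only used to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_certificate(n_scts):
    """Constructed, unsigned stand-in with the outer Certificate shape (tbs,
    signatureAlgorithm, signature) and an extensions block holding keyUsage
    plus, when n_scts > 0, an SCT list of n_scts dummy 40-byte SCTs.
    Not a real certificate; it only exercises the walker above."""
    key_usage = _der(0x30, _der(0x06, bytes.fromhex("551d0f")) + _der(0x04, _der(0x03, b"\x05\xa0")))
    exts = [key_usage]
    if n_scts:
        scts = b"".join(b"\x00\x28" + bytes([i]) * 40 for i in range(n_scts))
        tls_list = len(scts).to_bytes(2, "big") + scts
        exts.append(_der(0x30, _der(0x06, SCT_LIST_OID) + _der(0x04, _der(0x04, tls_list))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0xA3, _der(0x30, b"".join(exts))))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 17))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    der = fetch_leaf_der(host) if host else sample_certificate(2)
    print(f"{host or 'sample'}: {sct_count(der)} embedded SCT(s)")
```

Run it as `python sct_check.py test-aws.example.co` against the live listener, or with no argument to run it on the built-in sample. Chrome's CT policy wants more than one SCT from independent log operators, so a count of one is still not enough; a count of zero on the live host means the listener is serving a certificate that was issued with logging opted out.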
I've got one certificate in ACM which was previously used for having a custom domain at an API Gateway. As I learned here, AWS creates some resources at an internal AWS Account like ELBs which will be attached to the Certificate.
Issue with this is: I deleted the custom domain name & even the API Gateway itself and checked that there are no other resources attached. Still I can't remove the certificate because it's marked as in use:
Associated resources
arn:aws:elasticloadbalancing:eu-central-1:<other-account-id>:loadbalancer/app/prod-fra-1-cdtls-1-2-108/8b1...
arn:aws:elasticloadbalancing:eu-central-1:<other-account-id>:loadbalancer/app/prod-fra-1-cdtls-1-2-120/fbc...
arn:aws:elasticloadbalancing:eu-central-1:<other-account-id>:loadbalancer/app/prod-fra-1-cdtls-1-2-139/6d4...
There are a lot of threads on the AWS forums where the issue was mostly resolved due to the fact that the custom domain name really was not deleted but hidden, because the API Gateway was deleted previously and the sidebar is therefore not visible to access the custom domain names. Not the case here.
Are there any tricks to resolve this besides contacting AWS Support? The issue has existed for more than a few days, so I guess it won't resolve itself.
You can assign AWS ACM certificates to Custom Domain Names in AWS API Gateway. These load balancers are not part of your own AWS Account but are hosted by AWS, hence the other-account-id.
Remove the Custom Domain Name or update the Endpoint configuration so it's using another ACM certificate ARN.
Unlike #tpschmidt, I didn't delete my API Gateway, so I don't know if this solution will work for him.
What worked for me was:
Create in API Gateway a temporary new custom domain name, being sure to associate it with the certificate you want to delete.
Delete the very same custom domain name. This presumably forces API Gateway to check if it should also delete the certificate association, which will take a few minutes, and you won't see any progress indicator, so be patient.
Now you can delete the certificate in AWS Certificate Manager.
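The workaround above, scripted: an added example for this thread (not AWS code and not either answerer's) that uses boto3 for the AWS calls. The certificate ARN and the throwaway domain name are placeholders you pass in. The ARN helpers need neither boto3 nor credentials; `foreign_associations` shows how to tell the AWS-managed associations (a different account id in the InUseBy ARN, as in the listing in the question) from resources in your own account, and `domain_name_args` carries the us-east-1 rule for EDGE domains.

```python
"""Release an ACM certificate that ACM still reports "in use" by AWS-managed
resources, then delete it. Added example; the ARN helpers run offline."""
import time

try:
    import boto3  # only needed for release_certificate()
except ImportError:
    boto3 = None


def parse_arn(arn):
    """Split an ARN into (partition, service, region, account, resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return tuple(parts[1:])


def foreign_associations(in_use_by, own_account):
    """ARNs from ACM's InUseBy list that belong to another account.

    API Gateway custom domains attach the certificate to load balancers (or
    CloudFront distributions) that AWS runs in its own accounts; they never
    appear in your console, so they cannot be detached by hand."""
    return [arn for arn in in_use_by if parse_arn(arn)[3] not in ("", own_account)]


def domain_name_args(domain, cert_arn, endpoint_type="REGIONAL"):
    """Arguments for apigateway.create_domain_name. EDGE domains take the
    certificate via certificateArn and only accept us-east-1 certificates;
    REGIONAL domains use regionalCertificateArn in the API's own region."""
    region = parse_arn(cert_arn)[2]
    if endpoint_type == "EDGE":
        if region != "us-east-1":
            raise ValueError("EDGE custom domains need an ACM certificate in us-east-1")
        cert_key = "certificateArn"
    elif endpoint_type == "REGIONAL":
        cert_key = "regionalCertificateArn"
    else:
        raise ValueError(f"unknown endpoint type {endpoint_type!r}")
    return {"domainName": domain, cert_key: cert_arn,
            "endpointConfiguration": {"types": [endpoint_type]}}


def release_certificate(cert_arn, temp_domain, endpoint_type="REGIONAL",
                        poll_seconds=30, timeout_seconds=1800):
    """Create and immediately delete a throwaway custom domain bound to
    cert_arn so API Gateway re-evaluates the association, wait for InUseBy to
    drain, then delete the certificate.

    Returns the ARNs still holding the certificate (empty on success)."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for the AWS calls")
    region = parse_arn(cert_arn)[2]
    acm = boto3.client("acm", region_name=region)
    apigw = boto3.client("apigateway", region_name=region)

    apigw.create_domain_name(**domain_name_args(temp_domain, cert_arn, endpoint_type))
    apigw.delete_domain_name(domainName=temp_domain)

    deadline = time.monotonic() + timeout_seconds
    while True:
        cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
        in_use = cert.get("InUseBy", [])
        if not in_use:
            acm.delete_certificate(CertificateArn=cert_arn)
            return []
        if time.monotonic() > deadline:
            return in_use  # still held; the release did not happen in time
        time.sleep(poll_seconds)


if __name__ == "__main__":
    import sys  # usage: release.py <certificate-arn> <temporary-domain-name>
    left = release_certificate(sys.argv[1], sys.argv[2])
    print("deleted" if not left else "still in use by:\n  " + "\n  ".join(left))
```

The endpoint type defaults to REGIONAL because the ARNs in the question are load balancers in eu-central-1, which is what a regional custom domain leaves behind; pass `EDGE` for a us-east-1 certificate that was used with an edge-optimized domain.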
I'm creating a CloudFront distribution for an S3 bucket. I successfully created it and mapped the DNS. Now I want to use HTTPS for the DNS.
I created a cert via ACM, but the cert is not appearing in the CloudFront Custom SSL page.
Any ideas why?
I was able to accomplish the task; however, this is not the answer to the question.
I pasted the certificate ARN into the Custom SSL field and updated the CloudFront distribution. This way, I was able to add SSL to my custom domain. However, my certificate still does not appear in the drop-down menu.
Please verify whether the certificate is created in the us-east-1 region. CloudFront can only use certificates that are created in that specific region.
I'm trying to set a CNAME on Cloudflare to point to an Amazon API Gateway endpoint. The CNAME is for use when referring to one of my subdomains. The gateway in turn points to the IP of a server on DigitalOcean. I am very new to Amazon web services and would appreciate if someone could give me an overview of the correct configuration for the DNS, Amazon Gateway and Cloudfront (which I think is needed to expose the gateway to DNS servers external to Amazon). Any help would be much appreciated.
UPDATE
I've been going at this for a while now and not making much progress. Does anyone have an idea if this is a viable approach or how else it might be done?
UPDATE2
I thought I needed to add the CNAME record to Cloudflare and just ended up in a redirect loop, observed by:
curl -L -i -v https://sub.mydomain.com/
NOTE: It seems this method doesn't work anymore as AWS now only accepts certificates from certain authorities. I haven't tested it myself, but the answer by Gunar looks promising.
There are several reasons why it doesn't work to simply point Cloudflare at your API Gateway domain and call it a day:
API Gateway uses shared hosting so it uses the domain name to figure out what API to send requests to. It has no way of knowing that api.yourdomain.com belongs to your API.
API Gateway requires that you use https, but the certificate that it uses is only valid for the default domain.
There is a solution, however. Here are the steps that I followed when I recently set this up:
Generate an origin certificate from the crypto tab of the Cloudflare dashboard.
Import the certificate to AWS Certificate manager in the us-east-1 region, even if your API is located in a different region. If you are prompted for the certificate chain you can copy it from here.
Add your custom domain in the API Gateway console and select the certificate you just added. Check the AWS support article for more information on how to do this.
It usually takes about 45 minutes for the custom domain to finish initializing. Once it's done it will give you a new Cloudfront URL. Go ahead and make sure your API still works through this new URL.
Go to the Cloudflare DNS tab and setup a CNAME record pointing to Cloudfront URL you just created.
Switch to the crypto tab and set your SSL mode to "Full (Strict)". If you skip this step you'll get a redirect loop.
That's it. Enjoy your new highly available API served from your custom domain!
Set up Amazon's API Gateway Custom Domain with CloudFlare
In your AWS management console go to the API Gateway service and select Custom Domain Names from the left menu.
Click the Create button.
Log into CloudFlare, select your domain and open the Crypto tab
Go to SSL and set your SSL mode to "Full (Strict)" to avoid a redirect loop.
Go to Origin Certificates and click Create Certificate
Let CloudFlare generate a private key and a CSR and choose RSA as the private key type
Make sure that the hostname for your custom API domain is covered (e.g. api.mydomain.com). You can specifically configure this custom domain or use a wildcard such as *.mydomain.com, as is configured by default.
Pick PEM as the key format which is selected by default.
In AWS, switch to region us-east-1 and go to the Certificate Manager.
Click Import a Certificate.
Copy the certificate body from your CloudFlare certificate into the Certificate body field of the custom domain configuration in the AWS Management Console.
Copy the private key into the certificate private key field in the console.
In the certificate chain field, paste the Cloudflare Origin CA - RSA Root, which can be found here.
Enter your custom domain name in the AWS console and a name for your certificate
Now the custom domain name will be created in AWS CloudFront. It can take up to an hour before the domain becomes active.
The next thing you need to do is set up the mappings of the custom domain in the AWS Console.
The final step is to create a new CNAME Record in CloudFlare to link your domain to the CloudFront url. When you open the settings page of your custom domain in the AWS console copy the Distribution domain name. This is the domain you need to use when creating the new CNAME Record.
I couldn't get any of the other answers to work. So I ended up having AWS generate the certificate instead of using a Cloudflare Origin one. That's because AWS wouldn't accept my Cloudflare certificate, even when the chain was provided. I couldn't see Cloudflare in Mozilla's Certificate Authority list (which is what AWS relies on, according to the docs) so I guess that makes sense.
Here's the outline of my solution:
Create AWS Route53 Zone
Create AWS ACM Certificate (must be in us-east-1) with validation method DNS
Create Cloudflare DNS Record with the output of (2)
Create AWS API Gateway Domain Name
Create Cloudflare DNS CNAME Record pointing '#' (root domain) to the Cloudfront domain name from step (4)
Create AWS API Gateway Base Path Mapping
This should be roughly it. May this help someone. Feel free to ask questions.
Both existing answers to this question are correct, but if the issue still persists even after following these directions perfectly, try going into the API Gateway settings, navigate to "Custom Domain Name" and configure the Base Path Mappings.
This was the missing step that solved all my problems.
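The procedure from the answers above, done with boto3 instead of the two consoles: an added example, not Cloudflare's or AWS's code and not any answerer's. It pre-flights the three PEM files, imports them into ACM in us-east-1, creates the EDGE custom domain in the API's own region, adds the base path mapping that the last answer calls out, and returns the CloudFront hostname to use as the CNAME target. File paths, the REST API id, the stage name and the API region are placeholders; the PEM pre-flight helpers run offline with no credentials.

```python
"""Publish an API Gateway custom domain backed by an imported certificate
(e.g. a Cloudflare Origin certificate). Added example; boto3 only for AWS calls."""
import re

try:
    import boto3  # only needed for publish_custom_domain()
except ImportError:
    boto3 = None

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
PRIVATE_KEY_LABELS = ("RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY")


def pem_labels(pem):
    """Labels of every PEM block in the input, in order."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(pem)]


def check_import_material(cert_pem, key_pem, chain_pem=b""):
    """Pre-flight the files before ACM ImportCertificate. Returns a list of
    problems; an empty list means ready to import. ACM wants exactly one leaf,
    one unencrypted PEM private key, and an optional chain of CA certificates."""
    problems = []
    if pem_labels(cert_pem) != ["CERTIFICATE"]:
        problems.append("certificate body must be exactly one CERTIFICATE block")
    key_labels = pem_labels(key_pem)
    if len(key_labels) != 1 or key_labels[0] not in PRIVATE_KEY_LABELS:
        problems.append("private key must be a single PEM private key block")
    elif b"ENCRYPTED" in key_pem:  # legacy "Proc-Type: 4,ENCRYPTED" header
        problems.append("ACM does not accept passphrase-protected private keys")
    if chain_pem:
        chain_labels = pem_labels(chain_pem)
        if not chain_labels or any(label != "CERTIFICATE" for label in chain_labels):
            problems.append("chain may only contain CERTIFICATE blocks")
    return problems


def publish_custom_domain(domain, cert_pem, key_pem, chain_pem, rest_api_id,
                          stage, api_region, base_path=""):
    """Import into ACM in us-east-1 (the only region EDGE domains and CloudFront
    accept), create the EDGE custom domain in the API's region, map the stage
    onto it and return the CloudFront hostname for the DNS CNAME."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for the AWS calls")
    problems = check_import_material(cert_pem, key_pem, chain_pem)
    if problems:
        raise ValueError("; ".join(problems))

    acm = boto3.client("acm", region_name="us-east-1")
    import_kwargs = {"Certificate": cert_pem, "PrivateKey": key_pem}
    if chain_pem:
        import_kwargs["CertificateChain"] = chain_pem
    cert_arn = acm.import_certificate(**import_kwargs)["CertificateArn"]

    apigw = boto3.client("apigateway", region_name=api_region)
    created = apigw.create_domain_name(
        domainName=domain,
        certificateArn=cert_arn,
        endpointConfiguration={"types": ["EDGE"]},
    )
    # Without a base path mapping the domain exists but serves no API.
    apigw.create_base_path_mapping(
        domainName=domain, basePath=base_path, restApiId=rest_api_id, stage=stage
    )
    return created["distributionDomainName"]


if __name__ == "__main__":
    import sys  # usage: publish.py <domain> <cert.pem> <key.pem> <chain.pem> <api-id> <stage> <api-region>
    domain, cert_path, key_path, chain_path, api_id, stage, region = sys.argv[1:8]
    read = lambda path: open(path, "rb").read()
    print(publish_custom_domain(domain, read(cert_path), read(key_path),
                                read(chain_path), api_id, stage, region))
```

Point the Cloudflare CNAME for the hostname at the returned distribution domain and keep SSL mode at Full (Strict); the custom domain itself can take up to an hour to become active, as the answers note.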
For testing purposes, would it be possible to create a certificate without a domain name? http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
According to the above documentation I can, "if you don't own a domain name, you can still use HTTPS with a self-signed certificate for development and testing purposes," but I can't seem to figure out how exactly to go about doing so.
Further research tells me I can assign a SSL Certificate ID: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html
But when I followed the directions, my dropdown for the SSL certificate ID was empty. I figured I would need to create and upload a certificate first.
I have found this documentation concerning the creation of an SSL certificate: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl.html
After following the instructions, I can't seem to upload the certificate on the EC2 instance. This is the documentation I am following to upload the SSL certification, http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl-upload.html
I keep receiving this error when I try to upload it from the EC2 instance:
A client error (AccessDenied) occurred when calling the UploadServerCertificate operation: User: arn:aws:sts::172656543253:assumed-role/aws-elasticbeanstalk-ec2-role/i-62a85ce6 is not authorized to perform: iam:UploadServerCertificate on resource: arn:aws:iam::172656543253:server-certificate/elastic-beanstalk-x509
I'm guessing it has something to do with IAM roles, but I'm not entirely sure and don't really know where to begin. Any help would be appreciated. Thank you.
Please see this SO answer for one way to enable https for elastic beanstalk. (In the AWS Management Console for EC2 under 'Load Balancers'-> Listeners add the certificate to be able to use it within Elastic Beanstalk.)
Now that AWS has support for ACM in all regions it's much easier to get it working because you only need to create a certificate and then reference it. ACM certificates are usually only available in the region they were issued.
Unfortunately I have nothing to add to your main question concerning SSL without a domain name.