
Questions tagged with AWS Certificate Manager


ACM Cert Renewal Problem when GoDaddy is the Registrar

I recently received an email from AWS saying that my cert was about to expire and that, since I had email validation turned on, they had sent me a separate email with a link to verify renewal. I never received the separate email. My domain is hosted on Route 53, but GoDaddy is the registrar. I finally figured out that, since ACM uses the email addresses in the WHOIS records as the authoritative email addresses for validating cert renewals, it doesn't work with certain GoDaddy domain configurations. At GoDaddy, I had their privacy features turned on. I finally figured out that GoDaddy has stopped putting valid email addresses into WHOIS records and instead puts links to the GoDaddy web site in those WHOIS fields. That means that any emails sent from ACM will never arrive or will silently fail to send. I worked around the problem by briefly turning off domain privacy at GoDaddy, then having ACM resend the emails, then turning privacy back on. But as long as GoDaddy doesn't write valid email addresses in the WHOIS records, ACM email validation won't work for domains registered at GoDaddy ***that have privacy turned on***. This is actually a GoDaddy bug, but it bites anyone who is hosting their zone at Route 53 and using ACM certs. In the past, GoDaddy would write a valid email address in WHOIS records (e.g. foo.com@domainsbyproxy.com) and forward emails sent to that address to the domain name owner. Not anymore. I'm just posting this here for the benefit of anyone who has a domain registered at GoDaddy but is using ACM certs on AWS.

0 answers · 2 votes · 22 views · asked 4 days ago

CDK Route 53 zone lookup brings back wrong zone ID

We are attempting to update our IaC code base to CDK v2. Prior to that, we deploy entire stacks of our system in another test environment. One part of a stack creates a TLS certificate for use with our load balancer.

```csharp
var hostedZone = HostedZone.FromLookup(this, $"{config.ProductName}-dns-zone",
    new HostedZoneProviderProps { DomainName = config.RootDomainName });

DnsValidatedCertificate certificate = new DnsValidatedCertificate(this,
    $"{config.ProductName}-webELBCertificate-{config.Environment}",
    new DnsValidatedCertificateProps
    {
        HostedZone = hostedZone,
        DomainName = config.AppDomainName,
        // Used to implement ValidationMethod = ValidationMethod.DNS
        Validation = CertificateValidation.FromDns(hostedZone)
    });
```

For some reason, the synthesised template defines the hosted zone ID for that AWS::CloudFormation::CustomResource as *something else other than the actual zone ID* in that account. That causes the certificate request validation process to fail, and thus the whole cdk deploy, since it cannot find the real zone to place the validation records in. If looking at the individual pending certificate requests in the Certificate Manager page, they can be approved by manually pressing the [[Create records in Route 53]] button, which finds the correct zone to do so. Not sure where exactly CDK is finding this mysterious zone ID that does not belong to us?

```json
"AppwebELBCertificatetestCertificateRequestorResource68D095F7": {
  "Type": "AWS::CloudFormation::CustomResource",
  "Properties": {
    "ServiceToken": {
      "Fn::GetAtt": [
        "AppwebELBCertificatetestCertificateRequestorFunctionCFE32764",
        "Arn"
      ]
    },
    "DomainName": "root.domain",
    "HostedZoneId": "NON-EXISTENT ZONE ID"
  },
  "UpdateReplacePolicy": "Delete",
  "DeletionPolicy": "Delete",
  "Metadata": {
    "aws:cdk:path": "App-webELBStack-test/App-webELBCertificate-test/CertificateRequestorResource/Default"
  }
}
```

1 answer · 0 votes · 13 views · asked a month ago

Horizontal Scaling concerns, SSL issue with NLB

Note: I'm new to scaling and am firstly seeking advice on the best practices for horizontal scaling.

**I have the following setup:**

*EC2 Instances <-> ASG (created from Launch template) -> TG <-> ALB <-> TG <-> NLB*

Traffic flows through the NLB to the ALB and finally to the EC2 instances configured via the ASG.

Note: I'm assuming the above setup is the best one to go with for horizontal scaling; if not, please let me know.

The above setup works fine for HTTP, whereas when I try to configure HTTPS, I don't see options to do so.

Issue 1: Target Group (TG) doesn't allow creating one with Load Balancer type with TLS port 443, but allows only TCP port 80.

**Question 1:** how else should I redirect HTTPS traffic to the ALB? Note: I need the NLB because the ALB doesn't provide static IPs.

**Question 2:** wrt static IPs: the NLB doesn't allow <2 AZs, which means I need to have 2 static IPs linked to my domain?

Any inputs would be really helpful!

**Update 1:** I've configured it like below:

In ALB listeners: HTTP (80) gets redirected to HTTPS; HTTPS (443) gets forwarded to the ASG.
In NLB listeners: HTTP (80) gets forwarded to the ALB.

Note: the ALB's public URL is added to my domain (sample-alb.domain.com); the NLB's public URL is added to my domain (sample-nlb.domain.com).

SSL works fine if the user enters by hitting sample-alb.domain.com, whereas if the user enters by hitting sample-nlb.domain.com, it always fails with "ERR_CERT_INVALID". Any inputs on why this fails?

**Update 2:** I've got the answer to my Issue 1/Question 1 on how to redirect HTTPS traffic to the ALB from here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html#configure-application-load-balancer-target

> **Listeners and routing**
> For Listeners, the default is a listener that accepts TCP traffic on port 80. Only TCP listeners can forward traffic to an Application Load Balancer target group. Keep the listener protocol set to TCP, but you can modify the port as required.
>
> This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

So, I created a TG with TCP port 80 and a listener on the NLB, which redirects to the ALB. (Say, for example, my NLB's public URL is 'nlb34323.amazonaws.com'.) Now, when I hit my NLB's public URL with 'http://nlb34323.amazonaws.com', it does get redirected to 'https://nlb34323.amazonaws.com', but eventually fails with a timeout error. Note: whereas when I hit the ALB's public URL, it is working fine.

Does it have anything to do with TLS termination as mentioned in the above documentation:

> This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

What am I doing wrong here?

2 answers · 0 votes · 15 views · asked 2 months ago

Exam Revoked After PASSING - Bad Experience with PSI Online (AWS Solution Architect Associate Exam)

I want to report an extremely bad experience taking the AWS Solution Architect Associate (SAA-C02) exam on 01/22/2022. Apologies if this is not the right place to post this experience, as I did not find any other forum to post exam-related experiences. I appeared for AWS Certified Solutions Architect - Associate (CONFIRMATION NUMBER: G81923108) on 01/22/2022. I was able to start the exam after 30 minutes of struggle in getting the PSI software loaded and working. I followed all the guidelines and requirements of the proctor and gave my full 130-minute attention to the exam. After completing the exam, I submitted the exam for the result and was very happy to see the screen "Grade: PASS. Congratulations! You have successfully passed the AWS Certified Solutions Architect .... Within 5 business days, you will receive an email stating your exam result ......" After that, I thought that the exam was now over, as I sat for another 30 seconds and did not see any notification from the proctor or any other dialog on the PASS result screen. I took a photo of the screen with my mobile to keep it for my records so that I don't lose my result and have proof. Right then I saw a screen stating your exam is terminated due to a violation of taking photos, and within 10 seconds the screen closed. I called PSI and explained the matter: that I completed the exam and saw the result on the screen as "PASS", and only after that did I take the picture. They opened a ticket but said you need to contact AWS for resolution. This is a very frustrating situation, as after 9 days (today is 02/01, and I took the exam on 01/22) there is no update on the AWS certification page and also no update on the PSI website related to the result. It's not acceptable for AWS/PSI to make candidates suffer and lose belief in the certification process.

4 answers · 0 votes · 1476 views · asked 5 months ago