AWS Certificate Manager (ACM) is an AWS service that issues TLS/SSL certificates for domains you control; public certificates are free of charge. The process is even easier for domains whose DNS is hosted in Route 53, because ACM can add the DNS validation records to the hosted zone for you.
Prerequisites
- A domain with a public hosted zone in Route 53. The domain itself can be registered elsewhere as long as its name servers point at that hosted zone; ACM only needs to be able to create records in it.
Process
Navigate your AWS Console to ACM and click "Request a certificate".
Under Certificate type, select "Request public certificate", then "Next".
In the following form, set the following:
- Under "Fully qualified domain name", enter the domain you want to request a certificate for (for example `example.com`, `www.example.com`, or `*.example.com` for a wildcard).
- Validation method: "DNS Validation"
- Key algorithm: "RSA 2048"
- Select "Request" at the bottom of the form.
The certificate details screen then shows the pending request. Once the Domains section loads, select "Create records in Route 53".
Find your domain from Route 53 and click "Create records". Mine is grayed out since I already validated my domain in AWS.
Once the records are created, wait a few minutes and refresh the certificate details screen. The status should change from "Pending validation" to "Issued", and you have a certificate to use.
This method works for specific subdomains or for a wildcard name. One caveat: a wildcard such as `*.example.com` covers exactly one label, so it matches `app.example.com` but not `example.com` itself or `a.b.example.com`; add the apex (or deeper names) as additional names on the request if you need them. The apex and its wildcard share the same validation CNAME, so requesting both costs no extra DNS records.
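For readers who script this instead of clicking through the console, here is what the "Create records in Route 53" button does under the hood. This is an added example, not code from the post: it takes an `acm describe-certificate` response, pulls out the DNS validation records (deduplicating them, since the apex and its wildcard share one CNAME), checks that each record actually belongs to the hosted zone, and builds the Route 53 change batch. The embedded response is a constructed sample with made-up tokens; the optional `create_validation_records` function does the live calls with boto3 and needs credentials.

```python
"""Build the Route 53 change batch that ACM DNS validation needs.

The sample response below is CONSTRUCTED to match the shape of the real
DescribeCertificate API; the tokens in it are not real."""
from typing import Dict, List

SAMPLE_DESCRIBE_CERTIFICATE: Dict = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/"
                          "11111111-2222-3333-4444-555555555555",
        "DomainName": "example.net",
        "SubjectAlternativeNames": ["example.net", "*.example.net"],
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "example.net",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_abc123.example.net.",
                    "Type": "CNAME",
                    "Value": "_def456.acm-validations.aws.",
                },
            },
            {
                # The wildcard gets the SAME validation record as the apex.
                "DomainName": "*.example.net",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_abc123.example.net.",
                    "Type": "CNAME",
                    "Value": "_def456.acm-validations.aws.",
                },
            },
        ],
    }
}


def validation_records(describe_response: Dict) -> List[Dict]:
    """Unique ResourceRecord entries from a DescribeCertificate response.
    Entries without a ResourceRecord are skipped: ACM has not generated
    the token yet and the caller should poll again."""
    seen, out = set(), []
    for opt in describe_response["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if not rr:
            continue
        key = (rr["Name"].lower(), rr["Type"], rr["Value"].lower())
        if key not in seen:
            seen.add(key)
            out.append(rr)
    return out


def in_hosted_zone(record_name: str, zone_name: str) -> bool:
    """True if record_name is the zone apex or strictly below it
    (label boundary respected, trailing dots ignored)."""
    r = record_name.lower().rstrip(".")
    z = zone_name.lower().rstrip(".")
    return r == z or r.endswith("." + z)


def build_change_batch(describe_response: Dict, zone_name: str, ttl: int = 300) -> Dict:
    """Route 53 ChangeBatch creating every validation record as an UPSERT.
    Refuses records that fall outside the zone: writing them anywhere
    else would never satisfy ACM, and points at the wrong hosted zone."""
    changes = []
    for rr in validation_records(describe_response):
        if not in_hosted_zone(rr["Name"], zone_name):
            raise ValueError(f"{rr['Name']} is not inside hosted zone {zone_name}")
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    if not changes:
        raise ValueError("no validation records yet; ACM may still be generating them")
    return {"Comment": "ACM DNS validation", "Changes": changes}


def create_validation_records(certificate_arn: str, hosted_zone_id: str,
                              zone_name: str, region: str = "us-east-1") -> Dict:
    """Live version. Needs AWS credentials plus acm:DescribeCertificate and
    route53:ChangeResourceRecordSets. Use us-east-1 for a CloudFront cert."""
    import boto3  # imported here so the offline helpers above run without it
    acm = boto3.client("acm", region_name=region)
    route53 = boto3.client("route53")
    describe = acm.describe_certificate(CertificateArn=certificate_arn)
    batch = build_change_batch(describe, zone_name)
    return route53.change_resource_record_sets(HostedZoneId=hosted_zone_id,
                                               ChangeBatch=batch)


if __name__ == "__main__":
    import json
    print(json.dumps(build_change_batch(SAMPLE_DESCRIBE_CERTIFICATE, "example.net"), indent=2))
```

Running the script offline prints a single UPSERT for `_abc123.example.net.` even though the request listed two names; that is the same one record the console creates for an apex-plus-wildcard request.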
How I use this
I recently updated one of my talks to feature branch-based deployments, similar to how Netlify or Vercel works. As part of the update, I registered a domain with Route 53 and a wildcard certificate to ensure that the branch deployments have SSL.
The demo application is deployed via AWS SAM and the ARN for the wildcard certificate is passed into the build process as a parameter. This lets me dynamically register subdomains with Route 53 and use the wildcard certificate that was created manually.
The `Name` value concatenates the value of `EnvironmentParam` onto the main domain. So if the parameter is "mycoolsubdomain" it creates a record named "mycoolsubdomain.guardianforge-r53.net".
```yaml
Resources:
  Subdomain:
    Type: AWS::Route53::RecordSet
    Properties:
      # 👉 The hosted zone ID of the domain in Route 53
      HostedZoneId: Z04847192KADNUAMJT9ZV
      # 👉 The CNAME to register in Route 53
      Name: !Join [ "", [!Ref EnvironmentParam, ".guardianforge-r53.net"]]
      # 👉 Record type
      Type: CNAME
      # 👉 TTL value
      TTL: 900
      ResourceRecords:
        # 👉 The value of the record, references my Cloudfront CDN distribution
        - !GetAtt CloudfrontCdn.DomainName
```
In the CloudFront resource, the same hostname is set as an alias for the distribution, and the certificate ARN is passed under "ViewerCertificate" > "AcmCertificateArn". Note that CloudFront only accepts ACM certificates issued in the us-east-1 (N. Virginia) region, so request the certificate there even if the rest of the stack is deployed elsewhere.
```yaml
CloudfrontCdn:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Aliases:
        # 👉 Here is where the subdomain is set as the alias
        - !Join [ "", [!Ref EnvironmentParam, ".guardianforge-r53.net"]]
      DefaultRootObject: index.html
      Origins:
        - Id: !Join ["-", ["S3-GuardianForge", !Ref EnvironmentParam]]
          DomainName: !GetAtt SiteBucket.RegionalDomainName
          OriginPath: "/app"
          S3OriginConfig:
            # 👉 An empty OAI means CloudFront reads the bucket anonymously, so the
            # bucket must allow public reads. To keep the bucket private, set an
            # Origin Access Identity (or Origin Access Control) here and restrict
            # the bucket policy to it.
            OriginAccessIdentity: ''
      DefaultCacheBehavior:
        TargetOriginId: !Join ["-", ["S3-GuardianForge", !Ref EnvironmentParam]]
        ViewerProtocolPolicy: redirect-to-https
        ForwardedValues:
          QueryString: false
        AllowedMethods:
          - HEAD
          - GET
        CachedMethods:
          - HEAD
          - GET
      CustomErrorResponses:
        # 👉 Single-page app fallback: S3 returns 403/404 for unknown paths,
        # CloudFront serves index.html with a 200 instead
        - ErrorCode: 403
          ResponsePagePath: /index.html
          ResponseCode: '200'
          ErrorCachingMinTTL: 10
        - ErrorCode: 404
          ResponsePagePath: /index.html
          ResponseCode: '200'
          ErrorCachingMinTTL: 10
      Comment: !Join ["-", ["GuardianForge", !Ref EnvironmentParam]]
      PriceClass: PriceClass_All
      Enabled: true
      HttpVersion: http2
      ViewerCertificate:
        # 👉 And here is where the CertArnParam is used to use the SSL cert
        # (the certificate must live in us-east-1 for CloudFront to accept it)
        AcmCertificateArn: !Ref CertArnParam
        SslSupportMethod: sni-only
        # 👉 Refuses TLS 1.0 and 1.1 clients
        MinimumProtocolVersion: TLSv1.2_2019
```
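Two things in the template above are only checked at deploy time, when CloudFormation fails: that `CertArnParam` points at a certificate in us-east-1, and that the certificate's names actually cover the hostname built from `EnvironmentParam` (a wildcard covers one label, and a branch name such as `feature/x` is not a valid DNS label at all). The following pre-deploy check is an added example, not part of the post or the project; the base domain is taken from the template, the assumption that `EnvironmentParam` comes from a branch name is mine, and the certificate names it is fed are constructed (in a real run they come from `acm describe-certificate`).

```python
"""Pre-deploy check for the CertArnParam / EnvironmentParam pair.

Added example. BASE_DOMAIN is the domain used in the template on this page;
the mapping from branch name to EnvironmentParam is an assumption."""
import re
from typing import Dict, Iterable, List

BASE_DOMAIN = "guardianforge-r53.net"
CLOUDFRONT_CERT_REGION = "us-east-1"   # CloudFront accepts ACM certs only from here

ACM_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-zA-Z-]*):acm:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):certificate/(?P<id>[0-9a-fA-F-]+)$"
)
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen
DNS_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_acm_arn(arn: str) -> Dict[str, str]:
    """Split an ACM certificate ARN into partition/region/account/id."""
    m = ACM_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ACM certificate ARN: {arn!r}")
    return m.groupdict()


def env_label(env: str) -> str:
    """Turn EnvironmentParam into a single DNS label, or refuse it.
    The template concatenates the parameter unchecked, so a value like
    'feature/x' or '' would only fail later inside CloudFormation."""
    label = env.strip().lower()
    if not DNS_LABEL_RE.match(label):
        raise ValueError(f"{env!r} is not usable as a DNS label")
    return label


def hostname_for(env: str) -> str:
    """The name the template's !Join produces for this environment."""
    return f"{env_label(env)}.{BASE_DOMAIN}"


def name_matches(cert_name: str, hostname: str) -> bool:
    """Hostname matching as browsers and CloudFront apply it: a wildcard
    covers exactly one label, so *.example.net matches a.example.net but
    neither example.net nor a.b.example.net."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return sep == "." and head != "" and tail == cert_name[2:]
    return cert_name == hostname


def check_deploy(cert_arn: str, cert_names: Iterable[str], env: str) -> List[str]:
    """Return a list of problems; an empty list means the deploy can proceed."""
    problems: List[str] = []
    try:
        arn = parse_acm_arn(cert_arn)
        if arn["region"] != CLOUDFRONT_CERT_REGION:
            problems.append(
                f"certificate is in {arn['region']}; CloudFront requires {CLOUDFRONT_CERT_REGION}"
            )
    except ValueError as exc:
        problems.append(str(exc))
    try:
        host = hostname_for(env)
        names = list(cert_names)
        if not any(name_matches(n, host) for n in names):
            problems.append(f"{host} is not covered by certificate names {sorted(names)}")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed inputs: a wildcard cert in the right region, three candidate branches
    cert = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
    for branch in ("mycoolsubdomain", "feature/x", "a.b"):
        print(branch, "->", check_deploy(cert, ["*.guardianforge-r53.net"], branch) or "ok")
```

Wire `check_deploy` into the build step before `sam deploy --parameter-overrides` so a bad region or an uncoverable branch name fails fast with a readable message rather than as a CloudFormation rollback after the distribution has started creating.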
🤗 If you are interested in more content like this and want to support me, consider joining my newsletter!