DEV Community


Generating ACM certificates for a Vercel-managed domain.

Joseph Snell (wulfmann)

When you use Vercel to manage your DNS records, they generate SSL certificates for you.

I want to manage my DNS with Vercel, but still need an ACM Certificate in my AWS account. I've done this before with Route 53, but with Vercel I kept seeing mysterious failures.

After trying Email Validation, I switched to DNS Validation. I still got errors, but this time I got more information:

The status of this certificate request is "Failed". One or more domain names have failed validation due to a Certificate Authority Authentication (CAA) error.

After googling around, I found this note:

One or more domain names have failed validation due to a Certification Authority Authentication (CAA) error, check your CAA DNS records.

After going back to my domain in the Vercel dashboard, I found this record:

CAA 0 issue "letsencrypt.org"

Since there is no CAA record allowing Amazon to issue certificates, the request fails.

AWS provides documentation on how to configure a CAA record to allow ACM to generate certs. We need to add an extra record in Vercel:

CAA 0 issue "amazon.com"

Request a new ACM cert and this time it succeeds!
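The check that fails above can be reproduced offline before requesting the certificate. The following is an added example, not part of the original post: it applies the RFC 8659 `issue`/`issuewild` rules to a CAA record set and tests it against the four CA names AWS documents for ACM. The function names are hypothetical, the sample records are constructed, and the code assumes you pass it the record set that applies to the domain (it does no DNS lookup or parent-domain climbing and ignores the critical flag).

```python
# Added example: evaluate a CAA record set against the CA names ACM accepts.
# Input lines are constructed samples in the form shown in the post / dig +short.

# CAA values AWS documents as authorizing ACM issuance.
ACM_CA_DOMAINS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}


def parse_caa(line):
    """Parse 'CAA 0 issue "letsencrypt.org"' into (flags, tag, value)."""
    parts = line.split()
    if parts[0].upper() == "CAA":  # the leading record type is optional
        parts = parts[1:]
    flags, tag = int(parts[0]), parts[1].lower()
    value = " ".join(parts[2:]).strip('"')
    return flags, tag, value


def issuer(value):
    """Issuer domain from a CAA value; parameters after ';' are dropped."""
    return value.split(";", 1)[0].strip().lower()


def acm_allowed(records, wildcard=False):
    """True if the record set lets ACM issue (RFC 8659 issue/issuewild rules)."""
    parsed = [parse_caa(r) for r in records if r.strip()]
    issue = [issuer(v) for _, t, v in parsed if t == "issue"]
    issuewild = [issuer(v) for _, t, v in parsed if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable restriction: any CA may issue
    return any(d in ACM_CA_DOMAINS for d in relevant)


if __name__ == "__main__":
    before = ['CAA 0 issue "letsencrypt.org"']          # record found in the post
    after = before + ['CAA 0 issue "amazon.com"']       # record added in the post
    print("before:", acm_allowed(before))
    print("after: ", acm_allowed(after))
```

Pass `wildcard=True` when the certificate request includes a `*.` name, since an `issuewild` record can block ACM even when an `issue` record allows it.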

Discussion (3)

Alejandro Corredor (aecorredor)

Thanks for that. That's exactly what I was missing. After going through that and setting the path mappings for your API, did you run into any other issues? I'm still not seeing anything on my custom endpoint. I already added a CNAME record on Vercel's side to also point the domain to the api gateway execution domain.

Joseph Snell (wulfmann), Author

I don't recall having any other issues. So you're routing a CNAME record to an API Gateway and when you make a request to it, the api isn't hit?

Alejandro Corredor (aecorredor)

Nvm, I had missed adding the API gateway CNAME record to Vercel.