AWS allows validation of Certificate Manager certificates by creating DNS records. When the domains are managed by Route53, CloudFormation will take care of the maintenance of the DNS records. This approach is faster and less error-prone than the e-mail-based approach we offer here.
For this reason we will no longer maintain this repository. It will be archived and thus be read-only.
Right now, it's hard to automatically retrieve a verified SSL/TLS certificate from AWS Certificate Manager via CloudFormation, because you need to have at least an admin email address on one of your super domains. The solution provided here automates this process by managing the CloudFormation-unfriendly SES related stuff.
- SES for Identity Management:
  - A lambda function (calling `ses_domain_identity.py`) creates the subdomain (parameter `domain`) in an existing super-domain (parameter `hostedZoneName`); the lambda function returns the verification token for the TXT record
  - A lambda function (calling
- SNS Topic for receiving approval emails
- lambda function (`ses_wait_for_verification_and_create_rule_set`) is used to create an SES rule set to forward the certificate approval email to SNS
- lambda function (`process_cert_manager_mail`) is triggered by SNS events and verifies the certificate request by parsing the email to get the approval link and finally "clicking on it" via an HTTP POST request
- lambda function (
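The SNS-triggered step above parses the approval mail for the link before "clicking" it. The following is an added example, not the project's `process_cert_manager_mail` code: it unpacks an SES receipt notification delivered through SNS, parses the raw MIME mail, and returns only links on an allowlisted approval host, so a spoofed mail arriving through the same rule set cannot steer the function to an arbitrary URL. The approval host `certificates.amazon.com`, the sample mail and the event layout are assumptions constructed for the example.

```python
"""Added example (not the project's own code): pick the ACM approval link
out of an SES -> SNS -> Lambda event, accepting only allowlisted hosts."""
import email
import json
import re
from email import policy
from urllib.parse import urlparse

# Assumption: ACM approval links live on this host; adjust if that changes.
APPROVAL_HOSTS = {"certificates.amazon.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_approval_link(sns_message):
    """Return the first URL on an allowlisted host, or None.

    sns_message is the SNS 'Message' string: the SES receipt notification
    JSON, whose 'content' field carries the raw MIME mail when the SES
    rule action is SNS."""
    notification = json.loads(sns_message)
    if notification.get("notificationType") != "Received":
        return None
    msg = email.message_from_string(notification["content"], policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        if urlparse(url).hostname in APPROVAL_HOSTS:
            return url
    return None


def handler(event, context=None):
    """Lambda entry point: one approval link per SNS record, if any."""
    links = []
    for record in event.get("Records", []):
        link = extract_approval_link(record["Sns"]["Message"])
        if link:
            links.append(link)
    return links


def make_event(raw_mail):
    """Wrap a raw mail in the SES-notification-in-SNS-event shape (constructed)."""
    notification = {"notificationType": "Received", "content": raw_mail}
    return {"Records": [{"Sns": {"Message": json.dumps(notification)}}]}


# Constructed sample mail: one approval link plus an unrelated link.
SAMPLE_MAIL = (
    "From: no-reply@example.test\nTo: admin@mydomain.com\n"
    "Subject: Certificate request\nContent-Type: text/plain\n\n"
    "Approve here: https://certificates.amazon.com/approvals?code=ABC&context=XYZ\n"
    "Other link: https://not-amazon.example/approvals?code=ABC\n"
)
```

Running `handler(make_event(SAMPLE_MAIL))` yields only the `certificates.amazon.com` link; the non-allowlisted one is ignored.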
See AWS::CloudFormation::Stack documentation.
To retrieve an SSL certificate for `subdomain.mydomain.com` you have to have a Route53 Hosted Zone for a super domain (e.g. `mydomain.com`) which is needed to create DNS records for your domain.
Then you can use the following YAML snippet to retrieve the verified SSL certificate:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  SSLCertificate:
    Type: "AWS::CloudFormation::Stack"
    Properties:
      Parameters:
        domain: subdomain.mydomain.com
        hostedZoneName: mydomain.com. # your hosted domain
      TemplateURL: "https://s3-eu-west-1.amazonaws.com/is24-infrastructure-public/cloudformation/verified-ssl-certificate/ssl-certificate.template.yaml"
```
Output parameters are:

| Parameter Name | Description |
|---|---|
| Arn | ARN of the verified SSL certificate |
| sslCertificateArn | ARN of the verified SSL certificate |
To reference the SSL certificate you can use the following snippet:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  LoadBalancerListenerHttps:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup
      Certificates:
        - CertificateArn: !GetAtt SSLCertificate.Outputs.Arn
```
Deploy the example stack like this:

```sh
aws cloudformation create-stack \
  --stack-name my-ssl-stack \
  --template-body file://$(pwd)/ssl-certificate.template.yaml \
  --parameters \
    ParameterKey=domain,ParameterValue=my-domain.example.com \
    ParameterKey=hostedZoneName,ParameterValue=example.com. \
  --capabilities CAPABILITY_IAM
```
We provide the templates ready for you:

- Template: `s3://is24-infrastructure-public/cloudformation/verified-ssl-certificate/ssl-certificate.template.yaml`
- Lambda Code: `s3://is24-infrastructure-public/cloudformation/verified-ssl-certificate/labda_functions.zip`
- Template: `s3://is24-infrastructure-public/cloudformation/verified-ssl-certificate/<commit-hash>/ssl-certificate.template.yaml`
- Lambda Code: `s3://is24-infrastructure-public/cloudformation/verified-ssl-certificate/<commit-hash>/labda_functions.zip`
```sh
# build and deploy code to your development bucket
./deploy.sh s3://my-dev-bucket/my-prefix false

# deploy stack with development version
aws cloudformation create-stack \
  --stack-name my-ssl-stack \
  --template-body file://$(pwd)/ssl-certificate.template.yaml \
  --parameters \
    ParameterKey=domain,ParameterValue=my-domain.example.com \
    ParameterKey=hostedZoneName,ParameterValue=example.com. \
    ParameterKey=lambdaCodeS3Bucket,ParameterValue=my-dev-bucket \
    ParameterKey=lambdaCodeS3Key,ParameterValue=my-prefix/lambda_functions.zip \
  --capabilities CAPABILITY_IAM
```