
(certificate manager): cannot use cross-region certificate, cannot get custom domain URL #15689

Closed
revmischa opened this issue Jul 21, 2021 · 7 comments
Assignees
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager bug This issue is a bug.

Comments

@revmischa
Contributor

Two issues I had trying to set up a custom domain mapping for my ApiGwV2 HttpApi.

  1. I cannot use a DNS-validated cross-region certificate from us-east-1 in a different stack. I get [certificate-manager] The certificate provided must be owned by the account creating the domain #9608. Because I have a certificate for CloudFront and also my HttpApi it means I need to create two Certificates, one from us-east-1 and one in my current region, even though the docs strongly suggest that I can use my us-east-1 cert in another region.

    import { HostedZone } from "@aws-cdk/aws-route53"
    import { DnsValidatedCertificate } from "@aws-cdk/aws-certificatemanager"

    // hostedZoneDomain: the domain of the existing Route 53 zone (same name is used for the cert)
    const hostedZone = HostedZone.fromLookup(this, "Zone", {
      domainName: hostedZoneDomain,
    })

    // Without `region`, the certificate is requested in the stack's own region
    const certificate = new DnsValidatedCertificate(this, "RegionCertificate", {
      domainName: hostedZoneDomain,
      hostedZone,
      // region: "us-east-1",  <---- I want to use this so I can re-use this with my CloudFront dist
    })

  2. I cannot figure out how to get the URL with custom domain and base path

    import { HttpApi } from "@aws-cdk/aws-apigatewayv2"
    import { CfnOutput } from "@aws-cdk/core"

    // domainName: the apigatewayv2 DomainName construct created with the certificate above
    const httpApi = new HttpApi(this, `Api${appName}`, {
      apiName: this.stackName,
      defaultDomainMapping: {
        domainName,
        mappingKey: envName,
      },
    })
    new CfnOutput(this, "ApiBase", { value: httpApi.defaultStage?.url || "unknown" }) // <--- tried httpApi.url too

This just gives me the boring old execute-api URL, not https://foo.com/dev that I want. How can I get a stack output with the custom domain URL?

Environment

  • CDK CLI Version: 1.110.0
  • Framework Version:
  • Node.js Version: 14
  • OS:
  • Language (Version):

This is 🐛 Bug Report

@revmischa revmischa added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 21, 2021
@revmischa revmischa changed the title (apigatewayv2): cannot use cross-region certificate, cannot (apigatewayv2): cannot use cross-region certificate, cannot get custom domain URL Jul 21, 2021
@github-actions github-actions bot added the @aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 label Jul 21, 2021
@nija-at
Contributor

nija-at commented Jul 28, 2021

I've opened a feature request for your second request here - #15801

@nija-at nija-at changed the title (apigatewayv2): cannot use cross-region certificate, cannot get custom domain URL (certificate manager): cannot use cross-region certificate, cannot get custom domain URL Jul 28, 2021
@nija-at nija-at added @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager and removed @aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 labels Jul 28, 2021
@nija-at nija-at removed their assignment Jul 28, 2021
@nija-at
Contributor

nija-at commented Jul 28, 2021

Transferring request to certificate manager for your first request.

@njlynch
Contributor

njlynch commented Jul 30, 2021

@revmischa ,

When/where are you getting the mentioned error with the certificate?

Can you show a minimal repro?

The root cause of the issue you linked was that the related account/region wasn't bootstrapped. There's also #10529, which is another case of ApiGateway + Certificate Manager causing this issue; in that case, the endpoint type had been set to REGIONAL instead of EDGE. Do either of those solutions help?

@njlynch njlynch added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 30, 2021
@revmischa
Contributor Author

I have run cdk bootstrap for this environment and region.

I am doing this to set up the domain mapping:

    import { ARecord, RecordTarget } from "@aws-cdk/aws-route53"
    import { ApiGatewayv2DomainProperties } from "@aws-cdk/aws-route53-targets"

    // domainName: the apigatewayv2 DomainName construct from the defaultDomainMapping;
    // the alias is built from its regional endpoint and regional hosted zone id
    new ARecord(this, "ApiDNSv4", {
      zone: hostedZone,
      recordName: domainName.name,
      target: RecordTarget.fromAlias(
        new ApiGatewayv2DomainProperties(domainName.regionalDomainName, domainName.regionalHostedZoneId)
      ),
    })

Taken from the docs. I don't want a regional endpoint but I don't know any other way to define my v2 HTTP API as a route53 alias target.

@peterwoodworth peterwoodworth removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. needs-triage This issue or PR still needs to be triaged. labels Sep 20, 2021
@njlynch
Contributor

njlynch commented Sep 21, 2021

@revmischa ,

Sorry for the delay in response here. We apparently have some broken automation around our response-requested label that kept this from coming back into my queue. My apologies.

Re-reading through your initial description, I'm wondering if perhaps I've misinterpreted what you're trying to do:

Because I have a certificate for CloudFront and also my HttpApi it means I need to create two Certificates, one from us-east-1 and one in my current region, even though the docs strongly suggest that I can use my us-east-1 cert in another region.

The docs you linked to above -- for the DnsValidatedCertificate -- allow you to request a certificate cross-region, not necessarily use a certificate in a separate region with any service. The primary use case for this construct is allowing users to request certificates in us-east-1 when their primary stack is elsewhere, for use with CloudFront. It sounds like you want to have a single us-east-1 certificate, and use it with an HttpApi in another region; that (I believe) is not supported by API Gateway.

If my understanding above is incorrect, can you let me know, and provide a minimal repo that shows what you're trying to do?

@revmischa
Contributor Author

Okay got it, I need a certificate in every region I deploy then
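The two questions in this thread reduce to one placement rule (a CloudFront distribution needs its ACM certificate in us-east-1, while an HTTP API custom domain needs a certificate in the API's own region) and one URL shape (`https://<custom domain>/<mapping key>`). The following is an added example, not code from the aws-cdk project or from anyone in this thread: a plain TypeScript pre-synth check that encodes that rule so a stack can report the mismatch before deploy rather than failing on the DomainName resource, and a helper that builds the custom-domain base URL the reporter was after. The `Consumer` type, the function names and the sample domain `foo.example.com` are all assumptions made for this example; the CDK constructs it would feed (`DnsValidatedCertificate` with a `region`, `DomainName`, `CfnOutput`) are not called here.

```typescript
// Added example (not aws-cdk project code): encodes the certificate placement
// rule discussed in this issue. CloudFront accepts only us-east-1 certificates;
// an API Gateway custom domain needs a certificate in the API's own region.
// One us-east-1 certificate therefore cannot serve both a CloudFront
// distribution and an HttpApi in eu-west-1: request one per consuming region.

const CLOUDFRONT_CERT_REGION = "us-east-1";

// Hypothetical model of the things in a stack that consume a certificate.
type Consumer =
  | { kind: "cloudfront"; domainName: string }
  | { kind: "httpapi"; domainName: string; region: string; mappingKey?: string };

/** Region an ACM certificate must be issued in to be usable by this consumer. */
function requiredCertRegion(consumer: Consumer): string {
  return consumer.kind === "cloudfront" ? CLOUDFRONT_CERT_REGION : consumer.region;
}

/** Checks a proposed (certificate region, consumer) pairing and explains a failure. */
function checkCertificateUse(
  certRegion: string,
  consumer: Consumer
): { ok: boolean; reason: string } {
  const needed = requiredCertRegion(consumer);
  if (certRegion === needed) {
    return { ok: true, reason: "" };
  }
  return {
    ok: false,
    reason:
      consumer.kind + " for " + consumer.domainName +
      " needs a certificate in " + needed + ", got " + certRegion,
  };
}

/**
 * Groups domain names by the region their certificate must live in: one
 * DnsValidatedCertificate(region=...) per key is the minimal set to declare.
 * Keys and the name lists are sorted and de-duplicated for stable output.
 */
function planCertificates(consumers: Consumer[]): Record<string, string[]> {
  const plan: Record<string, string[]> = {};
  for (const c of consumers) {
    const region = requiredCertRegion(c);
    if (!plan[region]) {
      plan[region] = [];
    }
    if (plan[region].indexOf(c.domainName) === -1) {
      plan[region].push(c.domainName);
    }
  }
  const out: Record<string, string[]> = {};
  const regions = Object.keys(plan).sort();
  for (const region of regions) {
    out[region] = plan[region].slice().sort();
  }
  return out;
}

/** Base URL of an HttpApi behind a custom domain with an optional stage mapping key. */
function customDomainUrl(domainName: string, mappingKey?: string): string {
  return mappingKey ? "https://" + domainName + "/" + mappingKey : "https://" + domainName;
}

// Constructed sample mirroring the issue: a CloudFront distribution and an
// HttpApi in eu-west-1 that share one hostname, with a "dev" mapping key.
const sampleConsumers: Consumer[] = [
  { kind: "cloudfront", domainName: "foo.example.com" },
  { kind: "httpapi", domainName: "foo.example.com", region: "eu-west-1", mappingKey: "dev" },
];

function demo(): void {
  // Two certificates are needed: one in us-east-1, one in eu-west-1.
  console.log(planCertificates(sampleConsumers));
  // Reusing the us-east-1 certificate for the HttpApi is the mistake from the issue.
  console.log(checkCertificateUse("us-east-1", sampleConsumers[1]));
  console.log(customDomainUrl("foo.example.com", "dev"));
}
demo();
```

In a CDK stack the output of `planCertificates` maps directly onto the constructs: one `DnsValidatedCertificate` per region key, with `region: "us-east-1"` only on the CloudFront one, and the `CfnOutput` value comes from `customDomainUrl(domainName.name, envName)` rather than from `httpApi.url`, which only ever yields the execute-api endpoint.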

@njlynch njlynch closed this as completed Sep 21, 2021
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
