1

I have access to a number of AWS accounts belonging to a client, and would like to set up a public certificate using DNS validation. I believe this means I also need to set up DNS too.

I have two accounts:

  • dsc-staging (contains new cert, local DNS for subdomain)
  • eds-staging (contains root of new subdomain)

The new cert/DNS shall be:

gatekeeper.s.aws.example.com

This is set up in account dsc-staging. I have gone through the "DNS validation" option, and it says that it is pending. To start with there is no DNS for this name in either account, so this would eventually fail if left like that.

So, in the same account, I have created a HostedZone in Route 53, which creates default NS and SOA records.

Now, in the other account, eds-staging, there are existing records for:

  • s.aws.example.internal (NS record with four rows in a single value)
  • s.aws.example.internal (SOA record)

I have added the validation record in here, as a CNAME. (I am informed that it would be OK to have put the validation record in the local Route 53, but I have chosen for now to do it here).

Now, I believe that I need to inform AWS how to connect gatekeeper.s.aws.example.com with the known internal name s.aws.example.internal, which already exists, and is used by other things. I believe the process of connecting the two is called "delegation". I was given some instructions to take the NS records from the local account for gatekeeper.s.aws.example.com and copy them to the parent domain s.aws.example.internal in the other account.

However, the AWS UI in Route 53 seems to disallow adding another NS record - is it because one already exists? If so can I just add my four records under the existing four (ie. in the same record)?

I believe that if I wire up this DNS so that it is resolvable, the certificate will automatically become validate-able, and that will happen automatically. Is this assumption correct?

James Adams
  • 8,448
  • 21
  • 89
  • 148
halfer
  • 19,824
  • 17
  • 99
  • 186
  • Ah, my first error has been pointed out to me - I am editing the wrong Hosted Zone on the second account! `s.aws.example.internal` is a private zone, and I should have been looking at `s.aws.example.com` instead. Obvious when one thinks about it! – halfer Mar 12 '21 at 17:41

1 Answers1

2

I would break it down like this:

  1. Register or transfer the domain to your AWS master billing account. This is the only account that registers domains.

  2. In each sub account eg dev prod, create a R53 hosted zone for the top level domain provisioned in step 1. Make sure the NS servers in step 1 are assigned to the zone here. Pay close attention that they agree both on name AND number of servers - usually 4.

  3. Create a ACM cert request for the root AND wild card domain EG example.com and *.example.com. Request DNS validation. Key here is to include the wild card. This means it will work for any host name in the domain.

  4. In ACM, request that the service create the R53 validation DNS records for you. This is only possible if you have done step 2 in the same account.

  5. Wait for approval. It can take a few mins, to all day. Check back every hour or so.

This process, if followed exactly, will always provide a validated ACM cert that works for any AWS supported service, for both the root domain and any subhost under it.

Rodrigo Murillo
  • 13,080
  • 2
  • 29
  • 50
  • This is great, thanks. Out of interest, once the certificate has been created, can I then delete the DNS entries that validated it, and have the cert still remain valid? I ask because I have some CDK to set up a system, and it is complaining that `gatekeeper.s.aws.example.com already exists in stack`. I think I just need to create the cert manually (since it needs validation) and then I can do everything else in code. – halfer Mar 12 '21 at 23:30
  • I tend to leave them in there. They may be consulted during renewal. But I am not sure about this. – Rodrigo Murillo Mar 13 '21 at 02:11
  • 1
    Fair enough. I will try deleting it manually, to see if my CDK creation of the same re-creates it in a Stack context. I hope that if the DNS record is required for renewal then it will use the Stack version and not the manually-created one. – halfer Mar 13 '21 at 12:50