
I'm having some trouble understanding how to replace my imported wildcard cert with an AWS-issued one without taking my site offline. Currently I have an imported SSL certificate in ACM. In the DNS I have a record such as:

*.example.com A Simple - 11.22.33.44

Which redirects any implicit subdomains at a specific place.

I want to issue a wildcard certificate directly in ACM, but to do that I need to create a CNAME record for *.example.com, which apparently is invalid as two records cannot share the same record name.

Is there any way to do this without removing the wildcard DNS record?

Thanks

tom_h
    In general you can have multiple DNS records for the same name, but you cannot have any other records _with CNAME_ except (metarecords) RRSIG and NSEC*, because such a record's data (like your A) could never be used while the CNAME exists, see https://en.wikipedia.org/wiki/CNAME_record . Why do you think you need a CNAME for `*.example.com`? https://aws.amazon.com/certificate-manager/faqs/ says you need `_TOKEN5.example.com` where TOKEN5 is determined by Amazon, which does not conflict with either `*` or presumably any of your actual subdomain names. But not programming/development. – dave_thompson_085 Jul 01 '22 at 09:37
  • @dave_thompson_085 - thanks, you're absolutely right. I was misreading things - I've added the validation token to the hosted zone now. – tom_h Jul 01 '22 at 10:10

1 Answer

I've never used imported certificates in AWS; I directly used certificates issued by AWS (and domains registered in AWS), so maybe I'm wrong.

If I remember correctly, when you create a certificate in AWS Certificate Manager, you choose your domain (mydomain.com), then you add another domain (*.mydomain.com) so all the first-level subdomains are covered (and you can add more of them).

Then, in validation method, choose "DNS validation", and AWS generates a set of CNAMEs to add to your DNS table in Route53, like these:

Domain Name      Record Name                                     Record Type   Record Value
mydomain.com     _[32_chars_alphanumeric_string].mydomain.com.   CNAME         _[another_32_chars_alphanumeric_string].asdasdasda.acm-validations.aws.
*.mydomain.com   _[32_chars_alphanumeric_string].mydomain.com.   CNAME         _[another_32_chars_alphanumeric_string].asdasdasda.acm-validations.aws.

At this point you can add them manually to your DNS table, or tell AWS to do it for you. And you have finished.

In my DNS table I do not need a CNAME with the wildcard for my domain (*.mydomain.com) for the certificate, because I have the records shown above (look at the record names).

I do not know if I have answered your question, I hope this information can be useful to you.

mati
  • Thank you - yes it turns out I was misreading the documentation. Adding the CNAME with the values provided by Amazon allowed the certificate to be issued. For the sake of clarity for anyone else wondering: It's safe to add the record to any hosted zone because it's adding a unique name and value. There's no need to remove existing DNS records to validate a new certificate. – tom_h Jul 01 '22 at 10:22
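As an added example (not part of the question, the answer, or any AWS tooling), the script below takes the shape of `aws acm describe-certificate` output, deduplicates the validation CNAMEs (ACM hands the apex and the wildcard the same record, as the table above shows), checks them against the zone's existing records using the rule from the comments (a CNAME cannot share an owner name with any other record), and builds the Route 53 change batch. The certificate JSON, the `_abc123`/`_def456` tokens and the zone contents are constructed samples; the conflict check ignores the RRSIG/NSEC exception.

```python
# Added example, not from the post: plan ACM DNS-validation records for Route 53.
# SAMPLE_DESCRIBE mimics `aws acm describe-certificate`; tokens are constructed.
import json

SAMPLE_DESCRIBE = {
    "Certificate": {
        "DomainValidationOptions": [
            {"DomainName": "example.com",
             "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                "Value": "_def456.acm-validations.aws."}},
            {"DomainName": "*.example.com",
             "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                "Value": "_def456.acm-validations.aws."}},
        ]
    }
}
# Constructed existing zone: the asker's wildcard A record at *.example.com.
SAMPLE_ZONE = [{"Name": "*.example.com.", "Type": "A"}]


def norm(name):
    """Case-fold and make the owner name fully qualified for comparison."""
    return name.lower().rstrip(".") + "."


def validation_records(describe):
    """Unique validation CNAMEs; apex and wildcard normally share one."""
    seen, out = set(), []
    for opt in describe["Certificate"]["DomainValidationOptions"]:
        rr = opt["ResourceRecord"]
        key = (norm(rr["Name"]), rr["Type"], norm(rr["Value"]))
        if key not in seen:
            seen.add(key)
            out.append({"Name": key[0], "Type": rr["Type"], "Value": key[2]})
    return out


def conflicts(zone, records):
    """Owner names where a validation CNAME would sit beside another record.
    A CNAME may not coexist with other data at the same name (RRSIG/NSEC aside);
    the asker's `*.example.com` A record is a different name, so no conflict."""
    existing = {norm(r["Name"]) for r in zone}
    return [r["Name"] for r in records if r["Name"] in existing]


def change_batch(records):
    """ChangeBatch document for `aws route53 change-resource-record-sets`."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": r["Name"], "Type": r["Type"], "TTL": 300,
        "ResourceRecords": [{"Value": r["Value"]}]}} for r in records]}


if __name__ == "__main__":
    recs = validation_records(SAMPLE_DESCRIBE)
    print("conflicts:", conflicts(SAMPLE_ZONE, recs))
    print(json.dumps(change_batch(recs), indent=2))
```

Feed the real `describe-certificate` JSON and the zone's `list-resource-record-sets` output into these functions, and apply the batch only when `conflicts()` returns an empty list.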