ACM domain validation: Renewal for internal or non public Load-Balancers


A customer is using ACM managed certificates and domain validation. Their load balancers are not publicly reachable (protected by security groups, but this probably also applies to internal load balancers), but for the renewal of the certificates an HTTPS connection is made from ACM to the domains in the certificate:

"ACM must be able to establish an HTTPS connection with each domain in the certificate."
https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html
They want to be able to automate the renewal process, e.g. they don't want to use email validation.

I wonder why the HTTPS request is necessary at all for DNS validation and renewal (this is in general not required with DNS validation by other certificate providers).

Do we have any workaround for this? E.g. allow a defined IP range from ACM in the security groups?

1 answer

Accepted answer

As specified in the launch blog post: https://aws.amazon.com/blogs/security/easier-certificate-validation-using-dns-with-aws-certificate-manager/ and in the DNS Public Docs: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html

If the customer validates a certificate using DNS:

ACM automatically renews certificates that are deployed and in use with other AWS services as long as the CNAME record remains in your DNS configuration. To learn more about ACM DNS validation, see the ACM FAQs and the ACM documentation.

Establishing a TLS connection to the domain will not be necessary to automatically renew DNS-Validated Certificates as long as the CNAMEs used to initially validate the domain(s) are still reachable via public DNS.

Hope that helps!

AWS
answered 6 years ago
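Since renewal of a DNS-validated certificate depends only on the validation CNAMEs still being answerable from public DNS, the practical check is to confirm that each CNAME ACM issued still resolves to its expected value. The following is an added example, not code from the answer above or from AWS: a hypothetical helper that takes the `Certificate.DomainValidationOptions` list in the shape returned by `aws acm describe-certificate` (the sample records here are constructed placeholders) and compares what public DNS returns against the ACM-issued value; the stand-alone run assumes `dig` is installed.

```python
"""Check that ACM DNS-validation CNAMEs are still resolvable via public DNS.

Hypothetical helper (not AWS tooling). Input: the Certificate.DomainValidationOptions
list as returned by `aws acm describe-certificate`; the sample below is constructed.
"""
import subprocess


def _norm(name):
    """Compare DNS names case-insensitively and ignore the trailing dot ACM emits."""
    return name.rstrip(".").lower()


def resolve_cname_with_dig(name):
    """Public-DNS lookup using `dig +short CNAME` (assumes dig exists); returns the target or None."""
    out = subprocess.run(["dig", "+short", "CNAME", name], capture_output=True, text=True).stdout
    lines = [ln.strip() for ln in out.splitlines() if ln.strip()]
    return lines[0] if lines else None


def check_validation_records(domain_validation_options, resolve_cname):
    """Return {domain: bool}; True when the validation CNAME resolves to the ACM-issued value.

    Domains validated by email, or without a CNAME record, are reported False because
    ACM cannot renew them through DNS regardless of load-balancer reachability.
    """
    results = {}
    for opt in domain_validation_options:
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rr or rr.get("Type") != "CNAME":
            results[opt["DomainName"]] = False
            continue
        actual = resolve_cname(rr["Name"])  # resolver is injected so it can be faked in tests
        results[opt["DomainName"]] = actual is not None and _norm(actual) == _norm(rr["Value"])
    return results


# Constructed sample in the describe-certificate shape (placeholder names, not real ACM values).
SAMPLE_OPTIONS = [
    {"DomainName": "internal-api.example.com", "ValidationMethod": "DNS",
     "ResourceRecord": {"Name": "_PLACEHOLDER1.internal-api.example.com.", "Type": "CNAME",
                        "Value": "_PLACEHOLDER1.acm-validations.aws."}},
    {"DomainName": "legacy.example.com", "ValidationMethod": "EMAIL"},
]

if __name__ == "__main__":
    for domain, ok in check_validation_records(SAMPLE_OPTIONS, resolve_cname_with_dig).items():
        print(f"{domain}: {'CNAME present, auto-renewal possible' if ok else 'validation CNAME NOT found'}")
```

A domain reported False is the one to investigate before the certificate's renewal window, since ACM will fall back to the connection-based check described in the question.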
