You’re correct, ACM validation of a public TLS certificate issued by ACM requires a public hosted zone or a public domain name (a public domain name zone outside Route 53) that you own, because ACM validates public TLS certificates by either DNS validation or email validation, and both require a publicly accessible domain name or zone. https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html
Just to recap, what you need to do to generate a public TLS certificate and get it verified by ACM is the following:
- Using ACM Console, request a public TLS certificate for your public domain name that you will use. Example: api.example.com.
- Choose either DNS validation or Email validation based on your preference.
- Wait for some time until ACM is able to validate the domain ownership.
- Once validated, ACM will generate the TLS certificate and you can associate it with your ALB/NLB and the API Gateway.
Let me know how it goes and I’ll be happy to assist.
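The step in the recap that most often stalls is the second one: for DNS validation you must publish the CNAME record that ACM hands back for each domain name on the certificate, and validation stays pending until that record is resolvable from the public internet. The following is an added example, not code from this thread or from AWS, that reads the JSON produced by `aws acm describe-certificate`, pulls out the validation records, reports the per-domain validation status, and builds the Route 53 `ChangeBatch` you would pass to `change-resource-record-sets` against the public hosted zone. The certificate ARN, domain names and record values in `SAMPLE_DESCRIBE_CERTIFICATE` are constructed for illustration; the field names (`DomainValidationOptions`, `ValidationStatus`, `ValidationMethod`, `ResourceRecord`) are the ones the ACM API actually returns.

```python
import json
import sys

# Constructed sample of `aws acm describe-certificate` output (not output from
# any real account): one certificate covering two names, one pending DNS
# validation, the other already validated by email. Email validation returns
# no ResourceRecord, so a DNS record must never be generated for it.
SAMPLE_DESCRIBE_CERTIFICATE = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ARN",
        "DomainName": "api.example.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "api.example.com",
                "ValidationDomain": "api.example.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_abc123.api.example.com.",
                    "Type": "CNAME",
                    "Value": "_def456.acm-validations.aws.",
                },
            },
            {
                "DomainName": "www.example.com",
                "ValidationDomain": "example.com",
                "ValidationStatus": "SUCCESS",
                "ValidationMethod": "EMAIL",
                "ValidationEmails": ["admin@example.com"],
            },
        ],
    }
})


def validation_records(describe_json: str) -> list[dict]:
    """Return the CNAME records ACM asks you to publish (DNS validation only)."""
    cert = json.loads(describe_json)["Certificate"]
    records = []
    for opt in cert.get("DomainValidationOptions", []):
        # Email-validated names carry no ResourceRecord; skip them.
        if opt.get("ValidationMethod") != "DNS" or "ResourceRecord" not in opt:
            continue
        rr = opt["ResourceRecord"]
        records.append({"domain": opt["DomainName"], "name": rr["Name"],
                        "type": rr["Type"], "value": rr["Value"]})
    return records


def validation_summary(describe_json: str) -> dict[str, str]:
    """Map each domain name on the certificate to its validation status."""
    cert = json.loads(describe_json)["Certificate"]
    return {opt["DomainName"]: opt["ValidationStatus"]
            for opt in cert.get("DomainValidationOptions", [])}


def route53_change_batch(describe_json: str, ttl: int = 300) -> dict:
    """Build the ChangeBatch for `aws route53 change-resource-record-sets`.

    UPSERT is idempotent, so re-running after a partial apply is safe. The
    batch must be applied to the PUBLIC hosted zone for the domain; a private
    hosted zone is invisible to ACM's validators.
    """
    changes = []
    for rec in validation_records(describe_json):
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rec["name"],
                "Type": rec["type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": rec["value"]}],
            },
        })
    return {"Comment": "ACM DNS validation records", "Changes": changes}


def pending_domains(describe_json: str) -> list[str]:
    """Names that still block issuance; empty means ACM can issue the cert."""
    return [d for d, s in validation_summary(describe_json).items()
            if s != "SUCCESS"]


if __name__ == "__main__":
    # Pipe real output in, e.g.:
    #   aws acm describe-certificate --certificate-arn <arn> | python acm_validation.py
    # Without stdin, fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_CERTIFICATE
    print("status by domain:", json.dumps(validation_summary(data), indent=2))
    print("still pending:", pending_domains(data))
    print("change batch:", json.dumps(route53_change_batch(data), indent=2))
```

After applying the change batch with `aws route53 change-resource-record-sets --hosted-zone-id <public zone id> --change-batch file://batch.json`, re-run `describe-certificate` until `pending_domains` is empty; only then does the certificate appear as issued and become attachable to the ALB/NLB.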
As you stated, private APIs do not support custom domain names. However, there is a workaround: https://serverlessland.com/repos/apigw-private-custom-domain-name
Thanks for your reply. Based on the link you provided it says: “We use a private hosted zone in association with the VPC. The CNAME resolves to the FQDN of the private load balancer, in this example internal-0123-abcd.elb.us-east-1.amazonaws.com. The load balancer terminates TLS with the ACM certificate for private.internal.example.com. For more details, refer to the documentation on private hosted zones.”
Now that implies that I can have a private hosted zone to generate the TLS certificate of my domain name in ACM too, which is confusing, because ACM validation of the TLS certificate requires a public hosted zone and doesn’t work with a PHZ. The repo that was shared includes an email validation method using a PHZ. https://github.com/aws-samples/serverless-samples/blob/main/apigw-private-custom-domain-name/iac/certificate.yaml
I’m a bit puzzled on this part.
Thanks for clarifying the ambiguity around public and private hosted zones with respect to TLS generation in ACM. I went through the steps you provided and they worked perfectly. It would be nice to have the private API Gateway support custom domain names natively without adding an additional layer of elastic load balancing. Nevertheless, at least we have a working solution. Thank you!