ACM domain validation: Renewal for internal or non-public Load-Balancers


A customer is using ACM managed certificates and domain validation. Their load balancers are not publicly reachable (protected by security groups, but this probably also applies to internal load balancers), but for the renewal of the certificates an HTTPS connection is made from ACM to the domains in the certificate:

"ACM must be able to establish an HTTPS connection with each domain in the certificate."
https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html
They want to be able to automate the renewal process, i.e. they don't want to use email validation.

I wonder why the HTTPS request is necessary at all for DNS validation and renewal (this is generally not required for DNS validation by other certificate providers).

Do we have any workaround for this? E.g. allow a defined IP range from ACM in the security groups?

1 Answer
Accepted Answer

As specified in the launch blog post: https://aws.amazon.com/blogs/security/easier-certificate-validation-using-dns-with-aws-certificate-manager/ and in the DNS Public Docs: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html

If the customer validates a certificate using DNS:

ACM automatically renews certificates that are deployed and in use with other AWS services as long as the CNAME record remains in your DNS configuration. To learn more about ACM DNS validation, see the ACM FAQs and the ACM documentation.

Establishing a TLS connection to the domain will not be necessary to automatically renew DNS-Validated Certificates as long as the CNAMEs used to initially validate the domain(s) are still reachable via public DNS.

Hope that helps!

AWS
answered 6 years ago
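The answer above reduces the renewal question to one condition: the validation CNAMEs must still be resolvable in public DNS. The following script, an added example and not code from the post or from AWS, is the check a practitioner would script before renewal windows. It reads the `DomainValidationOptions[].ResourceRecord` entries in the JSON shape returned by `aws acm describe-certificate`, asks a resolver for each CNAME, and reports per domain whether the record is present and points at the expected `acm-validations.aws` target. The sample certificate description and the dict-backed resolver are constructed so it runs offline; `dig_resolver` assumes the `dig` binary is installed and deliberately queries a public resolver rather than the VPC resolver, so a record that only exists in a private hosted zone shows up as missing, which is what ACM would see.

```python
"""Verify that the CNAMEs ACM used for DNS validation are still public.

Added example, not from the original post or from AWS. Works on the JSON
shape of `aws acm describe-certificate`. Sample data is constructed.
"""
import json
import subprocess
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed sample of the relevant part of `aws acm describe-certificate`
# output for a certificate covering two names. Record names and values are
# made-up placeholders in the format ACM uses.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "DomainName": "app.example.com",
        "DomainValidationOptions": [
            {"DomainName": "app.example.com",
             "ValidationMethod": "DNS",
             "ValidationStatus": "SUCCESS",
             "ResourceRecord": {"Name": "_1234abcd.app.example.com.",
                                "Type": "CNAME",
                                "Value": "_5678efgh.acm-validations.aws."}},
            {"DomainName": "api.example.com",
             "ValidationMethod": "DNS",
             "ValidationStatus": "SUCCESS",
             "ResourceRecord": {"Name": "_9abc0def.api.example.com.",
                                "Type": "CNAME",
                                "Value": "_0fed1cba.acm-validations.aws."}},
        ],
    }
})


def canonical_name(name: str) -> str:
    """DNS names are case-insensitive; compare without the trailing dot."""
    return name.strip().rstrip(".").lower()


def validation_records(describe_json: str) -> List[Dict[str, str]]:
    """Extract the CNAME record ACM expects to find for each DNS-validated domain."""
    cert = json.loads(describe_json)["Certificate"]
    records = []
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rr:
            continue  # email-validated names have no record to check
        records.append({"domain": opt["DomainName"], "name": rr["Name"],
                        "type": rr["Type"], "value": rr["Value"]})
    return records


def check_renewal_records(describe_json: str, resolve: Resolver) -> Dict[str, str]:
    """Return {domain: 'ok' | 'missing' | 'wrong-target:<seen value>'}.

    `resolve(name)` returns the CNAME target seen in public DNS, or None if
    no CNAME exists. Automatic renewal needs 'ok' for every domain.
    """
    result = {}
    for rec in validation_records(describe_json):
        seen = resolve(rec["name"])
        if seen is None:
            result[rec["domain"]] = "missing"
        elif canonical_name(seen) != canonical_name(rec["value"]):
            result[rec["domain"]] = f"wrong-target:{seen}"
        else:
            result[rec["domain"]] = "ok"
    return result


def dig_resolver(name: str) -> Optional[str]:
    """Real resolver via `dig` (assumed installed), asking a public recursive
    resolver so private-zone-only records are reported as missing."""
    out = subprocess.run(["dig", "+short", "@8.8.8.8", "CNAME", name],
                         capture_output=True, text=True, check=False).stdout
    lines = out.strip().splitlines()
    return lines[0] if lines else None


def make_offline_resolver(zone: Dict[str, str]) -> Resolver:
    """Constructed dict-backed resolver for running this example offline."""
    return lambda name: zone.get(canonical_name(name))


if __name__ == "__main__":
    # Constructed public-DNS view: the first record is intact, the second
    # has been deleted, which is the renewal failure mode to catch.
    public_dns = {"_1234abcd.app.example.com": "_5678efgh.acm-validations.aws."}
    print(check_renewal_records(SAMPLE_DESCRIBE_OUTPUT,
                                make_offline_resolver(public_dns)))
```

In real use, pipe `aws acm describe-certificate --certificate-arn <arn>` into `check_renewal_records` with `dig_resolver`, and treat anything other than `ok` as an action item: a `missing` record is exactly the case where ACM cannot renew on its own, regardless of whether the load balancer is reachable.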
