- Newest
- Most votes
- Most comments
It's not possible to validate an ACM public certificate using a domain record in a Route 53 private hosted zone by design.
When you request an ACM public certificate using DNS validation, ACM provides a CNAME record that you must add to your DNS configuration to validate your ownership of the domain. Because anyone can create a private DNS zone and put records on it under any domain name, being able to make a change in a private DNS zone doesn't prove public ownership of the domain.
To issue an ACM managed SSL certificate using a private FQDN, add the DNS validation record to the public zone.
The key here is that ACM validates using SOA records following TLD NS path.
Hi ,thanks for the response. I think this is what I have tried:
Public Hosted Zone: domain.com SOA: ns-2001.awsdns-58.co.uk. awsdns-hostmaster.amazon.com. NS: internal.domain.com ->
ns-1536.awsdns-00.co.uk. ns-0.awsdns-00.com. ns-1024.awsdns-00.org. ns-512.awsdns-00.net.CNAME: verification_host.internal.domain.com A: host.internal.domain.com -> alias to LB
Private Hosted Zone: internal.domain.com SOA: ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. NS: internal.domain.com
ns-1536.awsdns-00.co.uk. ns-0.awsdns-00.com. ns-1024.awsdns-00.org. ns-512.awsdns-00.net.Am I missing something here? This was still pending for more than 1 hour. Usually the changes take for 3-5 minutes until everything is validated...
It is possible to create 2 route53 zones (private/public) with the same names and resolve your certificate by public one.
But you need to take into account routing peculiarities: if you have private and public hosted zones that have overlapping namespaces, such as example.com and accounting.example.com, Resolver routes traffic based on the most specific match. When users are logged into an EC2 instance in an Amazon VPC that you have associated with the private hosted zone, here's how Route 53 Resolver handles DNS queries:
- Resolver evaluates whether the name of the private hosted zone matches the domain name in the request, such as accounting.example.com. A match is defined as either of the following:
-
An identical match
-
The name of the private hosted zone is a parent of the domain name in the request. For example, suppose the domain name in the request is the following:
seattle.accounting.example.com
The following hosted zones match because they're parents of seattle.accounting.example.com:
accounting.example.com
example.com
- If there's no matching private hosted zone, then Resolver forwards the request to a public DNS resolver, and your request is resolved as a regular DNS query.
It also can cause issues when you use external-dns for EKS (e.g.) https://github.com/kubernetes-sigs/external-dns/issues/423.
Relevant content
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
Hi, thanks a lot for your answer. I think I read almost the same answer on a similar question, but I don't fully understand it. I can put whatever I like in my public hosted zone and point a record to it. How is this different from my private zone, except for the reason that it can not be queried by anyone, but only from resources within the zone?
I mean the private zone is just a subset of the public zone and the certificate is just for a certain domain.
Apart from that, how could I circumvent this issue and generate a certificate for this internal LB?
Thanks :)