Add Support for ACM-hosted SSL Certificates #710

Closed

Miserlou opened this issue Mar 10, 2017 · 9 comments

Comments

@Miserlou
Owner

Hooray! API Gateway now supports ACM SSL! Announcement: https://aws.amazon.com/about-aws/whats-new/2017/03/amazon-api-gateway-integrates-with-aws-certificate-manager-acm/

We should add these as an option.

The question is, how much should be automatic, and how much should be manual? Should Zappa simply reference an ACM certificate ARN, or should Zappa actually create the certificate?

Unfortunately, it can't be fully automatic, as ACM requires email rather than domain-based domain name verification, even if your domain is hosted on Amazon already. Therefore, it may be simplest to simply reference the ARN.

This ticket also does not mean that we will be dropping support for Let's Encrypt.

Related docs:
http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html

http://boto3.readthedocs.io/en/latest/reference/services/apigateway.html?highlight=Api%20gateway

Interestingly, it says this:

The reference to an AWS-managed certificate. AWS Certificate Manager is the only supported source.

Which may mean that they have simply broken our existing code with no warning, I'm not sure yet. Either way, thanks Jeff.

@pjz
Contributor

pjz commented Mar 13, 2017

Zappa should at least be able to just reference an ACM certificate ARN. Maybe with an 'auto' setting or something that does generation of it for you. 'auto' would handle simple one-domain-one-cert cases, but complex ones - like maybe a bunch of sites that all use a wildcard cert or something - would need the ability to just supply an ARN.

@Miserlou
Owner Author

Hoping to investigate some of this today.

@Miserlou
Owner Author

This is now available in version 0.39.0, which lets you supply a certificate_arn setting.

@abdulwahid24
Contributor

abdulwahid24 commented Mar 15, 2017

@Miserlou I tried it with a Singapore-region ACM SSL certificate, but it's raising an issue

Traceback (most recent call last):
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/zappa/cli.py", line 2142, in handle
    sys.exit(cli.handle())
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/zappa/cli.py", line 414, in handle
    self.dispatch_command(self.command, environment)
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/zappa/cli.py", line 502, in dispatch_command
    manual=self.vargs['manual']
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/zappa/cli.py", line 1456, in certify
    self.api_stage
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/zappa/zappa.py", line 1413, in create_domain_name
    certificateArn=certificate_arn
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/botocore/client.py", line 253, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/botocore/client.py", line 543, in _make_api_call
    raise error_class(parsed_response, operation_name)
BadRequestException: An error occurred (BadRequestException) when calling the CreateDomainName operation: Invalid certificate ARN: arn:aws:acm:ap-southeast-1:042373950390:certificate/50886336-b65b-4147-89e8-625f4edfa842. Certificate must be in 'us-east-1'.

Is there any way to specify the region for it?

Thanks,
Abdul Wahid

@Miserlou
Owner Author

zappa_settings? It says "Certificate must be in 'us-east-1'." It's possible that AWS only supports this service in u-e-1, I'm not sure. Nothing is hardcoded in.
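The "Certificate must be in 'us-east-1'" rejection above is a hard rule of API Gateway custom domains, not something Zappa chose: an edge-optimized custom domain is served through CloudFront, and CloudFront only reads ACM certificates from us-east-1, whatever region the API and the rest of your stack live in. The following is an added example (not Zappa's code and not from this thread) that parses the ACM ARN and applies that rule locally before CreateDomainName is ever called, so a certificate requested in ap-southeast-1 is refused with a readable reason instead of a BadRequestException. The ARNs are constructed with made-up account and certificate IDs; the boto3 client is injected rather than created so the block runs offline, and the REGIONAL branch (certificate in the API's own region, passed as regionalCertificateArn) describes regional endpoints that did not exist when this thread was written and is an assumption about today's API beyond what the thread shows.

```python
import re

# Constructed sample ARNs (account and certificate IDs are made up).
EDGE_CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
SINGAPORE_CERT_ARN = "arn:aws:acm:ap-southeast-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"

ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d{12}|):(?P<resource>.+)$"
)


def parse_arn(arn):
    """Split an ARN into partition/service/region/account/resource."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError("not an ARN: %r" % arn)
    return m.groupdict()


def check_certificate_arn(arn, endpoint_type="EDGE", api_region=None):
    """Return the parsed ARN, or raise ValueError saying why API Gateway would reject it."""
    parts = parse_arn(arn)
    if parts["service"] != "acm":
        raise ValueError("API Gateway custom domains only accept ACM certificates, got service %r" % parts["service"])
    if not parts["resource"].startswith("certificate/"):
        raise ValueError("not a certificate ARN: %r" % parts["resource"])
    if endpoint_type == "EDGE":
        # Edge-optimized domains are fronted by CloudFront, which only uses us-east-1 certificates.
        if parts["region"] != "us-east-1":
            raise ValueError(
                "edge-optimized custom domains are served by CloudFront; the certificate must be "
                "in us-east-1, but this one is in %s" % parts["region"])
    elif endpoint_type == "REGIONAL":
        # Assumption about regional endpoints (not in the thread): certificate in the API's region.
        if api_region is None or parts["region"] != api_region:
            raise ValueError("regional custom domains need a certificate in the API's region %r, got %r"
                             % (api_region, parts["region"]))
    else:
        raise ValueError("unknown endpoint type %r" % endpoint_type)
    return parts


def rejection_reason(arn, endpoint_type="EDGE", api_region=None):
    """None if the ARN passes the local check, otherwise the human-readable reason."""
    try:
        check_certificate_arn(arn, endpoint_type, api_region)
    except ValueError as e:
        return str(e)
    return None


def create_custom_domain(apigw_client, domain_name, certificate_arn, endpoint_type="EDGE", api_region=None):
    """Validate, then call CreateDomainName on the supplied boto3 'apigateway' client.
    With a real client: create_custom_domain(boto3.client("apigateway"), "api.example.com", arn)."""
    check_certificate_arn(certificate_arn, endpoint_type, api_region)
    if endpoint_type == "EDGE":
        return apigw_client.create_domain_name(domainName=domain_name, certificateArn=certificate_arn)
    return apigw_client.create_domain_name(
        domainName=domain_name,
        regionalCertificateArn=certificate_arn,
        endpointConfiguration={"types": ["REGIONAL"]},
    )


class _RecordingClient:
    """Stand-in for the boto3 apigateway client so the demonstration runs offline."""

    def __init__(self):
        self.calls = []

    def create_domain_name(self, **kwargs):
        self.calls.append(kwargs)
        return {"domainName": kwargs["domainName"],
                "distributionDomainName": "d111111abcdef8.cloudfront.net"}


def demo():
    """Accept the us-east-1 certificate, reject the ap-southeast-1 one before any API call."""
    client = _RecordingClient()
    ok = create_custom_domain(client, "api.example.com", EDGE_CERT_ARN)
    rejected = rejection_reason(SINGAPORE_CERT_ARN)
    return ok, rejected, client.calls


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a deployment that otherwise lives in ap-southeast-1 is that the certificate alone is requested in us-east-1; the Lambda function, the API and the Route 53 zone stay where they are.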

@abdulwahid24
Contributor

What should I do? I have all my AWS services using the Singapore region, and I need to use certificate_arn because Let's Encrypt is raising an issue (as mentioned in #590) of permission denied, because auto renewal is not updating the certificate, which I set to 15 days, and it's problematic as I am moving towards a production environment by next week. Can you suggest some recommendations so that this kind of issue can be avoided after a successful production deployment?

@Miserlou
Owner Author

Miserlou commented Mar 15, 2017 via email

@abdulwahid24
Contributor

abdulwahid24 commented Mar 15, 2017

I did try that

  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/zappa/cli.py", line 2142, in handle
    sys.exit(cli.handle())
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/zappa/cli.py", line 414, in handle
    self.dispatch_command(self.command, environment)
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/zappa/cli.py", line 502, in dispatch_command
    manual=self.vargs['manual']
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/zappa/cli.py", line 1459, in certify
    self.zappa.update_route53_records(self.domain, dns_name)
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/zappa/zappa.py", line 1472, in update_route53_records
    'ResourceRecordSet': record_set
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/botocore/client.py", line 253, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Volumes/Seagate/workspace/homejoy/env/lib/python2.7/site-packages/botocore/client.py", line 543, in _make_api_call
    raise error_class(parsed_response, operation_name)
InvalidChangeBatch: An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: RRSet of type CNAME with DNS name api.conjuror.in. is not permitted as it conflicts with other records with the same DNS name in zone conjuror.in.

But it seems like I need to configure my Route 53 according to the us-east region.

@abdulwahid24
Contributor

I got it working: I followed the error message and removed the domain from CloudFront and removed the subdomain from Route 53; then, once it had created the ACM custom domain, I reverted my settings in CloudFront and Route 53. Now I have an ACM custom domain. Thanks @Miserlou
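The InvalidChangeBatch in the second traceback is DNS's own rule, enforced by Route 53: a CNAME cannot share its name with any other record, and api.conjuror.in already had an alias A record for the CloudFront distribution. The workaround above (delete the conflicting record, let Zappa create the CNAME, put the record back) works but leaves a window with no DNS record at all. The following is an added example (not Zappa's code and not from this thread) that inspects the zone first and picks a change Route 53 will accept: a CNAME when the name is free, otherwise an UPSERT of an alias A record pointing at the API Gateway distribution, which replaces the existing A record in one change rather than colliding with it. The record sets are constructed to mirror the thread and use the same dict shape boto3's list_resource_record_sets returns, so a real zone can be fed in instead; the route53 client is injected so the block runs offline. Whether Zappa itself will manage an alias record is not something this thread establishes, so treat the alias branch as something you would apply yourself.

```python
# Route 53 alias hosted zone ID shared by every CloudFront distribution.
CLOUDFRONT_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"

# Constructed sample zone contents, in the shape of
# route53.list_resource_record_sets(...)["ResourceRecordSets"].
SAMPLE_RECORD_SETS = [
    {"Name": "conjuror.in.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.com."}]},
    {"Name": "conjuror.in.", "Type": "SOA", "TTL": 900,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"}]},
    # The record that made the CNAME fail in the thread: an alias A to CloudFront.
    {"Name": "api.conjuror.in.", "Type": "A",
     "AliasTarget": {"HostedZoneId": CLOUDFRONT_HOSTED_ZONE_ID,
                     "DNSName": "d0000000000000.cloudfront.net.",
                     "EvaluateTargetHealth": False}},
]


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def cname_conflicts(record_sets, domain):
    """Records at `domain` of any type other than CNAME. Any one of them makes a
    CNAME at that name an InvalidChangeBatch, which is the error in the thread."""
    name = _fqdn(domain).lower()
    return [r for r in record_sets if r["Name"].lower() == name and r["Type"] != "CNAME"]


def cname_change_batch(domain, target, ttl=60):
    """The change Zappa's CNAME approach needs: only valid when the name is otherwise unused."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": _fqdn(domain), "Type": "CNAME", "TTL": ttl,
        "ResourceRecords": [{"Value": _fqdn(target)}]}}]}


def alias_change_batch(domain, distribution_domain_name):
    """Alias A record to the API Gateway distribution. An UPSERT replaces an existing
    A record at the name and can coexist with every type except CNAME."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": _fqdn(domain), "Type": "A",
        "AliasTarget": {"HostedZoneId": CLOUDFRONT_HOSTED_ZONE_ID,
                        "DNSName": _fqdn(distribution_domain_name),
                        "EvaluateTargetHealth": False}}}]}


def plan_change(record_sets, domain, distribution_domain_name):
    """Return (kind, change_batch, records_the_change_overwrites)."""
    conflicts = cname_conflicts(record_sets, domain)
    if not conflicts:
        return "CNAME", cname_change_batch(domain, distribution_domain_name), []
    overwritten = [r for r in conflicts if r["Type"] == "A"]
    return "ALIAS", alias_change_batch(domain, distribution_domain_name), overwritten


def apply_change(route53_client, hosted_zone_id, record_sets, domain, distribution_domain_name):
    """Plan, then submit through the supplied boto3 'route53' client (real or stub)."""
    kind, batch, _overwritten = plan_change(record_sets, domain, distribution_domain_name)
    route53_client.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    return kind


class _RecordingRoute53:
    """Stand-in for the boto3 route53 client so the demonstration runs offline."""

    def __init__(self):
        self.batches = []

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        self.batches.append((HostedZoneId, ChangeBatch))
        return {"ChangeInfo": {"Status": "PENDING"}}


if __name__ == "__main__":
    client = _RecordingRoute53()
    # Hosted zone ID and distribution name below are made up for the demonstration.
    print(apply_change(client, "Z0000000000000", SAMPLE_RECORD_SETS,
                       "api.conjuror.in", "d111111abcdef8.cloudfront.net"))
    print(client.batches)
```

Run against the real zone, replace SAMPLE_RECORD_SETS with the ResourceRecordSets list from list_resource_record_sets and pass a real boto3.client("route53"); the distributionDomainName is the value CreateDomainName (or get_domain_name) returns for the custom domain.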
