Home > database >  How to migrate from Heroku ACM to AWS Certificate Manager?
How to migrate from Heroku ACM to AWS Certificate Manager?

Time:10-27

Apologies on the broad title;my question is mainly around validating domain names in AWS Certificate Manager such that I can get valid ACM going. These are currently in Heroku and need to be migrated into AWS.

The Heroku ACM will validate a custom domain and issue a certificate if the DNS for said custom domain is a CNAME to the Heroku app's main domain. For example, if I have my-heroku-app.com and I make a CNAME from example.com to that then Heroku will successfully generate a cert and I can visit https://example.com with proper TLS. This can be verified with a simple curl -Iv https://example.com which shows a certificate issued by Let's Encrypt.

Conversely the AWS Certificate Manager requires a specific CNAME record and value to be set on a domain in order for it to generate certificates for that domain. Until that happens, I do not see a way to use things like API Gateway or ELB with said domain.

Is there a way I can migrate these domain certificates into AWS Certificate Manager from Heroku, e.g. without having to go through the typical validation process for each one of them? The main Heroku app domain is one which is going to be pointed to AWS via API Gateway and at that point all of those custom domains will fail because they're not registered in AWS API Certificate Manager.

CodePudding user response:

Conversely the AWS Certificate Manager requires a specific CNAME record and value to be set on a domain in order for it to generate certificates for that domain. Until that happens, I do not see a way to use things like API Gateway or ELB with said domain.

There is absolutely nothing stopping you from creating the ACM validation CNAME records in your DNS service, to complete the creation of the certificate in ACM, while still leaving all your current DNS records in place. The ACM validation record is just a new DNS record, it doesn't replace any of your existing records, and it is only used for validation that you own the domain name, it isn't used for actual routing of any network requests.

Is there a way I can migrate these domain certificates into AWS Certificate Manager from Heroku, e.g. without having to go through the typical validation process for each one of them?

You have to go through the validation for each one, there is no getting around that. You could script it if you have a lot of them.

The main Heroku app domain is one which is going to be pointed to AWS via API Gateway and at that point all of those custom domains will fail because they're not registered in AWS API Certificate Manager.

This is incorrect. You don't have to "register a domain to AWS Certificate Manager" in order to validate the certificate and get the certificate. ACM isn't validating that you have a domain pointing to an AWS API before it issues you the certificate. It is just validating that you own the domain name, via a new CNAME record that is only used for domain ownership validation.

I suggest you start the certificate creation process in ACM, and look at the CNAME record it asks you to create. You will see that it is totally unrelated to any of your current DNS records, and does not conflict with them.

Page link:https//www.codepudding.com/database/589304.html

Prev:Is there a solution to load html without asking me to store them in static folder?
Next:GitLab local runner fails when deploying to Heroku using dpl
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding