coin-lion/certificate-validator

Certificate Validator

Certificate Validator is an AWS CloudFormation custom resource which facilitates AWS Certificate Manager (ACM) certificate validation via DNS.

Overview

Certificate Validator solves a common problem:

AWS CloudFormation does not provide a means for automatically validating AWS Certificate Manager (ACM) certificates.

From the AWS::CertificateManager::Certificate documentation:

Important

When you use the AWS::CertificateManager::Certificate resource in an AWS CloudFormation stack, the stack will remain in the CREATE_IN_PROGRESS state. Further stack operations will be delayed until you validate the certificate request, either by acting upon the instructions in the validation email, or by adding a CNAME record to your DNS configuration.

Getting Started

Check out the Getting Started documentation to start using Certificate Validator.

Validating a certificate with DNS

When you use the AWS::CertificateManager::Certificate resource in an AWS CloudFormation stack, the stack will remain in the CREATE_IN_PROGRESS state and any further stack operations will be delayed until you validate the certificate request. Certificate validation can be completed either by acting upon the instructions in the certificate validation email or by adding a CNAME record to your DNS configuration.

The Status Reason for your CloudFormation deploy will contain the following:

Content of DNS Record is: {Name: _x1.<domain-name>.com.,Type: CNAME,Value: _x2.acm-validations.aws.}

Where x1 and x2 are random hexadecimal strings.

To automate DNS validation, you can use this script.

./dns-validation.sh $DOMAIN_NAME $STACK_NAME

However, this is an inelegant solution.
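The parsing step that any automation of this flow has to get right, shown here as an added example (not the project's code, and not the dns-validation.sh script mentioned above): pull the validation CNAME out of the Status Reason text, accept it only if it points into ACM's own validation zone, and turn it into the Route 53 ChangeBatch that boto3's change_resource_record_sets takes. The stack events below are constructed sample data; no AWS call is made.

```python
import re

# Status Reason text as CloudFormation emits it (format shown on this page).
STATUS_REASON_RE = re.compile(
    r"Content of DNS Record is: \{Name: (?P<name>[^,]+),Type: (?P<type>[^,]+),Value: (?P<value>[^}]+)\}"
)

# Validation targets always live under this zone; anything else is not an ACM record.
ACM_VALIDATION_SUFFIX = ".acm-validations.aws."

def parse_validation_record(status_reason):
    """Return {'name', 'type', 'value'} for an ACM DNS validation record, else None."""
    m = STATUS_REASON_RE.search(status_reason)
    if not m:
        return None
    record = {k: v.strip() for k, v in m.groupdict().items()}
    if record["type"] != "CNAME" or not record["value"].endswith(ACM_VALIDATION_SUFFIX):
        # Refuse to create a CNAME that would delegate the name anywhere but ACM.
        return None
    return record

def route53_change_batch(record, ttl=300):
    """Build the ChangeBatch dict expected by Route 53 change_resource_record_sets."""
    return {
        "Comment": "ACM DNS validation",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record["name"],
                "Type": record["type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": record["value"]}],
            },
        }],
    }

# Constructed sample stack events; only the certificate resource carries the record.
SAMPLE_EVENTS = [
    {"LogicalResourceId": "CertificateManagerCertificate",
     "ResourceStatusReason": "Content of DNS Record is: {Name: _deadbeef01.example.com.,Type: CNAME,Value: _cafef00d02.acm-validations.aws.}"},
    {"LogicalResourceId": "CloudFrontDistribution",
     "ResourceStatusReason": "Resource creation Initiated"},
]

def validation_changes_from_events(events):
    """One ChangeBatch per event whose Status Reason carries a valid ACM record."""
    return [route53_change_batch(rec) for ev in events
            if (rec := parse_validation_record(ev.get("ResourceStatusReason", "")))]

if __name__ == "__main__":
    import json
    print(json.dumps(validation_changes_from_events(SAMPLE_EVENTS), indent=2))
```

Note that this handles only the record for DomainName, exactly the limitation the next section describes; SubjectAlternativeNames records never appear in the Status Reason.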

Automation limitations with DNS validation

Since CloudFormation only outputs the Name and Value for validating the root domain name (DomainName), any other subdomain listed in SubjectAlternativeNames that you wish to validate (e.g. www) must be validated manually, using the Name and Value shown in the AWS Management Console.

If you want your service to be accessible via HTTPS on both the www subdomain and root domain, you will need to add an alternate name to the certificate and determine the Name and Value to validate the www subdomain manually:

CertificateManagerCertificate:
  Type: AWS::CertificateManager::Certificate
  Properties:
    DomainName: !Ref DomainName
    SubjectAlternativeNames:
      - !Sub 'www.${DomainName}'
    ValidationMethod: DNS

You will then be able to add the www subdomain to the CloudFront distribution:

CloudFrontDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Aliases:
        - !Ref DomainName
        - !Sub 'www.${DomainName}'

Note: DNS validation can be done manually via the AWS Management Console: Certificate Manager > Create record in Route 53.

Subject Alternative Name

Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called Subject Alternative Names (SANs). Names include:

  • Email addresses
  • IP addresses
  • URIs
  • DNS names (this is usually also provided as the Common Name RDN within the Subject field of the main certificate.)
  • directory names (alternative Distinguished Names to that given in the Subject)
  • other names, given as a General Name: a registered object identifier followed by a value

Development

Installation

Serverless

Install Node.js and NPM:

brew install node

Install the Serverless Framework open-source CLI:

npm install -g serverless

Python

Create a new virtual environment:

mkvirtualenv certificate-validator

Install requirements:

pip install -r certificate_validator/requirements_dev.txt

Deployment

Deploy Certificate Validator:

make deploy

Note: An optional STAGE variable can be used to specify the stage. Defaults to dev.

Example

make deploy STAGE=prod

To remove Certificate Validator, run make remove.

Note: An optional STAGE variable can be used to specify the stage. Defaults to dev.

Example

make remove STAGE=prod

Use bumpversion to increment the current version:

cd certificate_validator
bumpversion <major | minor | patch>

About

An AWS Lambda-backed Custom Resource for automating AWS Certificate Manager certificate validation