
Secure your Serverless project’s endpoints with AWS Certificate Manager

Here at GorillaStack we’ve been using LetsEncrypt to issue SSL certificates for custom domains on AWS’s API Gateway for all our Serverless projects. While we love this service, securing a custom domain for API Gateway required a time consuming, manual process to be repeated every time a certificate expired. That’s why we were so excited by the recent announcement of API Gateway’s integration with ACM!

AWS Certificate Manager

Below I’ll give you a quick rundown of the now simple process of requesting a certificate through ACM for your Serverless project’s custom domain (or any other custom domain) without having to use LetsEncrypt.

It’s worth noting from the start that you will need access to the email address registered to the custom domain. When requesting a certificate, ACM will send a verification email to the domain’s Registrant Email to validate that the requestor has control over the domain.

Pro Tip: If you’re not sure which email address is registered to the domain, a quick `whois domain.com` in the terminal will show the Registrant Email, which is where ACM will send the verification request.

Requesting a Certificate Through ACM for your Serverless Project

  1. Head to the ACM Console and click ‘Request a Certificate’ (or ‘Get Started’ if it’s your first time using ACM).
  2. Enter the full domain you will be using for the project, or use a wildcard (\*) if you want the certificate to cover multiple sites under the domain e.g. ‘\*.example.com’.
  3. Click through ‘Review and Request’, ‘Confirm and Request’, and ‘continue’.
  4. Check the Registrant address for the verification email, follow the link to Amazon Certificate Approvals, and click the ‘I Approve’ button.

The status of your certificate in ACM should change from pending to issued, and you’re all done! You can now head to API Gateway and set up a custom domain as usual, only now you’ll be able to quickly select your certificate from a dropdown menu! If you are updating an existing custom domain, click Edit, and check the ‘Change Certificate’ box to see the menu.

Pro Tip: Like all resources in AWS, your certificate will be tied to a unique ARN, which will be used to reference it from other AWS services. This ARN will persist through automatic renewals.

So there you have it: as long as ACM can continue to successfully establish an HTTPS connection with your domain, it will automatically renew the certificate. No more manually requesting certificates, creating record sets for verification, or uploading certificates!
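The console steps above can also be scripted. The following is an added example written for this post, not GorillaStack’s code or the Serverless framework’s: it uses boto3 to request an email-validated certificate (steps 1–3), polls until the registrant has clicked ‘I Approve’ (step 4), and then either creates the API Gateway custom domain with the certificate or swaps the certificate on an existing one (the ‘Change Certificate’ case). The helper functions take the ACM and API Gateway clients as arguments so they can be exercised against fakes; the `main` function, the `us-east-1` region (which edge-optimized API Gateway custom domains require for their ACM certificate) and the domain names are assumptions for illustration.

```python
"""Request an ACM certificate for an API Gateway custom domain and attach it.

Added example, not the original post's code. Assumes boto3 credentials are
configured and that the caller controls the domain's Registrant Email.
"""
import time


def request_certificate(acm, domain, extra_names=()):
    """Steps 1-3: ask ACM for a certificate validated by the registrant e-mail.

    extra_names lets you add a wildcard such as '*.example.com' alongside the
    bare domain. Returns the certificate ARN, which persists across renewals.
    """
    params = {"DomainName": domain, "ValidationMethod": "EMAIL"}
    if extra_names:
        params["SubjectAlternativeNames"] = list(extra_names)
    return acm.request_certificate(**params)["CertificateArn"]


def certificate_status(acm, cert_arn):
    """Current ACM status, e.g. PENDING_VALIDATION, ISSUED, FAILED."""
    return acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]["Status"]


def wait_until_issued(acm, cert_arn, poll_seconds=30, max_polls=120, sleep=time.sleep):
    """Step 4: poll until the verification link has been approved.

    Returns the final status; anything other than ISSUED means the domain is
    not yet usable (still pending, timed out, or failed), so callers must check.
    """
    for _ in range(max_polls):
        status = certificate_status(acm, cert_arn)
        if status != "PENDING_VALIDATION":
            return status
        sleep(poll_seconds)
    return "PENDING_VALIDATION"


def attach_certificate(apigw, domain, cert_arn):
    """Create the custom domain with the certificate, or replace the
    certificate on an existing domain (the console's 'Change Certificate').

    Returns 'created' or 'updated' so the caller knows which path was taken.
    """
    existing = {d["domainName"] for d in apigw.get_domain_names().get("items", [])}
    if domain in existing:
        apigw.update_domain_name(
            domainName=domain,
            patchOperations=[{"op": "replace", "path": "/certificateArn", "value": cert_arn}],
        )
        return "updated"
    apigw.create_domain_name(domainName=domain, certificateArn=cert_arn)
    return "created"


def main(api_domain="api.example.com", cert_domain="example.com"):
    """End-to-end run against real AWS (assumed domain names; edit to taste)."""
    import boto3  # imported here so the helpers above stay importable offline

    # Edge-optimized API Gateway custom domains require the ACM cert in us-east-1.
    acm = boto3.client("acm", region_name="us-east-1")
    apigw = boto3.client("apigateway", region_name="us-east-1")

    arn = request_certificate(acm, cert_domain, extra_names=["*." + cert_domain])
    print("Requested", arn, "- check the Registrant Email and click 'I Approve'")
    status = wait_until_issued(acm, arn)
    if status != "ISSUED":
        raise SystemExit("Certificate not issued, status is " + status)
    print("Custom domain", api_domain, attach_certificate(apigw, api_domain, arn))


if __name__ == "__main__":
    main()
```

Run it with `python script.py` after `aws configure`; the script blocks at `wait_until_issued` until the approval link from the verification email has been clicked. Because `wait_until_issued` returns the final status instead of assuming success, a `VALIDATION_TIMED_OUT` or `FAILED` certificate is reported rather than silently attached.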

  • magheru_san

    Nice article, thanks!

    I actually used to solve this for a long time by having a CloudFront distribution in front of the API gateway.

    Honestly I think the API Gateway is broken by design because it’s a regional service (it relies on the regional Lambda endpoints) at the same time bound to a global namespace dictated by its internal use of CloudFront, so it can’t be deployed in a multi-regional setup for the same custom domain.

    I think it should not be expanded to expose more CloudFront functionality like it was with custom domains, now ACM, and it’s very bad at it anyway, since most of the CloudFront features are still not exposed.

    I think it should instead be decoupled entirely from CloudFront and converted into a truly regional service similar to the ALB (or why not just merged into the ALB), that could be used directly over HTTP, aliased to a latency-based DNS record, and multiple such regional endpoints could be used as origins by a distinct CloudFront distribution.