
We’ve got a Rails app deployed on AWS Elastic Beanstalk (nginx/puma).

Users are free to set up their own custom domain name, for which we ask them to add a CNAME record pointing to our Elastic Beanstalk domain.

But we also need to generate an SSL certificate for the custom domain using AWS ACM. (How to do this via the AWS API?)
Once we do this we can just show the user the CNAME record to add to their DNS provider for the domain name verification.

Then which AWS API do I have to call to see if the SSL certificate is ready to be used?
And how to attach the SSL certificate to the Elastic Beanstalk environment (load balancer?)

3 Answers


  1. "which AWS API do I have to call to see if the SSL certificate is ready to be used"

    You have to use DescribeCertificate and check if its Status is ISSUED.

    Normally, you have to implement a loop which will query the status iteratively, e.g. every 15 seconds, till it's issued. But some AWS SDKs provide "waiters" for that. In Ruby you have the CertificateValidated waiter.

    "And how to attach the SSL certificate to the Elastic Beanstalk environment"

    To add an SSL certificate to the ALB you have to use the AddListenerCertificates API on your EB’s load balancer.

  2. AWS Certificate Manager (ACM) has a RequestCertificate API, which can be used to request a certificate.
    Special care needs to be taken about the DnsValidationOption; this can also be done via e-mail or DNS record. Both have different user flows.

    • E-Mail: Needs to be something@USER-CNAME
    • DNS record: The user needs to add a DNS entry to their DNS. The record that needs to be added can be seen in the DescribeCertificate call (see the last example on the page for a response JSON for DNS validation).

    The AWS page also shows examples on how to call the API. After the API is called, an ARN is known to the callee.
    The ARN can be used to describe and check the current status. This must either be done via repeated polling (as other questions say) or you can get an event via EventBridge.
    The latter one is especially useful, as it also contains events for:

    • Renewal
    • Issued
    • and Expired.

    You can find event information here.

    The AWS Documentation also contains links to the SDKs at the bottom, for example Ruby.

  3. I think what you are seeking is a serverless solution for the implementation.

    Here is my quick-thinking solution that you can try:

    API Gateway --> Lambda (Request) --> SQS --> Lambda (Verify) --> SNS (E-mail) --> Lambda (Attach)

    You can make a simple backend with a REST/HTTP API like /request which proxies requests to a Lambda function that is used for requesting an ACM certificate. You can try Python3/Boto3 with ValidationMethod set to EMAIL. Once done, send a message to an SQS delay queue (i.e. 10 min).

    https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/acm.html#ACM.Client.request_certificate

    Then, the Lambda function which is used for verification will be able to check if your customer accepted the validation within the allowed time (10 min); then you can send an SNS notification or any e-mail mechanism to them for the Success status.

    https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/acm.html#ACM.Client.describe_certificate

    You can also subscribe another Lambda function for processing the next steps of your ElasticBeanstalk Load Balancers modifications.

    https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/elbv2.html#ElasticLoadBalancingv2.Client.modify_listener

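Added example (not code from any of the answers above) pulling together the flow from answers 1 and 3: request a DNS-validated certificate, hand the user the validation CNAME from DescribeCertificate, and poll until Status is ISSUED with a bounded number of attempts. `CustomDomainCerts`, `HOSTNAME` and `FakeAcm` are hypothetical names; in the app you would pass `Aws::ACM::Client.new(region: ...)` from the aws-sdk-acm gem instead of the constructed `FakeAcm`, and the final AddListenerCertificates call from answer 1 goes through the ELBv2 client once `wait_until_issued` returns true.

```ruby
# Hypothetical hostname check so only a plain DNS name reaches ACM.
HOSTNAME = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i

class CustomDomainCerts
  def initialize(acm) # anything answering request_certificate / describe_certificate
    @acm = acm
  end

  # RequestCertificate with DNS validation; returns [arn, CNAME record for the user]
  def request(domain)
    raise ArgumentError, "not a hostname: #{domain.inspect}" unless domain.match?(HOSTNAME)
    arn = @acm.request_certificate(domain_name: domain, validation_method: 'DNS').certificate_arn
    [arn, validation_record(arn)]
  end

  # DescribeCertificate -> DomainValidationOptions[0].ResourceRecord (nil until ACM sets it)
  def validation_record(arn)
    opt = @acm.describe_certificate(certificate_arn: arn).certificate.domain_validation_options.first
    rr = opt&.resource_record
    rr && { name: rr.name, type: rr.type, value: rr.value }
  end

  # Bounded polling: true only on ISSUED; terminal states stop early instead of spinning
  def wait_until_issued(arn, attempts: 40, interval: 15, sleeper: method(:sleep))
    attempts.times do
      status = @acm.describe_certificate(certificate_arn: arn).certificate.status
      return true if status == 'ISSUED'
      return false if %w[FAILED VALIDATION_TIMED_OUT REVOKED].include?(status)
      sleeper.call(interval)
    end
    false
  end
end

# Constructed stand-in for Aws::ACM::Client (same call/response shapes, no network):
# PENDING_VALIDATION for the first two DescribeCertificate calls, ISSUED afterwards.
class FakeAcm
  RR   = Struct.new(:name, :type, :value)
  Cert = Struct.new(:status, :domain_validation_options)
  def initialize; @describes = 0; end
  def request_certificate(domain_name:, validation_method:)
    Struct.new(:certificate_arn).new("arn:aws:acm:us-east-1:123456789012:certificate/#{domain_name}")
  end
  def describe_certificate(certificate_arn:)
    @describes += 1
    rr = RR.new('_token.app.customer-example.com.', 'CNAME', '_token.acm-validations.aws.')
    status = @describes >= 3 ? 'ISSUED' : 'PENDING_VALIDATION'
    Struct.new(:certificate).new(Cert.new(status, [Struct.new(:resource_record).new(rr)]))
  end
end
```

Only attach a certificate whose status came back ISSUED; a PENDING_VALIDATION or FAILED ARN passed to AddListenerCertificates is a misconfiguration, not a working listener.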