We’ve got a Rails app deployed on AWS Elastic Beanstalk (nginx/puma).
Users are free to set up their own custom domain name, for which we ask them to add a CNAME record pointing to our Elastic Beanstalk domain.
But we also need to generate an SSL certificate for the custom domain using AWS ACM. (How do we do this via the AWS API?)
Once we do this we can just show the user the CNAME record to add to their DNS provider for the domain name verification.
Then which AWS API do I have to call to see if the SSL certificate is ready to be used?
And how do we attach the SSL certificate to the Elastic Beanstalk environment (load balancer?)
3 Answers
You have to use DescribeCertificate and check if its Status is ISSUED. Normally, you have to implement a loop which will query the status iteratively, e.g. every 15 seconds, till it's issued. But some AWS SDKs provide "waiters" for that. In Ruby you have the CertificateValidated waiter.
To add an SSL certificate to the ALB you have to use the AddListenerCertificates API on your EB's load balancer.
AWS Certificate Manager (ACM) has a RequestCertificate API, which can be used to request a certificate.
Special care needs to be taken about the DnsValidationOption; this can also be done via e-mail or DNS record. Both have different user flows.
The AWS page also shows examples of how to call the API. After the API is called, an ARN is known to the callee.
The ARN can be used to describe and check the current status. This must either be done via repeated polling (as other questions say) or you can get an event via EventBridge.
The latter one is especially useful, as it also contains events for:
You can find event information here.
The AWS documentation also contains links to the SDKs at the bottom, for example Ruby.
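The flow the two answers above describe, written out as an added example (not code from the question or the answers) against the method names of the AWS SDK for Ruby (aws-sdk-acm, aws-sdk-elasticloadbalancingv2): RequestCertificate with DNS validation, DescribeCertificate to read the CNAME the customer must create and later the ISSUED status, then AddListenerCertificates on the EB load balancer's listener. The clients are injected, so the constructed stub at the bottom lets it run with no AWS access; the ARNs, domain and validation record values in the stub are placeholders.

```ruby
# 1. Request a DNS-validated cert for the customer's domain; ACM returns only the ARN now.
def request_custom_domain_cert(acm, domain)
  acm.request_certificate(domain_name: domain, validation_method: 'DNS').certificate_arn
end

# 2. The CNAME the customer must add at their DNS provider. This DNS validation is
#    what proves they control the domain; never attach a cert for a user-typed host
#    before ACM has issued it. The record may be absent for a moment after the request.
def validation_cname(acm, arn)
  opt = acm.describe_certificate(certificate_arn: arn).certificate.domain_validation_options.first
  rr = opt && opt.resource_record
  rr && { name: rr.name, type: rr.type, value: rr.value }
end

# 3. Poll DescribeCertificate until Status is ISSUED (the SDK's :certificate_validated
#    waiter wraps this same loop); give up after `attempts` polls.
def wait_until_issued(acm, arn, attempts: 40, delay: 15)
  attempts.times do
    return true if acm.describe_certificate(certificate_arn: arn).certificate.status == 'ISSUED'
    sleep delay
  end
  false
end

# 4. Add the issued cert to the EB ALB's HTTPS listener; the ALB serves it via SNI.
def attach_to_listener(elbv2, listener_arn, arn)
  elbv2.add_listener_certificates(listener_arn: listener_arn, certificates: [{ certificate_arn: arn }])
end

# Constructed offline stand-in (assumption, not the SDK) mirroring the response shapes
# the real clients return; it turns ISSUED after `issue_after` DescribeCertificate calls.
Resp = Struct.new(:certificate_arn, :certificate)
Cert = Struct.new(:status, :domain_validation_options)
Opt  = Struct.new(:resource_record)
RR   = Struct.new(:name, :type, :value)
class FakeAcm
  attr_reader :polls
  def initialize(issue_after:); @issue_after = issue_after; @polls = 0; end
  def request_certificate(domain_name:, validation_method:)
    @domain = domain_name
    Resp.new('arn:aws:acm:REGION:ACCOUNT:certificate/EXAMPLE', nil)
  end
  def describe_certificate(certificate_arn:)
    @polls += 1
    rr = RR.new("_token.#{@domain}.", 'CNAME', '_token.acm-validations.aws.')
    status = @polls > @issue_after ? 'ISSUED' : 'PENDING_VALIDATION'
    Resp.new(certificate_arn, Cert.new(status, [Opt.new(rr)]))
  end
end
class FakeElbv2
  def attached; @attached ||= []; end
  def add_listener_certificates(listener_arn:, certificates:)
    attached.concat(certificates.map { |c| c[:certificate_arn] })
  end
end
```

With the real gems, pass `Aws::ACM::Client.new` and `Aws::ElasticLoadBalancingV2::Client.new` in place of the stubs; the listener ARN is that of the HTTPS listener on the environment's load balancer.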
I think what you are seeking is a serverless solution for the implementation.
Here is my quick-thinking solution that you can try:
You can make a simple backend with a REST/HTTP API like /request which proxies requests to a Lambda function which is used for requesting an ACM certificate. You can try Python3/Boto3 with ValidationMethod set to EMAIL. Once done, send a message to an SQS delay queue (i.e. 10 min).
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/acm.html#ACM.Client.request_certificate
Then, the Lambda function which is used for verification will be able to check if your customer accepted the validation within the allowed time (10 min); then you can send an SNS notification or any e-mail mechanism to them for the Success status.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/acm.html#ACM.Client.describe_certificate
You can also subscribe another Lambda function for processing the next steps of your Elastic Beanstalk load balancer modifications.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/elbv2.html#ElasticLoadBalancingv2.Client.modify_listener