Apply an SSL Certificate on AWS ACM (also Cloudflare)
Apply for a certificate on ACM
It is best to use AWS Certificate Manager (ACM).
0. Before anything else, add a CAA record.
Name is your domain name, and in the CA domain name field fill in one of:
If this CAA record is missing, the request will fail.
Navigate to the certificate page.
Click Request.
Fill in the domain/subdomain name.
- If it has special characters, like my "einbürgerungstest.leeindeutschland.de", you don't need to use punycode.
Use DNS validation, then create.
- as I didn't register an email address for the domain.
It will give you a CNAME name and a CNAME value.
Go to your domain dashboard (where you registered your domain, e.g. Cloudflare). Create a CNAME record with Name set to the CNAME name and Target set to the CNAME value.
- You can remove your domain name from the Name field; it also doesn't matter if you remove the trailing dot.
Then, after some time, it will be issued.
- DON'T wait too long: 72h is the expiry time. If it is still pending by then, something must be wrong; don't waste time waiting.
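A small offline checker for the two DNS records this procedure depends on, added here as an example (it is not from the original post): it applies the CAA lookup rules of RFC 8659 to decide whether a domain's CAA policy lets an Amazon CA issue, and derives the Cloudflare Name field from the CNAME name ACM hands out. Amazon's CAA domains are assumed from the ACM documentation, and the zone data is constructed.

```python
# Added example, not from the original post. Amazon's CAA domains are taken from the
# ACM documentation, not from this page; the zone data at the bottom is constructed.
from typing import Dict, List, Optional, Tuple

AMAZON_CAA_DOMAINS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}


def parse_caa(rdata: str) -> Tuple[int, str, str]:
    """Split one CAA rdata string, e.g. '0 issue "amazon.com"', into (flags, tag, value)."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def relevant_caa_set(zone: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """RFC 8659 lookup: the CAA records of the closest name at or above `name`.
    None means no CAA record exists anywhere up the tree (any CA may issue)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return None


def caa_allows_amazon(zone: Dict[str, List[str]], name: str) -> bool:
    """True when an Amazon CA (what ACM uses) may issue for `name`.
    A wildcard name is governed by 'issuewild' when present, otherwise by 'issue'."""
    is_wild = name.startswith("*.")
    records = relevant_caa_set(zone, name[2:] if is_wild else name)
    if records is None:
        return True
    parsed = [parse_caa(r) for r in records]
    tag = "issuewild" if is_wild and any(t == "issuewild" for _, t, _ in parsed) else "issue"
    # The CA domain is the value up to any ';parameter' suffix; 'issue ";"' names no CA.
    cas = [v.split(";")[0].strip().lower() for _, t, v in parsed if t == tag]
    if not cas:  # CAA records exist but carry no issue tag: unrestricted
        return True
    return any(ca in AMAZON_CAA_DOMAINS for ca in cas)


def cloudflare_cname_name(acm_cname_name: str, zone_name: str) -> str:
    """Name to type into Cloudflare for the validation CNAME ACM hands out: the
    trailing dot is optional and the zone suffix may be dropped, as the post notes."""
    name = acm_cname_name.rstrip(".")
    suffix = "." + zone_name.rstrip(".").lower()
    return name[: -len(suffix)] if name.lower().endswith(suffix) else name


# Constructed zone: the apex authorises Amazon, one host is locked to another CA.
EXAMPLE_ZONE = {
    "leeindeutschland.de": ['0 issue "amazon.com"'],
    "other.leeindeutschland.de": ['0 issue "letsencrypt.org"'],
}
```

Run `caa_allows_amazon(EXAMPLE_ZONE, "<your host>")` before clicking Request; a False result is the CAA problem the post warns about.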
CloudFront
You MUST request the cert in the us-east-1 region.
API Gateway
Request the cert in the region where your API Gateway is hosted.
About other certs
Because I missed the CAA record, I turned on the Cloudflare cert, but NOTICE: the Cloudflare cert is not recognised by AWS, so don't waste time on it if you want to deploy on AWS.
However, there are also some points I need to write down.
Go to SSL/TLS -> Overview -> Config -> choose Full (Strict) mode.
Then go to SSL/TLS -> Origin Server and create a certificate.
- Notice: the private key is only shown once, so save it at this point.
Next go to AWS ACM; this time don't click Request, instead click the Import button.
Paste the cert and private key into the corresponding fields, done.
But embarrassingly, this will not work on AWS (for CloudFront; for EC2 I saw some posts, it seems to still work).
Reference
AWS Certificate Manager DNS validation