Setup DNS record and SSL cert

Greg Delisle edited this page Nov 17, 2021 · 2 revisions

back to Overview

Final steps for administrator

The application assumes that you will be running this service on a real domain, with a TLS certificate to enable HTTPS connections. The domain you enter in the deployment template parameters should be one that's available to use, and you or your network administrator should be able to create DNS records for that domain. Two DNS records will be necessary to complete the setup, and the endpoints for those DNS records are produced when the deploy template is run.

Create DNS Record

The first DNS record you will need to create is the domain name your service will actually use. This is what you entered as the DomainName parameter before you ran the deploy template. It should be a CNAME record, since the IP address used by the service may change over time. The CNAME record should point your service's domain name at the DNS name of the load balancer that the deploy template creates.

The simplest way to find this is to look it up in the EC2 web console, under Load Balancers. The template creates the load balancer with the name you entered as the stack name, with "-lb" added to the end. So, if your deploy stack was named "qa-lookup-deploy", your load balancer will be named "qa-lookup-deploy-lb". Find this load balancer in the list of load balancers, check the box next to its name, and scroll down to the "Description" tab. You should see the load balancer's DNS name here, so create the CNAME record pointing your service's domain name to the load balancer's DNS name.

Validate SSL Certificate

The deploy template creates a TLS certificate for your domain name using the AWS Certificate Manager service (ACM). This certificate is automatically attached to your load balancer so it can terminate secure connections. However, each ACM certificate must be validated to prove that you control the domain you're trying to secure. That's done by creating a special DNS record that points a unique CNAME on that domain to a location that ACM gives you. Both the CNAME name and its target are generated for you; it's up to you or your network administrator to create that DNS record. To find this information, look again in the CloudFormation web console and find your deploy template's stack. Select it, and click on the "Events" tab. Scroll down the list of events until you see an event for the item ACMCert with a status of CREATE_IN_PROGRESS and a Status reason beginning with "Content of DNS Record is:". There you will see the CNAME that ACM wants you to create, and the location you should point it to.

Once you have created this DNS record, ACM will detect that it exists, and the ACMCert status will update to CREATE_COMPLETE. Until this step is completed, the certificate will not be valid, the load balancer will not handle HTTPS requests properly, and the stack status will remain as CREATE_IN_PROGRESS.
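The two lookups above (the load balancer's DNS name and the ACM validation CNAME buried in the stack events) can also be pulled from the command line instead of clicking through the consoles. The script below is an added example written for this page, not part of the project's own tooling. It assumes the naming convention the page describes (stack name plus "-lb", a logical resource called ACMCert), assumes boto3 is installed and credentialed when run against a live stack, and assumes the load balancer is an Application or Network Load Balancer (the elbv2 API; a Classic ELB would use the elb client instead). The exact punctuation inside the braces of the "Content of DNS Record is:" status reason is an assumption, so the parser tolerates optional whitespace. The sample events at the bottom are constructed to mirror what the CloudFormation console shows.

```python
"""Recover the two DNS records this guide asks the administrator to create.

1. Service CNAME        -> DNS name of the "<stack>-lb" load balancer.
2. ACM validation CNAME -> parsed from the ACMCert CREATE_IN_PROGRESS event
                           whose status reason starts "Content of DNS Record is:".
"""
import re
import sys

# Pattern for the status reason text described on this page. The exact
# separators inside the braces are an assumption; whitespace is optional.
_RECORD_RE = re.compile(
    r"Content of DNS Record is:\s*\{\s*Name:\s*(?P<name>[^,\s]+)\s*,"
    r"\s*Type:\s*(?P<type>[A-Z]+)\s*,\s*Value:\s*(?P<value>[^}\s]+)\s*\}"
)


def parse_validation_record(status_reason):
    """Return (name, type, value) from an ACMCert status reason, or None."""
    m = _RECORD_RE.search(status_reason or "")
    if not m:
        return None
    return m.group("name"), m.group("type"), m.group("value")


def find_validation_record(events):
    """Scan stack events for the ACMCert event that carries the DNS record."""
    for ev in events:
        if ev.get("LogicalResourceId") != "ACMCert":
            continue
        if ev.get("ResourceStatus") != "CREATE_IN_PROGRESS":
            continue
        rec = parse_validation_record(ev.get("ResourceStatusReason"))
        if rec:
            return rec
    return None


def acm_status(events):
    """Most recent ACMCert status; events are newest-first as the API returns them."""
    for ev in events:
        if ev.get("LogicalResourceId") == "ACMCert":
            return ev.get("ResourceStatus")
    return None


def load_balancer_name(stack_name):
    """The page's convention: the load balancer is named "<stack>-lb"."""
    return stack_name + "-lb"


def fetch_stack_events(stack_name):
    """Live lookup (assumes boto3 and AWS credentials are available)."""
    import boto3
    cfn = boto3.client("cloudformation")
    events = []
    for page in cfn.get_paginator("describe_stack_events").paginate(StackName=stack_name):
        events.extend(page["StackEvents"])
    return events


def fetch_lb_dns_name(stack_name):
    """Live lookup of the ALB/NLB DNS name (assumption: not a Classic ELB)."""
    import boto3
    elbv2 = boto3.client("elbv2")
    resp = elbv2.describe_load_balancers(Names=[load_balancer_name(stack_name)])
    return resp["LoadBalancers"][0]["DNSName"]


# Constructed sample events (newest first), shaped like the console's Events tab.
SAMPLE_EVENTS = [
    {"LogicalResourceId": "ACMCert", "ResourceStatus": "CREATE_IN_PROGRESS",
     "ResourceStatusReason": "Content of DNS Record is: {Name: _1a2b3c.lookup.example.org.,"
                             "Type: CNAME,Value: _4d5e6f.acm-validations.aws.}"},
    {"LogicalResourceId": "ACMCert", "ResourceStatus": "CREATE_IN_PROGRESS",
     "ResourceStatusReason": "Resource creation Initiated"},
    {"LogicalResourceId": "LoadBalancer", "ResourceStatus": "CREATE_COMPLETE"},
]


if __name__ == "__main__":
    if len(sys.argv) > 1:            # python thisfile.py qa-lookup-deploy
        stack = sys.argv[1]
        events = fetch_stack_events(stack)
        print("Service CNAME target:", fetch_lb_dns_name(stack))
    else:                            # offline demo on the constructed sample
        stack, events = "qa-lookup-deploy", SAMPLE_EVENTS
        print("Service CNAME target: <DNS name of", load_balancer_name(stack) + ">")
    rec = find_validation_record(events)
    if rec:
        print("ACM validation record: %s %s %s" % rec)
    print("ACMCert status:", acm_status(events))
```

Run it with no arguments to see the parser work on the constructed sample, or with your stack name to query the live stack. Note that the ACM record name and value both end in a trailing dot; some DNS providers' web forms expect the name without it, so check how your provider wants fully qualified names entered.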


Previous | End