
Make domain verification easier via new DNS validation

Open thesurlydev opened this issue 7 years ago • 11 comments

AWS just announced https://aws.amazon.com/about-aws/whats-new/2017/11/aws-certificate-manager-easier-certificate-validation-using-dns/ which could make verification easier and not require email.

thesurlydev avatar Nov 22 '17 18:11 thesurlydev

Niceeeee, time to undo some code :D

tj avatar Nov 22 '17 23:11 tj

Realizing this might not be a great option since it'd require people to point their DNS to AWS before the zone is even created haha, which can't happen. It would have to be a two-step process.

tj avatar Nov 23 '17 18:11 tj

Probably some option rather than an automatic thing would make the most sense. Not everybody wants "garbage" auth TXT entries in their zones.

pctj101 avatar Nov 25 '17 19:11 pctj101

@tj yeah, but it works better for those that already have DNS pointed to AWS but don't necessarily have an email account set up. Until this feature was announced, I used SNS and a Lambda with headless Chrome running to automate the verification step. I see this as a complementary option to verification via email.

thesurlydev avatar Nov 25 '17 22:11 thesurlydev

Just as a note of clarification, I'm all for putting in garbage TXT records into my domain to make things go faster. Domains are cheap enough for me to buy one just for getting dirty, especially in development.

pctj101 avatar Nov 29 '17 10:11 pctj101

I just don't want two code paths; it makes QA and docs a bit more tricky since this would only work for up-purchased domains. Maybe though, it would be a nicer experience, that's for sure.

tj avatar Nov 29 '17 18:11 tj

Oooh... Yeah I was coming from the, "Hey it's in route 53, validate me!" perspective. If it was that easy, then of course, I'd like it :) But... maybe it's more complicated than that right now.

pctj101 avatar Nov 29 '17 18:11 pctj101

I'm finding the verification emails 'domains: Check your email to approve the certificate' aren't coming through. It can't be just me. It's a similar experience across mail platforms and accounts. :disappointed:

kaihendry avatar Jan 19 '18 06:01 kaihendry

Echoing @kaihendry, I wasn't getting the approval emails from AWS, but when I manually requested the certificate in the AWS Console, I was able to do DNS verification (and with Route53 domains, there was a big blue button to add the verification CNAME for me). In a matter of minutes the cert was issued.

It would be nice if up could take care of that step for me too if the domain is already in Route53.

timchambers avatar Mar 09 '18 16:03 timchambers

Echoing @kaihendry and @timchambers. For a newly purchased domain, it is not likely the user will set up email on the domain first. When up tells me to "check your email", I check my personal email again and again. It took me days to arrive at this issue and solve the problem by doing "DNS verification" in the AWS console manually.

timqian avatar Sep 28 '19 03:09 timqian

In my notes for up setup, I have a reminder to add webmaster@, hostmaster@ etc. to the domain to get the verification email, so I'm finding I need to have the domain set up already, anyway (not to mention having the MX pointing at some service like Mailgun).

Today, 22 July 2021, I got an email from AWS regarding ACM no longer automatically renewing email-validated domains from Aug 2021. To wit:

We have identified your account as an account that uses email validated certificates issued through AWS Certificate Manager (ACM). Due to a policy change by Mozilla[1], the organization behind the Firefox browser, ACM can no longer automatically renew email validated certificates on your behalf.

Beginning August 2021, email validated certificates will need to be renewed every year by clicking on a validation link that will be mailed when the certificate is 45 days from expiry. You can read more about Email validated certificates including details on validation email here[2]. Additionally, you can also use CloudWatch metrics and events [3] to monitor and track ACM managed certificates that are approaching expiration.

For your reference, following is the list of your existing email-validated certificates:

arn:aws:acm:us-east-1:274500760195:certificate/11f651f3-715c-437...

We recommend you migrate to DNS validation[4] if you are able. DNS validated certificates renew automatically as long as the CNAME record is properly configured. There is no way to convert an existing certificate from email validation to DNS validation, but you can request a new certificate at no cost.

(Emphasis mine) So, if you've set up up in the default way, you will now need to validate each year via email, and you can't convert once it's set up as email...

It would be great if there were an option to use CNAME validation, even if it's going to require a second step.

--Rick

[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#2-certificate-authorities
[2] https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html
[3] https://docs.aws.amazon.com/acm/latest/userguide/cloudwatch-metrics.html
[4] https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html
[5] https://aws.amazon.com/support

RickCogley avatar Jul 22 '21 07:07 RickCogley
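The two-step flow timchambers describes above (request the certificate with DNS validation, then publish ACM's CNAME in Route 53) and the migration to DNS validation that the AWS notice in Rick's comment recommends, as an added Python example that is not up's code: it turns an ACM DescribeCertificate response into the Route 53 change batch that completes validation. The sample response is constructed; the boto3 calls named in the comments are the real API methods but are not executed here.

```python
"""Turn an ACM DescribeCertificate response into the Route 53 CNAME UPSERTs
that complete DNS validation.  Added example, not part of up; sample is constructed."""
from typing import Dict, List, Tuple


def validation_cnames(describe: Dict) -> List[Tuple[str, str]]:
    """Collect the (name, value) CNAMEs ACM asks you to publish.
    ACM fills in ResourceRecord shortly after RequestCertificate, so entries
    without it are skipped (poll DescribeCertificate again).  A wildcard SAN
    shares the apex's record, so duplicates are collapsed for the batch."""
    seen, out = set(), []
    for opt in describe["Certificate"].get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if not rr or rr.get("Type") != "CNAME":
            continue
        key = (rr["Name"], rr["Value"])
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def route53_change_batch(cnames: List[Tuple[str, str]], ttl: int = 300) -> Dict:
    """Build the ChangeBatch for route53.change_resource_record_sets.
    UPSERT keeps a re-run (e.g. after re-requesting the cert) idempotent."""
    return {
        "Comment": "ACM DNS validation",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name, "Type": "CNAME", "TTL": ttl,
                "ResourceRecords": [{"Value": value}],
            },
        } for name, value in cnames],
    }


# Constructed sample: apex and wildcard share one record; api.* is not ready
# yet (no ResourceRecord), which is the state right after RequestCertificate.
SAMPLE_DESCRIBE = {"Certificate": {"DomainValidationOptions": [
    {"DomainName": "example.com", "ResourceRecord": {"Name": "_abc123.example.com.",
     "Type": "CNAME", "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "*.example.com", "ResourceRecord": {"Name": "_abc123.example.com.",
     "Type": "CNAME", "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "api.example.com"},
]}}

if __name__ == "__main__":
    # Live: acm.request_certificate(..., ValidationMethod="DNS"), then
    # acm.describe_certificate(CertificateArn=arn) feeds validation_cnames().
    print(route53_change_batch(validation_cnames(SAMPLE_DESCRIBE)))
```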