apprunner-roadmap
Custom Domains: publish certificate validation records in App Runner managed zones
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
Setting up a Custom Domain requires these records to be added to DNS:
- a CNAME or ALIAS record for the custom domain (example.com -> xyz.awsapprunner.com)
- CNAME records for some subdomains for certificate validation (_123.example.com, _123.abc.example.com -> _456.acm-validations.aws)
If a CNAME is used for the domain (example.com), then DNS queries for the certificate validation records (_123.example.com) are resolved against the App Runner DNS zone (xyz.awsapprunner.com). So, it is not possible to validate the certificate and have a domain CNAME in place (which is the only option if your DNS service does not support arbitrary ALIAS records).
To resolve this, when a Custom Domain is added, App Runner should publish CNAME records in its managed zone that point to the certificate validation records (_123.xyz.awsapprunner.com, _123.abc.xyz.awsapprunner.com -> _456.acm-validations.aws). This would allow users to configure Custom Domains in situations where using an ALIAS record is not available; I know this is currently a problem for Route53 and namecheap.com (due to a character count limit).
Describe alternatives you've considered
To work around this I have used a wildcard for the Custom Domain (*.example.com), which allows me to publish validation records at a lower level (_123.example.com), and used a subdomain (myapp.example.com) for the CNAME to the App Runner service.
This is OK if a) there isn't a requirement to use the base domain (example.com) for the app and b) the organization is happy to have a wildcard certificate (*.example.com) issued when only a subdomain certificate is needed (myapp.example.com).
However, this workaround does not work correctly if you want to have more than one App Runner service. If two App Runner services are configured with a wildcard Custom Domain (*.example.com), App Runner routes all traffic for any subdomains (myapp.example.com, yourapp.example.com) to just one of them (based on which was there first, or which comes first alphabetically or something).
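One way to try out the three record layouts compared in this post, as an added example that is neither the reporter's nor App Runner's code: a small offline model of a zone table that follows CNAMEs, assumes the shadowing behaviour described above (a name below a CNAME'd label is answered from the CNAME target's zone), and reports whether the ACM validation record is reachable under the apex-CNAME layout, the subdomain workaround, and the proposed managed-zone records. Names such as xyz.awsapprunner.com and _456.acm-validations.aws are placeholders in the shape the post uses.

```python
# Added example for this thread (not from the issue or App Runner). Zone tables
# below are constructed samples with placeholder names. Assumption, taken from
# the reporter's description: a query for a name below a CNAME'd label is
# answered from the CNAME target's zone, not from the customer's own records.
from typing import Dict, Optional

def norm(name: str) -> str:
    return name.rstrip(".").lower()

def cname_ancestor(zone: Dict[str, str], name: str) -> Optional[str]:
    """Nearest ancestor label of `name` that carries a CNAME, or None."""
    labels = norm(name).split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in zone:
            return parent
    return None

def lookup(zone: Dict[str, str], name: str, hops: int = 8) -> Optional[str]:
    """Final CNAME target of `name`, or None. A name under a CNAME'd parent is
    rewritten under the parent's target (_123.example.com -> _123.xyz.awsapprunner.com)."""
    cur, answered = norm(name), False
    for _ in range(hops):
        parent = cname_ancestor(zone, cur)
        if parent is not None:  # shadowed: rewrite under the parent's target
            cur = cur[: -len(parent)] + norm(zone[parent])
            continue
        if cur in zone:  # ordinary CNAME hop
            cur, answered = norm(zone[cur]), True
            continue
        return cur if answered else None
    return None  # chain too long or looping

def check_validation(zone: Dict[str, str], expected: Dict[str, str]) -> Dict[str, str]:
    """Status per ACM validation record: ok / wrong-target / shadowed / missing."""
    status = {}
    for rec, target in expected.items():
        got = lookup(zone, rec)
        if got == norm(target):
            status[rec] = "ok"
        elif got is not None:
            status[rec] = "wrong-target"
        elif cname_ancestor(zone, rec) is not None:
            status[rec] = "shadowed"  # the case this issue reports
        else:
            status[rec] = "missing"
    return status

VALIDATION = {"_123.example.com": "_456.acm-validations.aws"}
APEX_CNAME = {"example.com": "xyz.awsapprunner.com", **VALIDATION}
WORKAROUND = {"myapp.example.com": "xyz.awsapprunner.com", **VALIDATION}
PROPOSED = {**APEX_CNAME, "_123.xyz.awsapprunner.com": "_456.acm-validations.aws"}
```

`check_validation(APEX_CNAME, VALIDATION)` reports the validation record as shadowed even though the customer added it, while the workaround and the proposed managed-zone record both report ok.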
Hi, can I ask some questions for clarification? Are you saying that if a CNAME is used for the root custom domain (i.e., example.com -> xyz.awsapprunner.com), then if you want to set up other subdomains (123.example.com, 456.example.com) to other App Runner service endpoints (xyz2.awsapprunner.com, xyz3.awsapprunner.com), the certificate validation will fail because 123.example.com and 456.example.com are resolved against xyz.awsapprunner.com?
And what's your ultimate goal? Do you want to set up the root custom domain to one App Runner service (example.com -> xyz.awsapprunner.com), and also set up a subdomain custom domain to another App Runner service (123.example.com -> xyz2.awsapprunner.com)?
@scuw19 If a CNAME is used for the root custom domain (i.e., example.com -> xyz.awsapprunner.com):
- It is not possible to add the subdomain records necessary for certificate validation (_123.example.com) because queries for those records will be resolved against the App Runner zone (due to the CNAME).
- This is also true for subdomains (abc.example.com -> xyz.awsapprunner.com). The CNAME causes queries for the certificate validation records to be sent to the App Runner managed DNS zone (xyz.awsapprunner.com). Only the App Runner service can add records to that zone, and allow certificate validation to succeed.
My ultimate goals are:
- to enable CNAMEs to be used successfully
- to use App Runner for multiple services at separate subdomains (abc.example.com, def.example.com, etc.)
The workaround I have described makes the CNAME work, but prevents using multiple subdomains from working.
Hi, the App Runner team is investigating this issue https://github.com/aws/apprunner-roadmap/issues/53, which is to enable the Route53 Alias record for the root custom domain. We can check back whether your issue is still a problem if the above issue is solved.
Thank you. Resolving #53 in a way that allows Route53 Alias records to be set for App Runner the same way that they work with other services (e.g. Cloudfront) would provide a path to get this working.
However, customers who are not able to use Route53 would still encounter issues attempting to configure a CNAME for the domain and records to validate the certificate.
If the suggestion to create certificate validation records in the App Runner managed DNS zone is not acceptable, perhaps the better course of action would be to remove the CNAME option from the documentation and App Runner Console?
I believe I've run into this issue. My ultimate goal is to have preview environments set up with App Runner, with every protected branch (dev, prod) and every pull request given a URL (dev.branches.domain.com, pr-1.branches.domain.com). It fails to validate after setting up the CNAME record.