
Issue when using imported certificates with domain hosted outside AWS

Open rhetprieto opened this issue 2 years ago • 5 comments

Hello, I'm having an issue and would appreciate some guidance.

When using an imported certificate for a domain hosted outside AWS, we need to manually add the CNAME in the DNS service. However, the last part of the deployment process is a healthcheck that expects my-service.mydomain.com/up to be accessible, so it fails until I go and manually add the CNAME. This, of course, is not an acceptable workflow.

Service manifest.yml

name: my-service
environments:
  arnold:
    http:
      alias: my-service.mydomain.com

Environment manifest.yml

http:
  public:
    certificates: [arn:aws:acm:us-east-12312313123:certificate/123123123123123]

Some attempted solutions:

  1. Do not include any certificate or alias - This half works, but the load balancer that gets created doesn't include a listener on port 443, so it needs to be added manually. (Also, because of the default redirect to HTTPS, the healthcheck returns a 301 instead of 200, and you can't disable redirect_to_https unless you provide a certificate.)
  2. Just include the certificate but no alias - This won't work: http.alias is required when a certificate is included.

rhetprieto avatar Mar 02 '24 05:03 rhetprieto

Hello @rhetprieto.

However, the last part of the deployment process is a healthcheck that expects my-service.mydomain.com/up to be accessible, so it fails until I go and manually add the CNAME. This, of course, is not an acceptable workflow.

Sorry but I don't understand why you can't add an A-record for my-service.mydomain.com with the ALB DNS name as destination before the deployment 🤔 Was it because this was the first deployed service and the ALB wasn't there until the deployment?

iamhopaul123 avatar Mar 05 '24 20:03 iamhopaul123

Was it because this was the first deployed service and the ALB wasn't there until the deployment?

Yes, and in this scenario the ALB DNS name changes every time the deployment fails (as resources get recreated as part of the rollback/redeploy process).

I was able to solve this issue by specifying a hosted_zone of a secondary domain registered under route53, so the alias is now set to my-service.mydomain2.com. Now that my-service.mydomain2.com passes the health check, I can take the ALB DNS name and manually add it for mydomain.com.

rhetprieto avatar Mar 05 '24 21:03 rhetprieto

Sounds good! Glad you found your way out. Just a side note: you can keep the ALB always there even if there's no LoadBalancedWebService deployed by running env override and setting this condition to true in your yaml patch file:

- op: replace
  path: /Conditions/CreateALB
  value: true

iamhopaul123 avatar Mar 05 '24 21:03 iamhopaul123
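As an added illustration of what that yaml patch does to the rendered environment stack (this is not copilot's own code, and the template below is a constructed stand-in for the real generated CloudFormation, not copied from it):

```python
"""Apply copilot-style yaml patch ops (RFC 6902 semantics) to a rendered
CloudFormation template and confirm the CreateALB condition is forced on.
Only object (dict) paths are supported; array indexes are out of scope here."""
import copy

# Constructed minimal environment template (assumption: the real copilot stack
# gates the ALB on a CreateALB condition, as the thread says; the expression
# used for it here is invented for illustration).
ENV_TEMPLATE = {
    "Conditions": {
        "CreateALB": {"Fn::Not": [{"Fn::Equals": [{"Ref": "ALBWorkloads"}, ""]}]},
    },
    "Resources": {
        "PublicLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Condition": "CreateALB",
        }
    },
}

# The patch from the thread, as it would appear in the yaml patch file.
CREATE_ALB_PATCH = [{"op": "replace", "path": "/Conditions/CreateALB", "value": True}]


def apply_patch(doc: dict, ops: list) -> dict:
    """Return a patched copy supporting replace/add/remove.
    As in RFC 6902, 'replace' on a missing path is an error, so a typo in the
    path fails loudly instead of silently leaving the ALB condition untouched."""
    out = copy.deepcopy(doc)
    for op in ops:
        # JSON Pointer: split on '/', unescape ~1 -> '/' and ~0 -> '~'
        tokens = [t.replace("~1", "/").replace("~0", "~") for t in op["path"].split("/")[1:]]
        parent = out
        for tok in tokens[:-1]:
            parent = parent[tok]
        key = tokens[-1]
        if op["op"] == "replace":
            if key not in parent:
                raise KeyError(f"replace target {op['path']} does not exist")
            parent[key] = op["value"]
        elif op["op"] == "add":
            parent[key] = op["value"]
        elif op["op"] == "remove":
            del parent[key]
        else:
            raise ValueError(f"unsupported op {op['op']}")
    return out


def alb_always_created(template: dict) -> bool:
    """True once CreateALB is the literal true, i.e. no longer tied to workloads."""
    return template["Conditions"]["CreateALB"] is True
```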

Thanks for your guidance @iamhopaul123. I'll give that a try.

rhetprieto avatar Mar 06 '24 23:03 rhetprieto

This issue is stale because it has been open 60 days with no response activity. Remove the stale label, add a comment, or this will be closed in 14 days.

github-actions[bot] avatar May 06 '24 00:05 github-actions[bot]

This issue is closed due to inactivity. Feel free to reopen the issue if you have any further questions!

github-actions[bot] avatar May 20 '24 00:05 github-actions[bot]