GNS-Science/nshm-kororaa-apigw

AWS WARNING SSL

Closed this issue · 3 comments

You have an SSL/TLS certificate from AWS Certificate Manager in your AWS account that expires on Feb 15, 2024 at 23:59:59 UTC. This certificate includes the primary domain nshm-api-test.gns.cri.nz and a total of 1 domains.

It seems that the DNS config requested from GNS IT support did not work for the test API https://us-east-1.console.aws.amazon.com/acm/home?region=us-east-1#/certificates/25be2857-424b-4c2d-b7bb-cc756878389a

(it's fine for PROD, and they were done simultaneously).

I've raised a new ticket 7238 with IT support

got a response from GNS IT yesterday ...

Hi Chris,

I've picked up your ticket and I apologize for the delay in response.

We've taken a look at the DNS and from checking the historical tickets and it looks like we're missing some information.

Were the endpoints CNAMEs provided?

We may need to complete validation again and then have endpoints CNAME applied.
Ngā mihi,

Mike CJ
Junior Network Engineer

new certificate request initiated and detailed instructions sent to IT support ....

Hi Mike, I've requested a new certificate for our API and attached the AWS CSV file...

FYI Here is a description from AWS of what this is ...
Before the Amazon certificate authority (CA) can issue a certificate for your site, AWS Certificate Manager (ACM) must prove that you own or control all of the domain names that you specify in your request. You can choose to prove your ownership with either Domain Name System (DNS) validation or with email validation at the time you request a certificate.

We prefer the CNAME method as it is more transparent. So, what we need is:

A new CNAME record added in the GNS DNS configuration where ....

_3719289eb15efcc2820260aeb5d39eda.nshm-api-test.gns.cri.nz (which is the AWS generated validation lookup) has a CNAME (_aecdcbccd7727fea682d99111c990075.kqlycvwlbp.acm-validations.aws)

An AWS function will periodically check the former address via DNS lookup to check that it is aliasing the correct CNAME value (which I note is not a REAL DNS address)

All this proves is that the 'owner' of the domain that the certificate covers (i.e. nshm-api-test.gns.cri.nz) also has control over the DNS records for the same domain.

For a reference for how this is done already, see the DNS entry for _3bac81e04191a7e1f1bf03f52dd4ca4a.nshm-api.gns.cri.nz which is correctly configured and working fine.

Please call me if you have any questions,

Kind regards, Chris Chamberlain
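The check described in the comment above (does the validation name resolve to the CNAME value ACM expects?) can be run by the requester before waiting on ACM's periodic lookup. The script below is an added example and is not code from this issue thread, from GNS Science or from AWS. The record name and value for the test API are the ones quoted above; `CONSTRUCTED_ZONE`, `zone_lookup` and the placeholder entries in it are constructed stand-ins so the check runs offline, and the `dig +short CNAME` fallback assumes `dig` is installed on the operator's machine. It also shows two things a plain string comparison gets wrong: resolvers return the target with a trailing dot and arbitrary case, and a zone editor that appends the zone suffix to a pasted FQDN leaves the record one level too deep, which looks to ACM like "no record".

```python
"""Check that an ACM DNS-validation CNAME is published the way ACM expects.

Added example for the issue thread; not the project's own code.
"""
import subprocess
from typing import Callable, Optional, Tuple

# Validation pair for the test API, as quoted in the issue.
TEST_RECORD_NAME = "_3719289eb15efcc2820260aeb5d39eda.nshm-api-test.gns.cri.nz"
TEST_RECORD_VALUE = "_aecdcbccd7727fea682d99111c990075.kqlycvwlbp.acm-validations.aws"

# Constructed stand-in for what a resolver might answer for the GNS zone.
# Keys are record names, values are CNAME targets exactly as returned by DNS
# (trailing dot, arbitrary case). Both entries are illustrative only.
CONSTRUCTED_ZONE = {
    # Correctly published record, returned in upper case with a trailing dot.
    TEST_RECORD_NAME:
        "_AECDCBCCD7727FEA682D99111C990075.kqlycvwlbp.acm-validations.aws.",
    # Placeholder for a common zone-editor slip: the full record name was
    # pasted into a field that already appends the zone, so the record
    # landed at <name>.gns.cri.nz.gns.cri.nz instead of <name>.gns.cri.nz.
    "_0123456789abcdef0123456789abcdef.placeholder-api.gns.cri.nz.gns.cri.nz":
        "_fedcba9876543210fedcba9876543210.placeholder.acm-validations.aws.",
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; drop both."""
    return name.strip().rstrip(".").lower()


def zone_lookup(name: str) -> Optional[str]:
    """Offline CNAME lookup against CONSTRUCTED_ZONE (case-insensitive, like DNS)."""
    wanted = normalize(name)
    for record_name, target in CONSTRUCTED_ZONE.items():
        if normalize(record_name) == wanted:
            return target
    return None


def dig_cname(name: str) -> Optional[str]:
    """Live CNAME lookup via `dig +short CNAME <name>` (assumes dig is installed)."""
    proc = subprocess.run(
        ["dig", "+short", "CNAME", name],
        capture_output=True, text=True, check=False,
    )
    answers = [line for line in proc.stdout.splitlines() if line.strip()]
    return answers[0] if answers else None


def check_validation_record(
    record_name: str,
    expected_value: str,
    lookup: Callable[[str], Optional[str]] = dig_cname,
    zone: Optional[str] = None,
) -> Tuple[bool, str]:
    """Return (ok, message); ok is True only when the CNAME target matches.

    If the record is absent and `zone` is given, also probe for the
    double-suffixed name so the message can point at the likely cause.
    """
    actual = lookup(record_name)
    if actual is None:
        msg = f"{record_name}: no CNAME published"
        if zone and lookup(f"{record_name}.{zone}") is not None:
            msg += (f" (but {record_name}.{zone} exists: the zone suffix "
                    f"was probably appended twice when the record was created)")
        return False, msg
    if normalize(actual) != normalize(expected_value):
        return False, f"{record_name}: CNAME is {actual}, expected {expected_value}"
    return True, f"{record_name}: OK, CNAME is {actual}"


if __name__ == "__main__":
    # Offline demonstration against the constructed zone.
    for name, value in [
        (TEST_RECORD_NAME, TEST_RECORD_VALUE),
        ("_0123456789abcdef0123456789abcdef.placeholder-api.gns.cri.nz",
         "_fedcba9876543210fedcba9876543210.placeholder.acm-validations.aws"),
    ]:
        print(check_validation_record(name, value, lookup=zone_lookup, zone="gns.cri.nz")[1])
    # For a live check, drop the lookup= argument so dig_cname is used.
```

Run it as-is for the offline demonstration; for the real zone, call `check_validation_record(name, value, zone="gns.cri.nz")` without `lookup=` so `dig` asks the local resolver. Because ACM keeps polling, a record that this reports as OK will be picked up on ACM's next pass; a "no CNAME published" with the double-suffix hint is the case to send back to the DNS administrator.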