
I run a SaaS with multiple subdomains and with the option for customers to use their own domains too.

This means that we host e.g.:

customer1.ourdomain.com
customer2.ourdomain.com
www.customer3.com
www.customer4.com

When creating a certificate through ACM, I have to confirm the new certificate for all domains; that's fair, as I can live with that. But our customers can't live with confirming their domain every time we add a new certificate (since we still can't update/add domains to an existing cert).

My question is, can I somehow intercept the mails that are being sent out when the domains have to be confirmed? Of course I can't always get their mails, but just for e.g. hostmaster@customer3.com.

The domains can be moved to Route 53 if needed; the customers usually have had them for a long time, hosted somewhere else. We usually just make a CNAME to our ELB.

How do other people deal with this?

Best regards, thanks in advance.

b.b3rn4rd
Oxholm

1 Answer


Currently, you have two options here. Firstly, AWS allows you to configure the base domain name to which you want the validation email to be sent. For instance, if you are requesting SSL for subdomains like *.customer1.ourdomain.com or *.customer2.ourdomain.com, you can specify ourdomain.com as the validation domain.

Can I configure the email addresses to which the certificate approval request is sent? No, but you can configure the base domain name to which you want the validation email to be sent. The base domain name must be a superdomain of the domain name in the certificate request. For example, if you want to request a certificate for server.domain.example.com but want to direct the approval email to admin@domain.example.com, you can do so using the AWS CLI or API. See ACM CLI Reference and ACM API Reference for further details.

To enhance this process even further you can try the acmagent pip library to automate your SSL confirmation:

pip install acmagent

Requesting SSL

$ acmagent request-certificate --domain-name *.dev.example.com --validation-domain example.com
12345678-1234-1234-1234-123456789012

Approving SSL

$ acmagent confirm-certificate --certificate-id 12345678-1234-1234-1234-123456789012

More examples can be found here.

The second option is to create an MX record in the hosted zone pointing to the SES service and use a Lambda function to parse the confirmation email body. I found an existing project that looks like it is doing this already: aws-acm-certificate-request-approver

Hopefully, that helps.

b.b3rn4rd
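The first option above, done directly against the ACM API rather than through acmagent, as an added example that is not part of the original answer: each name in the request gets an explicit ValidationDomain (its base domain), ACM's superdomain rule is checked before the call, and the domain list and the FakeAcmClient are constructed here so it runs offline (boto3 is only needed for the real call).

```python
"""Build an ACM RequestCertificate call whose validation e-mails go to the
base domain of each name (hostmaster@customer3.com, not @www.customer3.com).
Added example, not code from the answer or from acmagent; the domain list is
constructed to match the question. boto3 is needed only for the real call."""


def base_domain(fqdn: str, labels: int = 2) -> str:
    """Last `labels` labels of fqdn, with any leading wildcard dropped.
    Assumption: customer domains are second-level (customer3.com);
    pass labels=3 for names under suffixes such as co.uk."""
    parts = [p for p in fqdn.lower().rstrip(".").split(".") if p != "*"]
    if len(parts) < labels:
        raise ValueError(f"{fqdn!r} has fewer than {labels} labels")
    return ".".join(parts[-labels:])


def is_superdomain(candidate: str, name: str) -> bool:
    """ACM accepts a ValidationDomain only if it is the name itself or a parent."""
    name = name.lower().rstrip(".").removeprefix("*.")
    return name == candidate or name.endswith("." + candidate)


def build_request_params(domains, overrides=None):
    """Keyword arguments for acm.request_certificate: the first name is the
    subject, the rest become SANs, each with an explicit ValidationDomain."""
    overrides = overrides or {}
    options = []
    for d in domains:
        vd = overrides.get(d, base_domain(d))
        if not is_superdomain(vd, d):  # reject before ACM does, with a clear message
            raise ValueError(f"{vd} is not a superdomain of {d}")
        options.append({"DomainName": d, "ValidationDomain": vd})
    params = {"DomainName": domains[0], "ValidationMethod": "EMAIL",
              "DomainValidationOptions": options}
    if len(domains) > 1:
        params["SubjectAlternativeNames"] = domains[1:]
    return params


class FakeAcmClient:
    """Constructed stand-in for boto3.client('acm') so the example runs offline."""
    def request_certificate(self, **kwargs):
        self.kwargs = kwargs
        return {"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}


def request_certificate(domains, overrides=None, client=None):
    """Submit the request; returns the certificate ARN to poll until ISSUED."""
    if client is None:
        import boto3  # real client; assumes AWS credentials in the environment
        client = boto3.client("acm")
    return client.request_certificate(**build_request_params(domains, overrides))["CertificateArn"]
```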