0

I have a Route53 hosted zone foo.bar with a couple of CNAME's in there pointing to external IP addresses. For example, a website with domain name myapp.foo.bar is hosted on a Digital Ocean server but the CNAME record is in the route53 hosted zone foo.bar.

I want to use ACM to manage the certificate for *.foo.bar because this would mean I can use DNS validation for automatic renewal.

I've tried to deploy an Application Load Balancer but I can't use external IP's as target. Therefore, I'm looking now into using Cloudfront for solving this issue. Is it possible to attach an ACM managed cert to the Cloudfront distribution and use a DNS origin of which the IP points to an external server? If this is possible, any caveats with respect to this solution?

markvdlaan93
  • 613
  • 10
  • 26

1 Answers1

0

Yes, you can set up CloudFront with an alternative Domain Name - For that you can create the SSL/TLS cert with ACM, and can select your Digital Ocean hosted instance domain name as a target of the CloudFront origin.

CloudFront (custom origin, my-best-domain.com (ssl with ACM)) => Origin (Digital Ocean Domain server domain name (what you already configured with Route 53) - you cannot point to IP address here)

So in nuthshell you cannot manage the SSL/TLS Cert for your Digital Ocean Instance from AWS ACM :(, basically you need to do the SSL/TLS for your droplet/instance seperated from the AWS environment :(

As I am reading the Digital Ocean docs, they almost has the same functionality, it use Let's encrypt and automatically renews on your behalf.

https://docs.digitalocean.com/products/accounts/security/certificates/

Sándor Bakos
  • 485
  • 6
  • 10