Create ACM Certificate

In this section you will create an ACM certificate for your domain so that you can terminate TLS at your ALB.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Decide on the desired subdomain for your Load Balancer:

    root@rok-tools:~/ops/deployments# export SUBDOMAIN=<YOUR_SUBDOMAIN>.${DOMAIN?}
    

    Replace <YOUR_SUBDOMAIN> with your desired subdomain. For example:

    root@rok-tools:~/ops/deployments# export SUBDOMAIN=${CLUSTERNAME?}.${DOMAIN?} && echo ${SUBDOMAIN?}
    arrikto-cluster.apps.example.com
    
  3. Request a wildcard certificate for your desired subdomain:

    root@rok-tools:~/ops/deployments# aws acm request-certificate \
    >     --domain-name ${SUBDOMAIN?} \
    >     --subject-alternative-names "*.${SUBDOMAIN?}" \
    >     --validation-method DNS
    

    Note

    We request a wildcard certificate so that we can expose multiple virtual hosts behind the same ALB.

  4. Obtain the ARN of the ACM certificate:

    root@rok-tools:~/ops/deployments# export CERT=$(aws acm list-certificates | \
    >     jq -r '.CertificateSummaryList[] | select(.DomainName == "'${SUBDOMAIN?}'") | .CertificateArn') && echo ${CERT?}
    arn:aws:acm:us-east-1:123456789012:certificate/172a7741-87df-4dca-b75d-23ab06db3043
    
  5. Obtain the ID of the hosted zone for your domain:

    root@rok-tools:~# export AWS_ZONE_ID=$(aws route53 list-hosted-zones | \
    >     jq -r '.HostedZones[] | select(.Name == "'${DOMAIN?}.'") | .Id') && \
    >          echo ${AWS_ZONE_ID?}
    /hostedzone/Z08893681AKMCJZ2MRWZ4
    
  6. Create the necessary CNAME records for DNS validation on Amazon Route 53:

    root@rok-tools:~/ops/deployments# aws acm describe-certificate --certificate-arn ${CERT?} | \
    >    jq -r '.Certificate.DomainValidationOptions[].ResourceRecord|.Name,.Value' | paste - - | \
    >        while read name value; do
    >            aws route53 change-resource-record-sets \
    >                --hosted-zone-id ${AWS_ZONE_ID?} \
    >                --change-batch '{"Comment": "Add CNAME for ACM DNS Validation",
    >                                 "Changes": [
    >                                    {
    >                                      "Action": "UPSERT",
    >                                      "ResourceRecordSet": {
    >                                        "Name": "'$name'",
    >                                        "Type": "CNAME",
    >                                        "TTL": 300,
    >                                        "ResourceRecords": [
    >                                          {
    >                                            "Value": "'$value'"
    >                                          }
    >                                        ]
    >                                      }
    >                                    }
    >                                  ]
    >                                }'
    >        done
    

    Note

    ACM supports creating the necessary Route 53 records only via the Console, so here you make the required AWS CLI calls directly to Route 53. Route 53 requires a CNAME for each domain trusted in the certificate, that is, the CN plus the SANs. Since the certificate you requested is associated with two domain names, you will end up with two CNAME records.

  7. Wait until ACM issues your certificate by inspecting its status:

    root@rok-tools:~/ops/deployments# aws acm describe-certificate \
    >     --certificate-arn ${CERT?} \
    >     --query Certificate.Status \
    >     --output text
    ISSUED
    
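As an added example (not part of the original procedure or of the rok-tools tooling), the Python below does offline what steps 6 and 7 do with jq and the AWS CLI: it turns `aws acm describe-certificate` output into a single Route 53 UPSERT change batch and classifies the certificate status so a wait loop stops on terminal failures instead of polling forever. It goes slightly beyond the page by collapsing identical validation records, so one batch never carries the same record set twice, and by refusing any non-CNAME record. The sample JSON is constructed; its record names and values are placeholders.

```python
import json

# Constructed sample of `aws acm describe-certificate` output for a request
# covering the subdomain and its wildcard SAN; names and values are made up.
SAMPLE_DESCRIBE = json.dumps({"Certificate": {
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {"DomainName": "arrikto-cluster.apps.example.com",
         "ResourceRecord": {"Name": "_1234abcd.arrikto-cluster.apps.example.com.",
                            "Type": "CNAME", "Value": "_5678efgh.acm-validations.aws."}},
        {"DomainName": "*.arrikto-cluster.apps.example.com",
         "ResourceRecord": {"Name": "_1234abcd.arrikto-cluster.apps.example.com.",
                            "Type": "CNAME", "Value": "_5678efgh.acm-validations.aws."}},
    ]}})


def validation_records(describe_json):
    """Return the unique (name, value) CNAME pairs ACM asks for; duplicates are
    dropped and a non-CNAME record is refused rather than written unnoticed."""
    cert = json.loads(describe_json)["Certificate"]
    unique = []
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if rr is None:  # ACM has not generated the record yet; poll again later
            continue
        if rr["Type"] != "CNAME":
            raise ValueError("unexpected validation record type: %s" % rr["Type"])
        pair = (rr["Name"], rr["Value"])
        if pair not in unique:
            unique.append(pair)
    return unique


def change_batch(records, ttl=300):
    """Build one Route 53 UPSERT change batch for all validation CNAMEs."""
    return {"Comment": "Add CNAME for ACM DNS Validation",
            "Changes": [{"Action": "UPSERT",
                         "ResourceRecordSet": {"Name": name, "Type": "CNAME", "TTL": ttl,
                                               "ResourceRecords": [{"Value": value}]}}
                        for name, value in records]}


def certificate_state(describe_json):
    """Map the ACM status to done/pending/failed so a wait loop can stop."""
    cert = json.loads(describe_json)["Certificate"]
    status = cert["Status"]
    if status == "ISSUED":
        return "done"
    if status in ("FAILED", "VALIDATION_TIMED_OUT", "REVOKED", "EXPIRED"):
        return "failed: " + cert.get("FailureReason", status)
    return "pending"
```

Feed the resulting batch to `aws route53 change-resource-record-sets --change-batch` as a JSON string, and keep polling `certificate_state` until it returns anything other than "pending".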

Verify

  1. List your ACM certificates and verify that you have an issued ACM certificate for your subdomain:

    root@rok-tools:~/ops/deployments# aws acm list-certificates \
    >     --certificate-statuses ISSUED \
    >     --query CertificateSummaryList[].[CertificateArn,DomainName] \
    >     --output text
    ...
    arn:aws:acm:us-east-1:123456789012:certificate/57da23e0-4964-4511-9082-a47d425e7c2a  arrikto-cluster.apps.example.com
    

Summary

You have successfully created an ACM certificate for your subdomain.

What’s Next

The next step is to deploy cert-manager, since the AWS Load Balancer Controller requires it.