Add wildcard ACM certs back #452

Closed
tj opened this Issue Nov 30, 2017 · 7 comments

@tj
Member

commented Nov 30, 2017

  • It's less annoying for sub-domains (only need to verify one)
  • It's easy to hit the (default) ACM cert limit for your account
  • Still required for sub-sub domains, so we need some logic here to determine when a new cert is necessary
  • Make sure deleting the stack won't take other services with it...
  • confirm they are not removed upon stack deletion

@tj tj added this to the 0.5.0 milestone Nov 30, 2017

@cederigo


commented Dec 8, 2017

This would be awesome. Now I'm finding myself not specifying stages at all, to set them up later on API Gateway manually. I thought about the problem and came up with the following idea for how this could be implemented:

{
  "stages": {
    "production": {
      "domain": "api.gh-polls.com",
      "cert": "*.gh-polls.com"
    },
    // Or maybe specify the certificate arn?
    "staging": {
      "domain": "stage.gh-polls.com",
      "cert": "arn:aws:acm:us-east-1..."
    }
  }
}

This could be added without breaking changes and your requirements above could be met. What do you think?

@tj

Member Author

commented Dec 8, 2017

I'd like to avoid specifying the cert, I think we can pretty easily determine when to use a wildcard programmatically. Stack deletion may be an issue though, I have to double check that.

@cederigo


commented Dec 8, 2017

Would you accept a PR? I'm pretty new to Golang but I want to do more with it. For the programmatic part, would you do something like:

  1. List certs and use existing wildcard cert that matches if possible.
  2. If not 1., create wildcard cert

or something fancier? For the deletion I would need some hints
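
The selection logic discussed in this thread (reuse a matching wildcard cert, otherwise request one, with sub-sub domains needing their own), as an added example that is not part of the original comments and is not Up's own code. `covers` and `pickCert` are hypothetical helpers, the certificate list is constructed sample data, and a two-label name is assumed to be the apex domain.

```go
package main

import (
	"fmt"
	"strings"
)

// covers reports whether a certificate name protects domain. A wildcard
// stands in for exactly one leftmost label, so "*.gh-polls.com" covers
// "api.gh-polls.com" but neither "gh-polls.com" nor "v1.api.gh-polls.com".
func covers(certName, domain string) bool {
	certName, domain = strings.ToLower(certName), strings.ToLower(domain)
	if !strings.HasPrefix(certName, "*.") {
		return certName == domain
	}
	i := strings.Index(domain, ".")
	return i > 0 && domain[i+1:] == certName[2:]
}

// pickCert (hypothetical helper) returns the certificate name to use for
// domain and whether it already exists in the account's certificate list.
func pickCert(domain string, existing []string) (name string, reuse bool) {
	for _, c := range existing {
		if covers(c, domain) {
			return c, true
		}
	}
	// Assumption: a two-label name is the apex (no public-suffix lookup),
	// and a wildcard never covers the apex, so request it by name.
	if strings.Count(domain, ".") < 2 {
		return domain, false
	}
	return "*." + domain[strings.Index(domain, ".")+1:], false
}

func main() {
	existing := []string{"*.gh-polls.com"} // constructed sample list
	for _, d := range []string{"api.gh-polls.com", "stage.gh-polls.com",
		"v1.api.gh-polls.com", "gh-polls.com"} {
		name, reuse := pickCert(d, existing)
		fmt.Printf("%-22s cert=%-20s reuse=%v\n", d, name, reuse)
	}
}
```

Matching on exactly one label keeps a broad wildcard from being attached to a deeper name it does not actually protect, which would otherwise surface as a certificate mismatch at the client.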

@tj

Member Author

commented Dec 8, 2017

I'm not sure off-hand what AWS' behaviour is for the deletion. I believe it will refuse to delete certs used by other apps. If that's the case this might not be worth adding

@cederigo


commented Dec 8, 2017

I also think that's the case. I will double check it and if it refuses to delete used certs, just log it accordingly. Ok?

@tj

Member Author

commented Dec 9, 2017

oh right, I forgot that we have certs outside of CloudFormation. Go for it :D. util.Domain may be useful there.

cederigo added a commit to cederigo/up that referenced this issue Dec 26, 2017

cederigo added a commit to cederigo/up that referenced this issue Jan 8, 2018

@tj

Member Author

commented Jan 16, 2018

Should have this in soon, waiting on more certs from AWS for testing

@tj tj closed this in 3f21624 Jan 18, 2018
