Use AWS SES to validate ACM certificate request


In case you are not familiar with AWS abbreviation, SES stands for Simple Email Service, ACM is short for AWS Certificate Manager. These two are independent services, each can work without the other. But in some scenarios, you may need to make them work together to solve your problem. For example:

  • The domain does not have MX record/ SMTP service.
  • The domain’s registrant contact Email is private which can not be query via whois

SES not only allows you to send email but also receive emails. The solution basically is to create a SMTP service for your domain in SES. It allows you to receive the validate request approval so to generate the certificate in ACM.

Let’s take myawesomedomain.com.au domain for instance. I need to create a wildcard SSL certificate in ACM for its subdomain services.myawesomedomain.com.au which does not have a MX records/ SMTP service.

If the registrant contact email address of myawesomedomain.com.au is exposed to public whois query. Then you can validate the domain by sending the request to the parent domain. This feature is not available in AWS console, only can be done in CLI or API. Here is the CLI syntax:

aws acm request-certificate –domain-name *.services.myawesomedomain.com.au –domain-validation-options DomainName=*.services.myawesomedomain.com.au,ValidationDomain=myawesomedomain.com.au

Unfortunately, for security reasons most domains’ information is not exposed to public whois query (some vendors allow you to change the private/ public settings). This is a good use case of SES. And here is the how to:

  1. Update your domain DNS zone file to add a txt record, and a MX record: Follow the SES domain verification wizard to add the domain myawesomedomain.com.au. AWS will provide you the txt record (for domain verification) and MX record(for incoming SMTP service)
  2. Create a incoming mail rule to allow SES to upload the mail messages to S3 bucket: Attach the following policy to a S3 bucket. In my example it is myawesomedomain-ses. (replace$AWSACCOUNTID with the 12 digits AWS account ID)
    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "GiveSESPermissionToWriteEmail",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "ses.amazonaws.com"
                    ]
                },
                "Action": [
                    "s3:PutObject"
                ],
                "Resource": "arn:aws:s3:::myawesomedomain-ses/*",
                "Condition": {
                    "StringEquals": {
                        "aws:Referer": "$AWSACCOUNTID"
                    }
                }
            }
        ]
    }
    

    Then create a new rule in the Email Receiving Rule Sets:  add two recipients ( myawesomedomain.com.au and .myawesomedomain.com.au), this allows it to receive the mail for both top level domain and subdomains. Then choose S3 action to write the message to files in the above bucket. And optionally you can enable SNS so you will get a SNS notification when new emails are received in S3 bucket.

  3. Request a certificate in ACM then check emails in S3 bucket:  Request certificate for *.services.myawesomedomain.com.au in ACM, then check if any new files in the S3 bucket myawesome-ses. Open the new file then go the embedded link to approve the certificate request.

    This is how my bucket looks like:
    Screen Shot 2017-06-22 at 4.29.25 PM.png

    This is how the approval page looks like:
    Screen Shot 2017-06-22 at 10.26.35 PM.png

    This is how to certificate looks like:
    Screen Shot 2017-06-22 at 4.32.43 PM.png

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s