
[aws-certificatemanager] validationDomains does not need to be supplied for PCA certificates #10076

Closed
otterley opened this issue Aug 31, 2020 · 3 comments · Fixed by #16315
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1

Comments

@otterley
Contributor

When using tokens for domain names, attempting to create a new ACM certificate throws the error:

When using Tokens for domain names, 'validationDomains' needs to be supplied

This makes sense when generating a public certificate, but not for a private certificate issued by Private Certificate Authority (PCA) since these certificates are not validated.

Reproduction Steps

    import * as acm from '@aws-cdk/aws-certificatemanager';
    import * as cdk from '@aws-cdk/core';

    // sdService, namespace and CertificateAuthorityArn are defined elsewhere in the stack
    const serviceCertificate = new acm.Certificate(
      this,
      "ServiceCertificate",
      {
        domainName: `${sdService.serviceName}.${namespace.namespaceName}`,
      }
    );
    // App Mesh Gateways and Virtual Nodes can only use PCA or file-backed certificates
    // Escape hatch: set CertificateAuthorityArn on the underlying CfnCertificate resource
    (serviceCertificate.node
      .defaultChild as cdk.CfnResource).addPropertyOverride(
      "CertificateAuthorityArn",
      CertificateAuthorityArn
    );

What did you expect to happen?

What actually happened?

Environment

  • CLI Version : 1.61.1
  • Framework Version: 1.61.1
  • Node.js Version: 12.18.1
  • OS : MacOS Catalina
  • Language (Version): TypeScript

This is 🐛 Bug Report

@otterley otterley added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 31, 2020
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Aug 31, 2020
@otterley
Contributor Author

otterley commented Aug 31, 2020

Additionally, if tokens are not used in the code, CDK nevertheless will auto-inject domain validation properties, which can fail textual validation if the domain name does not have a dot in it.

Example:

    "ServiceCertificateXXXXX": {
      "Type": "AWS::CertificateManager::Certificate",
      "Properties": {
        "DomainName": "app.test",
        "CertificateAuthorityArn": "arn:aws:acm-pca:us-east-2:xxxxxx:certificate-authority/xxxxxx",
        "DomainValidationOptions": [
          {
            "DomainName": "app.test",
            "ValidationDomain": "test"
          }
        ],
        "ValidationMethod": "EMAIL"
      },
      "Metadata": {
        "aws:cdk:path": "xxxxx"
      }
    },

The DomainValidationOptions property should be omitted if the certificate is issued by PCA.
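A quick way to catch this in a synthesized template before deploy is to lint it for certificates that reference a Private CA yet still carry public-validation properties. The checker below is an added example, not part of aws-cdk or this issue; the template it scans is constructed to mirror the synthesized output above, with the CA ARN kept as the same placeholder.

```typescript
// Hypothetical lint over a parsed CloudFormation template: flags ACM certificates that
// set CertificateAuthorityArn (PCA-issued) but also carry DomainValidationOptions or
// ValidationMethod, plus any ValidationDomain without a dot. Not part of aws-cdk.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
interface Finding { logicalId: string; problem: string }

function lintCertificates(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::CertificateManager::Certificate') continue;
    const props = res.Properties ?? {};
    const isPrivate = props.CertificateAuthorityArn !== undefined;
    const validationOpts = props.DomainValidationOptions as
      { DomainName?: string; ValidationDomain?: string }[] | undefined;
    if (isPrivate && validationOpts !== undefined) {
      findings.push({ logicalId, problem: 'DomainValidationOptions set on PCA-issued certificate' });
    }
    if (isPrivate && props.ValidationMethod !== undefined) {
      findings.push({ logicalId, problem: 'ValidationMethod set on PCA-issued certificate' });
    }
    for (const opt of validationOpts ?? []) {
      if (opt.ValidationDomain !== undefined && !opt.ValidationDomain.includes('.')) {
        findings.push({ logicalId, problem: `ValidationDomain "${opt.ValidationDomain}" has no dot` });
      }
    }
  }
  return findings;
}

// Constructed sample: the PCA certificate from the issue plus a normal public certificate.
const sampleTemplate: CfnTemplate = {
  Resources: {
    ServiceCertificateXXXXX: {
      Type: 'AWS::CertificateManager::Certificate',
      Properties: {
        DomainName: 'app.test',
        CertificateAuthorityArn: 'arn:aws:acm-pca:us-east-2:xxxxxx:certificate-authority/xxxxxx',
        DomainValidationOptions: [{ DomainName: 'app.test', ValidationDomain: 'test' }],
        ValidationMethod: 'EMAIL',
      },
    },
    PublicCert: {
      Type: 'AWS::CertificateManager::Certificate',
      Properties: { DomainName: 'www.example.com', ValidationMethod: 'DNS' },
    },
  },
};
```

Running it over the output of `cdk synth` would report three findings for ServiceCertificateXXXXX and none for the public certificate.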

@njlynch
Contributor

njlynch commented Sep 1, 2020

Thanks for the report, @otterley.

At this time, the Certificate construct doesn't support PCAs, which is why you're needing to resort to escape hatches and encountering errors. I'm going to re-tag this as a feature request to track that support.

In the meantime, I'd suggest just using the underlying CfnCertificate directly, as the Certificate class isn't buying you much without the domain validation.

import { CfnCertificate } from '@aws-cdk/aws-certificatemanager';

// L1 construct: no DomainValidationOptions or ValidationMethod are injected
new CfnCertificate(this, 'ServiceCertificate', {
  certificateAuthorityArn: 'arn:aws:acm-pca:us-east-2:xxxxxx:certificate-authority/xxxxxx',
  domainName: `${sdService.serviceName}.${namespace.namespaceName}`,
});

@njlynch njlynch added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 1, 2020
@mergify mergify bot closed this as completed in #16315 Nov 1, 2021
mergify bot pushed a commit that referenced this issue Nov 1, 2021
…rivate Certificate Authority (#16315)

Support requesting private certificates issued by Private Certificate Authority. 

Similar to the existing construct named `Certificate`, a new construct `PrivateCertificate` was introduced. There are two main differences between them. `PrivateCertificate` has an additional property `certificateAuthority` to specify the Private certificate authority (CA) that will be used to issue the certificate. The validation options are removed because no validation is necessary for private certificates.

Closes #10076.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions

github-actions bot commented Nov 1, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
