Contradictory Information in Video

In the video between 6:03 and 6:17, Ryan says that, "But when you basically buy a domain through Route 53, or even you don’t have to buy it through Route 53, you can buy it through GoDaddy or whatever. You can still have Amazon issue the certificate and it will be automatically renewed." But in the last slide at the end of the video, it states, "SSL Certificates renew automatically, provided you purchased the domain name from Route 53 and it’s not for a Route 53 private hosted zone." So which is it: do you need to buy the domain through Route 53 to enable automatic renewal or not?

I think Ryan is correct, but the last slide is incorrect. The last slide should state, "SSL Certificates renew automatically, provided that ACM issued the original certificate and it’s not for a Route 53 private hosted zone."

As always, when in doubt check the doco.

– https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html

Thinking it through:

The cert is issued for the domain / zone.

When you create the Cert, you need to prove that you own/control the Zone. This does not require it to be an AWS Domain (I have several with different domain authorities).

Once the certificate is issued, renewal is about refreshing the CA authority and issuing new public key hashes. That is done by the CA, not the zone or DNS.

I will need to research this more to see if I have it right or not 🙂

– circa 2019: https://docs.aws.amazon.com/acm/latest/userguide/acm-ug.pdf

Nothing authoritative. I guess we will each need to test it 😀

Just wanted to drop some extra points into this!

ACM is happy to work with a Domain name from any registrar, hosted by any DNS service. The only thing you need is to have your domain verified for it to work with Route 53.

In terms of the auto-renewal, as long as your domain is validated, and you’re only using the certificates on AWS native services like CloudFront or Elastic Load Balancers, it will work without an issue. Where the auto-renewal doesn’t work is if you export the certificate from ACM (incurring a cost), and install it directly within an EC2 instance, or something similar. Since ACM doesn’t have the ability to reach that certificate, it can’t be automatically renewed, and instead would have to be done manually.

We’ve left some notes to update the course to this as well; hope this clarifies your queries!
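An added example, not from the course or from anyone in this thread, that checks the conditions the replies above describe (ACM-issued, domain still validated, attached to an AWS service rather than exported) against the JSON that `aws acm describe-certificate` returns. The sample JSON, the ARN and the function names are constructed for illustration; the field names are the ones ACM actually returns.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate` output; only the
# fields this check reads are included (ARN and account id are placeholders).
SAMPLE = json.dumps({"Certificate": {
    "DomainName": "example.com",
    "Type": "AMAZON_ISSUED",
    "RenewalEligibility": "ELIGIBLE",
    "InUseBy": ["arn:aws:cloudfront::111111111111:distribution/EXAMPLE"],
    "DomainValidationOptions": [{
        "DomainName": "example.com",
        "ValidationMethod": "DNS",
        "ValidationStatus": "SUCCESS",
        "ResourceRecord": {"Name": "_abc.example.com.", "Type": "CNAME",
                           "Value": "_xyz.acm-validations.aws."},
    }],
}})


def renewal_findings(describe_output: str) -> list:
    """Reasons ACM managed renewal may not happen for this certificate.

    Empty list = nothing in the metadata blocks auto-renewal. The checks mirror
    the thread: ACM-issued, domain still validated, and in use by an AWS
    service (an exported copy installed on EC2 is invisible to ACM)."""
    cert = json.loads(describe_output)["Certificate"]
    findings = []
    if cert.get("Type") != "AMAZON_ISSUED":
        findings.append("Type=%s: only ACM-issued certificates are renewed" % cert.get("Type"))
    if cert.get("RenewalEligibility") != "ELIGIBLE":
        findings.append("RenewalEligibility=%s" % cert.get("RenewalEligibility"))
    if not cert.get("InUseBy"):
        findings.append("not attached to any AWS service; an exported copy must be renewed by hand")
    for dvo in cert.get("DomainValidationOptions", []):
        name = dvo.get("DomainName")
        if dvo.get("ValidationMethod") == "EMAIL":
            findings.append("%s: email validation may need a human reply at renewal" % name)
        elif dvo.get("ValidationStatus") != "SUCCESS":
            findings.append("%s: validation status is %s" % (name, dvo.get("ValidationStatus")))
    return findings


def validation_cnames(describe_output: str) -> list:
    """(name, value) CNAME records that must stay published in DNS, at any
    registrar or DNS host, for DNS-validated renewal to keep working."""
    cert = json.loads(describe_output)["Certificate"]
    return [(d["ResourceRecord"]["Name"], d["ResourceRecord"]["Value"])
            for d in cert.get("DomainValidationOptions", [])
            if d.get("ValidationMethod") == "DNS" and "ResourceRecord" in d]


if __name__ == "__main__":
    print(renewal_findings(SAMPLE) or ["auto-renewal looks fine"])
    print(validation_cnames(SAMPLE))
```

Feed it the real output (`aws acm describe-certificate --certificate-arn ... > cert.json`) and any non-empty findings list is the reason to expect a manual renewal; the CNAME list is what to verify is still present at whatever DNS provider hosts the zone.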

