
AWS CloudFormation: Writing a Lambda function to verify domain ownership for ACM Certificates

I am creating an ACM Cert in CloudFormation. Based on this documentation, AWS sends out an email to the addresses registered in WHOIS.

The docs for CloudFormation say:

Important

When you use the AWS::CertificateManager::Certificate resource in an AWS CloudFormation stack, the stack will remain in the CREATE_IN_PROGRESS state and any further stack operations will be delayed until you act upon the instructions in the certificate validation email.

Usually for similar things, like creating and accepting a VPC peering connection in multiple accounts, or enabling SNS Topic subscriptions that are created in CFN, I write a Lambda function as a Custom Resource to handle that.

What would be the API calls needed to verify domain ownership? Can this even be done in a Lambda function?

Chances are the emails will go to the IT Manager, but it would be nice to have that automated.

There is no API call to verify domain ownership, as this needs to be verified with the email on your WHOIS records.

You can also automate it this way. Change the technical contact email address of the WHOIS records to an SES domain email address.

SES Email --> S3 Bucket (Trigger) --> Lambda (Confirm with the link in the content of the email).

You need to revert your email address back to your inbox, in case any email needs to be delivered to the Technical contact relating to your domain or subdomain.

Documentation on domain verification:

http://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate.html

Thx!

This repo aws-cfn-acm contains a CloudFormation template including a Lambda function that works in a similar way to your requirements.

The Lambda function automates the certificate validation by the DNS method, not the EMAIL method you are using. It requires that the domain name related to the certificate is hosted in name.com. name.com provides an API service that the Lambda function can leverage. It should be easy to extend to support other DNS service providers.

The template uses an inline Lambda function, and the code is not easy to read; here's a well-formatted version of the Lambda function.
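The repo's own Lambda is not reproduced on this page, so here is an added example of the same idea, written for this answer and not taken from aws-cfn-acm: a custom-resource handler that requests the certificate with DNS validation, polls DescribeCertificate for the CNAME challenges, publishes them, and answers CloudFormation. It assumes Route 53 as the DNS provider (the `route53.change_resource_record_sets` call is where the name.com API call would go), and the resource property names DomainName, HostedZoneId and SubjectAlternativeNames are my own choice.

```python
import json
import time
import urllib.request

def validation_records(acm, cert_arn, attempts=12, delay=5):
    """Poll DescribeCertificate until each domain on the cert has its CNAME challenge."""
    for _ in range(attempts):
        opts = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"].get("DomainValidationOptions", [])
        records = [o["ResourceRecord"] for o in opts if "ResourceRecord" in o]
        if opts and len(records) == len(opts):
            return records
        time.sleep(delay)  # ACM attaches the records a few seconds after RequestCertificate
    raise TimeoutError("no DNS validation records yet for " + cert_arn)

def request_dns_validated_cert(acm, route53, hosted_zone_id, domain, sans=(), delay=5):
    """Request the cert and UPSERT each validation CNAME exactly as ACM gives it; returns (ARN, names)."""
    kwargs = {"DomainName": domain, "ValidationMethod": "DNS"}
    if sans:
        kwargs["SubjectAlternativeNames"] = list(sans)
    arn = acm.request_certificate(**kwargs)["CertificateArn"]
    changes = [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": r["Name"], "Type": r["Type"], "TTL": 300,
        "ResourceRecords": [{"Value": r["Value"]}]}}
        for r in validation_records(acm, arn, delay=delay)]
    # Least privilege: grant route53:ChangeResourceRecordSets on this hosted zone only.
    route53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch={"Changes": changes})
    return arn, [c["ResourceRecordSet"]["Name"] for c in changes]

def cfn_response(event, status, physical_id, data=None, reason=""):
    """PUT the result to the pre-signed ResponseURL, else the stack sits in CREATE_IN_PROGRESS."""
    body = json.dumps({"Status": status, "Reason": reason or status, "PhysicalResourceId": physical_id,
                       "StackId": event["StackId"], "RequestId": event["RequestId"],
                       "LogicalResourceId": event["LogicalResourceId"], "Data": data or {}}).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req).close()

def lambda_handler(event, context):
    import boto3  # imported here so the functions above stay testable offline
    p = event["ResourceProperties"]  # hypothetical props: DomainName, HostedZoneId, SubjectAlternativeNames
    try:
        if event["RequestType"] == "Delete":  # a certificate still in use cannot be deleted; leave it
            return cfn_response(event, "SUCCESS", event["PhysicalResourceId"])
        arn, names = request_dns_validated_cert(boto3.client("acm"), boto3.client("route53"),
                                                p["HostedZoneId"], p["DomainName"], p.get("SubjectAlternativeNames", ()))
        cfn_response(event, "SUCCESS", arn, {"CertificateArn": arn, "Records": names})
    except Exception as exc:  # always answer CloudFormation, even on failure, or the stack hangs
        cfn_response(event, "FAILED", event.get("PhysicalResourceId", "none"), reason=str(exc))
```

Returning SUCCESS as soon as the CNAMEs exist lets the stack continue; if a downstream resource needs the issued certificate, keep polling DescribeCertificate until Certificate.Status is ISSUED before responding.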
