
I have a google managed domain, and a lambda based api in aws api gateway. I want to create a sub domain that points to api gateway.

I created an ACM Certificate using AWS Certificate Manager. This included creating CNAME credentials, which were imported into my Google domain. AWS performed the handshake and validated the credentials.

I then created a custom domain in AWS API Gateway. I named it the same as the ACM certificate's domain, api.coopstools.com, and attached it to the ACM certificate. I then added the base path mapping to the API I created in Lambda.

(as a side note, I can hit and use the API using the default url that is provided when I staged the API, so I know it's up and running)

I did this all more than 24 hours ago (knowing that it sometimes takes a while).

I've tried hitting the endpoint to no avail, just receiving a "Could not resolve host: ..." message.

The dig result shows that the core domain has authority, but none of the subdomains show up.

Am I missing a piece in here? Or, are there any specific pieces of information needed to help me?

Thanks for any help,

P.S. I apologize for not giving more specific details as I still haven't figured out some of the security settings, and don't want to over expose anything.

EDIT: The issue was fixed thanks to @Joseph. All I had to do was take the Target Domain Name from the custom domain in API Gateway and use it to create a new CNAME entry in the Custom Resource Records of Google Domains (the same place I put the original CNAME for creating the ACM certificate). It took about a minute and a half for everything to update.

JRogerC

1 Answer


It sounds like you need another CNAME record pointing at your default API gateway domain. So for instance, if your custom domain is my.domain.com, you need to add a CNAME to my.domain.com that points to abcdefg.execute-api.us-east-1.amazonaws.com or whatever your API gateway domain currently is.

This is separate from the CNAME you already added, because that one was just to verify your ownership of the domain in question. With ACM, the verification CNAME sits on a subdomain of the domain you're verifying, so if you're verifying my.domain.com then the CNAME goes on e.g. _abcdef123456.my.domain.com. Which, obviously, doesn't help people who are trying to look up the address of my.domain.com.

Joseph Montanaro
  • Just to clarify what had already been done: 1) Created a certificate using AWS Certificate Manager. 2) Created a custom domain in the API Gateway, imported the certificate, AND defined at least 1 API mapping. 3) Added a CNAME entry in Google Domains where the name was the subdomain name (e.g. `my` for `my.domain.com`) and the data was something like `asdf.execute-api..amazonaws.com.`, basically the invoke URL without `https` but with a `.` at the end. The final step they forgot was to add a second CNAME entry for the certificate. – Jimbo Jan 07 '21 at 22:26
  • See also: https://docs.aws.amazon.com/amplify/latest/userguide/to-add-a-custom-domain-managed-by-google-domains.html It is for `amplify`, but it shows the entries needed. – Jimbo Jan 07 '21 at 22:27
  • Finally, there are currently some restrictions on certificate region. If you are using an `HTTP API` (cheaper) you have to use a regional endpoint type, and your certificate region has to match your API region. If you are using a `REST API` you can choose a `regional` or `edge` endpoint. If you want an `edge` endpoint then your certificate region has to be `us-east-1`: https://aws.amazon.com/premiumsupport/knowledge-center/custom-domain-name-amazon-api-gateway/ And as always, these rules may change tomorrow ... – Jimbo Jan 07 '21 at 22:32
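
The two DNS records from the answer (the ACM validation CNAME on `_xxx.my.domain.com` versus the CNAME on `my.domain.com` itself) and the certificate-region rules from the comments, as an added preflight example that is not part of the original question, answer or any AWS tooling. It runs offline against a constructed record set that stands in for the Google Domains custom resource records; `api.example.com`, the `_abcdef123456` validation label, the `_xyz.acm-validations.aws.` value and the `d-abc123.execute-api.us-east-1.amazonaws.com` target domain name are all placeholders. The "before" zone reproduces the asker's situation (validation record present, custom-domain record missing) and the "after" zone the fix from the EDIT; the region check follows the comment's rules plus the standard requirement that a regional custom domain's certificate live in the API's region.

```python
"""Preflight check for an API Gateway custom domain (added example, offline).

Two things go wrong in practice: the CNAME for the custom domain itself is
missing (the ACM validation CNAME on a _label subdomain does not answer
lookups for the domain), or the ACM certificate sits in the wrong region
for the chosen endpoint type.  Both checks run against constructed data.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]   # (rrtype, rdata)
Zone = Dict[str, Record]   # owner name -> single record (enough for this demo)

# Constructed zone as the asker first had it: only the ACM validation record.
# Values are placeholders, not real AWS identifiers.
ZONE_BEFORE: Zone = {
    "_abcdef123456.api.example.com.": ("CNAME", "_xyz.acm-validations.aws."),
}

# Constructed zone after the fix: the custom domain's own CNAME points at the
# Target Domain Name shown on the API Gateway custom-domain page (placeholder).
ZONE_AFTER: Zone = dict(ZONE_BEFORE)
ZONE_AFTER["api.example.com."] = (
    "CNAME", "d-abc123.execute-api.us-east-1.amazonaws.com.")


def _fqdn(name: str) -> str:
    """Normalise a name to lowercase with a trailing dot, zone-file style."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def resolve(zone: Zone, name: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs inside `zone` and return the name the chain ends on.

    Returns None when the queried name has no record at all (NXDOMAIN, the
    "Could not resolve host" from the question) or when the chain exceeds
    max_hops.  A target outside the zone (the *.execute-api.* name) is
    returned as-is; a real resolver would continue at that zone.
    """
    start = _fqdn(name)
    current = start
    for _ in range(max_hops):
        rec = zone.get(current)
        if rec is None:
            return None if current == start else current
        rrtype, rdata = rec
        if rrtype != "CNAME":
            return current          # A/AAAA/etc: chain ends here
        current = _fqdn(rdata)
    return None                     # loop or over-long chain


def missing_records(zone: Zone, custom_domain: str,
                    validation_label: str) -> List[str]:
    """Report which of the two CNAMEs from the thread are absent or wrong."""
    problems: List[str] = []
    domain = _fqdn(custom_domain)
    validation_name = _fqdn(f"{validation_label}.{custom_domain}")

    vrec = zone.get(validation_name)
    if (vrec is None or vrec[0] != "CNAME"
            or not vrec[1].endswith(".acm-validations.aws.")):
        problems.append(f"{validation_name}: ACM validation CNAME missing, "
                        "certificate will not be issued")

    crec = zone.get(domain)
    if crec is None or crec[0] != "CNAME":
        problems.append(f"{domain}: no CNAME to the custom domain's "
                        "Target Domain Name, clients cannot resolve it")
    elif ".execute-api." not in crec[1] and ".cloudfront.net." not in crec[1]:
        problems.append(f"{domain}: CNAME points at {crec[1]}, "
                        "not at an API Gateway target domain name")
    return problems


def certificate_region_ok(api_type: str, endpoint_type: str,
                          api_region: str, cert_region: str) -> Tuple[bool, str]:
    """Apply the region rules: HTTP APIs are regional-only; EDGE needs a
    us-east-1 certificate; REGIONAL needs the certificate in the API's region."""
    api_type, endpoint_type = api_type.upper(), endpoint_type.upper()
    if api_type == "HTTP" and endpoint_type != "REGIONAL":
        return False, "HTTP APIs only support REGIONAL custom domains"
    if endpoint_type == "EDGE":
        if cert_region != "us-east-1":
            return False, "EDGE custom domains need the certificate in us-east-1"
        return True, "ok"
    if endpoint_type == "REGIONAL":
        if cert_region != api_region:
            return False, (f"REGIONAL custom domains need the certificate "
                           f"in the API's region ({api_region})")
        return True, "ok"
    return False, f"unknown endpoint type {endpoint_type}"


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, "->", resolve(zone, "api.example.com"),
              missing_records(zone, "api.example.com", "_abcdef123456"))
    print(certificate_region_ok("HTTP", "EDGE", "eu-west-1", "us-east-1"))
```

Run it as a script to see the "before" zone fail to resolve while the validation record is present, and the "after" zone resolve to the placeholder target. Against a live zone the same questions are answered by `dig +short api.example.com CNAME` and `dig +short _abcdef123456.api.example.com CNAME` once the records have propagated.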