When you use Vercel to manage your DNS records, they generate SSL certificates for you.
I want to manage my DNS with Vercel, but still need an ACM Certificate in my AWS account. I've done this before with Route 53, but with Vercel I kept seeing mysterious failures.
After trying Email Validation, I switched to DNS Validation. I still got errors, but this time I got more information:
The status of this certificate request is "Failed". One or more domain names have failed validation due to a Certificate Authority Authentication (CAA) error.
After googling around, I found this note:
One or more domain names have failed validation due to a Certification Authority Authentication (CAA) error, check your CAA DNS records.
After going back to my domain in the Vercel dashboard, I found this record:
CAA 0 issue "letsencrypt.org"
Since there is no CAA record allowing Amazon to issue certificates, the request fails.
AWS provides documentation on how to configure a CAA record to allow ACM to generate certs. We need to add an extra record in Vercel:
CAA 0 issue "amazon.com"
Request a new ACM cert and this time it succeeds!
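To see why the first request failed and the second did not, here is the CAA decision sketched in Python. This is an added example, not code from AWS or Vercel: it follows the RFC 8659 lookup (climb from the requested name to the closest ancestor that has CAA records) over constructed records for the placeholder domain example.com. The Amazon issuer values are the ones AWS documents for ACM; CNAME and critical-flag handling are left out.

```python
# Added example: RFC 8659 CAA evaluation over constructed record sets.
# Issuer domains AWS documents as valid CAA values for ACM.
AMAZON_CAS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed zones for a placeholder domain (not real DNS data).
VERCEL_DEFAULT = {"example.com": ['CAA 0 issue "letsencrypt.org"']}
FIXED = {"example.com": ['CAA 0 issue "letsencrypt.org"',
                         'CAA 0 issue "amazon.com"']}

def parse_caa(line):
    """Parse 'CAA 0 issue "letsencrypt.org"' into (flags, tag, ca_domain)."""
    _, flags, tag, value = line.split(None, 3)
    # Drop the quotes and any ';'-separated parameters after the issuer domain.
    ca = value.strip().strip('"').split(";", 1)[0].strip().lower()
    return int(flags), tag.lower(), ca

def relevant_rrset(name, zone):
    """Climb from name toward the root; the first name with CAA records wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":            # a wildcard request is looked up at its parent
        labels = labels[1:]
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return [parse_caa(r) for r in records]
    return []

def ca_may_issue(name, zone, ca_domains=AMAZON_CAS):
    """True if CAA lets one of ca_domains issue a certificate for name."""
    rrset = relevant_rrset(name, zone)
    issue = [ca for _, tag, ca in rrset if tag == "issue"]
    issuewild = [ca for _, tag, ca in rrset if tag == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names only.
    allowed = issuewild if (name.startswith("*.") and issuewild) else issue
    if not allowed:
        return True                 # no record restricts this request
    return any(ca in ca_domains for ca in allowed)

if __name__ == "__main__":
    for label, zone in (("Vercel default", VERCEL_DEFAULT), ("fixed", FIXED)):
        for name in ("example.com", "api.example.com", "*.example.com"):
            print(f"{label:15} {name:18} ACM allowed: {ca_may_issue(name, zone)}")
```

Subdomains inherit the apex records, so a request for api.example.com fails the same way until the amazon.com record exists at example.com.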
Top comments (4)
Thanks for that. That's exactly what I was missing. After going through that and setting the path mappings for your API, did you run into any other issues? I'm still not seeing anything on my custom endpoint. I already added a CNAME record on Vercel's side to also point the domain to the api gateway execution domain.
I don't recall having any other issues. So you're routing a CNAME record to an API Gateway and when you make a request to it, the api isn't hit?
Nvm, I had missed adding the API gateway CNAME record to Vercel.
I had to do this for another one of my projects months later, and I had forgotten the exact steps to get this working. I asked ChatGPT and he helped me remember:
"How can I use a Vercel managed domain in AWS API Gateway?"
You can use a Vercel managed domain with AWS API Gateway by creating a custom domain name in API Gateway and setting up a DNS record with your DNS provider to point the domain to the API Gateway endpoint.
Here are the steps to do this:
For example, if the API Gateway endpoint is my-api.execute-api.us-east-1.amazonaws.com and the domain name is my-domain.com, you would create a CNAME record that maps my-domain.com to my-api.execute-api.us-east-1.amazonaws.com.
Once you have set up the DNS record, it can take some time for the changes to take effect. You can check the status of the custom domain in the API Gateway console to see when it is ready to use.
Posting here so others can benefit.