copilot-cli: copilot app init --domain followed by copilot init fails due to HTTPSCert

Hi @lexicalunit!

Hopefully I can help. Focusing on getting the Copilot ACM automation. It’s likely that your CAA record is causing the issues. If you have not modified it, that’s the root cause.

Perform the following:

1. (AWS) Create a public hosted zone for aws.spellbot.io.
2. (Parent zone registrar) Take the 4 name server hosts and create NS records in the parent zone spellbot.io

Ref A

Additionally, you will need to have a proper CA authorization record (CAA). They are hierarchical. CAs will search the most specific subdomain for authorization first (aws.spellbot.io, then spellbot.io) This shows that you have only authorized letsencrypt.org for your entire domain hierarchy. To ensure AWS ACM can issue certificates, you can do one of the following:

1. Add to the current CAA record in your parent domain. It looks like you could click Add Parameter in the DNS-CAA UI.
2. Create a new CAA record in your aws.spellbot.io subdomain. This allows you to restrict ACM to only issue certificates for the aws.spellbot.io subdomain.

Refs A B

You will need to add this data into either CAA record:

0 issue "amazon.com"
0 issue "amazontrust.com"
0 issue "awstrust.com"
0 issue "amazonaws.com"

If you do option # 2, it should look like this:

After that you should be able to begin to use Copilot.

# The following will create a new Route53 hosted zone of ${AppName}.${DomainName}
copilot app init --domain aws.spellbot.io

# If you elect to deploy as part of the `copilot svc init`,
# a 'test' environment will be created, and
# a new Route53 hosted zone of test.${AppName}.${DomainName} will be created.
#
# Next an ACM certificate *request* will be created for
# test.${AppName}.${DomainName} and *.test.${AppName}.${DomainName}.
#
# The ACM DNS validation records (CNAMEs) will be automatically added to the test.${AppName}.${DomainName}
# Route53 hosted zone.
copilot svc init

The AWS ACM console will show you the status of the certificate issuance.

I’d done everything except for step 4 there, maybe that was the issue?

@efekarakus yeah definitely got that message. What I learned, and I guess I should have known by now, is that even though you pass a root hosted zone, copilot will not when using an alias create more than a single hosted zone off of that. If your root is example.com, you can’t set an alias like api.appName.example.com as appName.example.com doesn’t exist or may not be owned by copilot. We temporarily renamed to appName-api.example.com to get around for the moment.

There is also another alternative for getting https://aws.spellbot.io to work with Copilot: https://aws.github.io/copilot-cli/docs/developing/domain/#use-domain-in-your-existing-validated-certificates

So you can keep your existing, and navigate to AWS Certificate Manager to create a certificate for aws.spellbot.io. Then in your environment manifest, you can add the certificate to the load balancer: https://aws.github.io/copilot-cli/docs/manifest/environment/#http-public-certificates Then you can point to the aws.spellbot.io domain to the load balancer and it should work! However, the tradeoff is that it’s a lot more steps than the --domain flag

This is ultimately what I did 👍🏻

Which region are you deploying in? ACM certificate validation can sometimes take a long time, and we have a timeout for the Lambda function that creates the certificate for 15 mins 💭 .

I’ve been trying us-east-1. It does seem like it takes about 15 minutes for the error to occur.

Which region are you deploying in? ACM certificate validation can sometimes take a long time, and we have a timeout for the Lambda function that creates the certificate for 15 mins 💭 .

I wonder if we are running into a timeout issue 😢 if so I think the safest bet would be to not use --domain flag, create the ACM certificate separately, and update the environment manifest to use the ACM certificate.