Joseph Snell

Generating ACM certificates for a Vercel-managed domain.

When you use Vercel to manage your DNS records, they generate SSL certificates for you.

I want to manage my DNS with Vercel, but still need an ACM Certificate in my AWS account. I've done this before with Route 53, but with Vercel I kept seeing mysterious failures.

After trying Email Validation, I switched to DNS Validation. I still got errors, but this time I got more information:

The status of this certificate request is "Failed". One or more domain names have failed validation due to a Certificate Authority Authentication (CAA) error.

After googling around, I found this note:

One or more domain names have failed validation due to a Certification Authority Authentication (CAA) error, check your CAA DNS records..

After going back to my domain in the Vercel dashboard, I found this record:

CAA 0 issue "letsencrypt.org"

Since there is no CAA record allowing Amazon to issue certificates, the request fails.

AWS provides documentation on how to configure a CAA record to allow ACM to generate certs. We need to add an extra record in Vercel:

CAA 0 issue "amazon.com"

Request a new ACM cert and this time it succeeds!
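The CAA decision behind that failure can be reproduced offline. The following is an added example, not code from the original post or from AWS: it evaluates CAA record sets the way RFC 8659 describes and generalizes beyond the post to parent-domain lookup and wildcard names. The `example.com` zones and all function names are constructed for illustration.

```python
# Added example: offline CAA evaluation (RFC 8659) over constructed record sets.
# Each record is (flags, tag, value), as in `CAA 0 issue "letsencrypt.org"`.

def relevant_rrset(name, zone):
    """Climb from `name` toward the root; the first non-empty CAA set applies."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]          # wildcard names start the search at the parent
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []                        # no CAA anywhere: issuance is unrestricted

def issuer_domain(value):
    """Strip parameters (after ';') from an issue/issuewild value."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca_domain, zone):
    """Return (allowed, reason) for `ca_domain` issuing a certificate for `name`."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records; any CA may issue"
    known = {"issue", "issuewild", "iodef"}
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in known:
            return False, f"unknown critical property {tag!r}"
    tag = "issue"
    if name.startswith("*.") and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"            # issuewild overrides issue for wildcard names
    allowed = [issuer_domain(v) for _, t, v in rrset if t.lower() == tag]
    if not allowed:
        return True, f"no {tag} property; issuance not restricted"
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} listed in {tag}"
    return False, f"{ca_domain} not in {tag} list {allowed}"

# Constructed sample zones mirroring the records shown in the post.
before = {"example.com": [(0, "issue", "letsencrypt.org")]}
after = {"example.com": [(0, "issue", "letsencrypt.org"),
                         (0, "issue", "amazon.com")]}

if __name__ == "__main__":
    for label, zone in (("before", before), ("after", after)):
        print(label, may_issue("api.example.com", "amazon.com", zone))
```

Because the lookup climbs to the parent, a single CAA record at the apex also governs every subdomain that has no CAA set of its own, which is why a certificate for a subdomain fails until the apex record set lists `amazon.com`.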

Latest comments (4)

Alejandro Corredor

Thanks for that. That's exactly what I was missing. After going through that and setting the path mappings for your API, did you run into any other issues? I'm still not seeing anything on my custom endpoint. I already added a CNAME record on Vercel's side to also point the domain to the api gateway execution domain.

Joseph Snell

I don't recall having any other issues. So you're routing a CNAME record to an API Gateway and when you make a request to it, the api isn't hit?

Alejandro Corredor

Nvm, I had missed adding the API gateway CNAME record to Vercel.

Alejandro Corredor

I had to do this for another one of my projects months later, and I had forgotten the exact steps to get this working. I asked ChatGPT and he helped me remember:

"How can I use a Vercel managed domain in AWS API Gateway?"

You can use a Vercel managed domain with AWS API Gateway by creating a custom domain name in API Gateway and setting up a DNS record with your DNS provider to point the domain to the API Gateway endpoint.

Here are the steps to do this:

In the API Gateway console, choose Custom Domain Names from the navigation pane.

Choose Create and enter a name for your custom domain.

In the Domain Name field, enter your Vercel managed domain name.

Choose the appropriate protocol and security policy for your API.

In the ACM Certificate ARN field, enter the ARN of the SSL certificate for your domain. This can be obtained from the Vercel console.

Choose Create to create the custom domain.

After the custom domain is created, you will need to set up a DNS record with your DNS provider to point the domain to the API Gateway endpoint. The specific steps for doing this will vary depending on your DNS provider, but generally you will need to create a CNAME record that maps the domain name to the API Gateway endpoint.

For example, if the API Gateway endpoint is my-api.execute-api.us-east-1.amazonaws.com and the domain name is my-domain.com, you would create a CNAME record that maps my-domain.com to my-api.execute-api.us-east-1.amazonaws.com.

Once you have set up the DNS record, it can take some time for the changes to take effect. You can check the status of the custom domain in the API Gateway console to see when it is ready to use.

Posting here so others can benefit.