Nick Little

Seattle

Wow, I feel like I’ve finally had a chance to catch my breath and get a chance to write this blog!

Last month I was incredibly fortunate to be able to attend the AWS Ambassador Summit hosted at the Amazon HQ in Seattle, USA. I managed to wrangle some time and got to stay the weekend before and after the summit, which was a great chance to be a tourist! Some of the notable highlights of this were:

  • Seeing the Pike Place markets
  • The Seattle Wheel
  • Museum of Pop Culture (being a grunge music man, and seeing the Nirvana exhibit and Seattle Heritage was epic!)
  • Going up the Space Needle (as someone who is scared of heights, being up high in a building with a rotating centre was fun)
  • Glass Museum
  • Harbour Boat Cruise (with our authentic local Australian tour guide)
  • Green Day and Smashing Pumpkins concert at T-Mobile Arena (unforgettable)

Day 1

Having had a chance for a bit of sightseeing already, I was excited for the Day 1 arrival day festivities for Ambassador Summit. This started off with a tour of the Amazon Spheres buildings in downtown Seattle.

The Spheres are amazing, and are three stories tall, temperature and humidity controlled, and only accessible to Amazon employees (or registered guests in our case). There are so many exotic plants, and waterfalls indoors. A highlight was the bird's nest, which is a basket-like (wicker-type) structure that overlooks the building and is precariously perched off the end of a walkway. What a spot for a meeting if you ever had the chance!

Into the Management Console of the account:

Step 2

Go to the ACM service and browse to the certificate in the US East (N. Virginia) region, us-east-1. CloudFront is a global service whose control plane lives in that region, and it only accepts ACM certificates issued there, so that is where the certificate for a distribution must be:

Step 3

Click on the certificate ID and note that its status is 'Pending validation', which is to be expected in this case.

Step 4

Head to the Route 53 service in the console and delete the existing validation CNAME record, the one that matches the record listed for the certificate in ACM in the screenshot above:

Because the certificate is attached to my CloudFront distribution (it terminates TLS for the cached, edge-routed content), ACM will refuse to delete it while it is in use, so it has to be disassociated from the distribution first. Go to the CloudFront service in the console and click 'Edit' in the 'Settings' section:

In the 'Custom SSL certificate' section in CloudFront, select the option for no custom certificate to disassociate your certificate, then click 'Save changes' (bottom right). Be aware that from this point until the new certificate is attached in Step 8, HTTPS requests for your own domain name will not be answered with a matching certificate, so plan for that window:

Wait for the change to deploy to your distribution.

Step 5

Head back to the ACM console, select the certificate and click 'Delete', then click 'Request':

Step 6

On the request screen choose 'Request a public certificate' and click Next. Enter your fully qualified domain name (FQDN); mine is nlittle.com. Select 'DNS validation' and click Request:

Step 7

Once the request completes, the status is back to 'Pending validation', as it was at the beginning.

Click 'Create records in Route 53' to create the required CNAME records in one step. If your DNS is hosted with another provider you can create the records there manually, or you can validate via email instead. I like the simple integration of Route 53 as the registrar and DNS host alongside ACM managing the TLS certificates.

The default time to live (TTL) on the validation record is 300 seconds (not milliseconds), and ACM can take a few minutes after the record is resolvable to notice it. Give it some time and refresh. Voila! A fresh certificate is issued and is good to go again.

Step 8

Nearly… Don’t forget to add it back to your CloudFront distribution:

Go back to your CloudFront distribution's 'Settings' pane, click 'Edit', and the new certificate will be available to select in the 'Custom SSL certificate' list. Select it and click 'Save changes'. (Reminder: it can take a while to deploy to all the global points of presence, so go grab a beverage of your choice.)

Tip: you don't need to invalidate the distribution's cache for this. An invalidation only evicts cached objects; the TLS certificate is part of the distribution configuration and every edge serves it as soon as the deployment status reaches 'Deployed'. To confirm, open a TLS connection to your domain and check the expiry date of the certificate it presents. And we're done!
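The same Step 2 to Step 8 procedure, driven with boto3 instead of the console, as an added example (it is not code from the original post). It assumes AWS credentials with ACM, Route 53 and CloudFront permissions, and a hosted zone ID and distribution ID that you pass on the command line; `SAMPLE_DESCRIBE` is a constructed ACM response used only to exercise the two pure functions offline. Two things differ from the clicks above on purpose: the new certificate is requested and validated before the distribution is touched, so the domain is never served without a matching certificate, and the validation record is written with UPSERT because ACM hands out the same CNAME for the same domain in the same account. (If that CNAME had simply been left in the zone and the certificate stayed in use, ACM would have renewed it on its own; this script is for when that has not happened.)

```python
"""Added example, not the original post's code: ACM request, Route 53 DNS
validation and CloudFront attachment with boto3. The pure functions run
offline on a constructed sample; main() needs real credentials and IDs."""
import copy
import socket
import ssl
import sys
import time

# Constructed sample of acm.describe_certificate() shortly after a DNS-validated
# request. The shape is the ACM API's; the ARN, names and values are made up.
SAMPLE_DESCRIBE = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
    "DomainName": "example.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [{
        "DomainName": "example.com",
        "ValidationStatus": "PENDING_VALIDATION",
        "ValidationMethod": "DNS",
        "ResourceRecord": {"Name": "_a1b2c3d4.example.com.",
                           "Type": "CNAME",
                           "Value": "_e5f6a7b8.acm-validations.aws."},
    }],
}}


def validation_change_batch(describe_response, action="UPSERT", ttl=300):
    """Route 53 ChangeBatch for every validation record ACM asks for (Step 7).
    UPSERT is idempotent, which matters because ACM issues the same CNAME for
    the same domain in the same account, so the record may already exist.
    action="DELETE" expresses Step 4. TTL is in seconds."""
    changes = []
    for opt in describe_response["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if rr is None:  # email validation, or ACM has not produced the record yet
            continue
        changes.append({"Action": action, "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": ttl,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return {"Comment": "ACM DNS validation", "Changes": changes}


def with_viewer_certificate(distribution_config, certificate_arn):
    """Copy of a CloudFront DistributionConfig with ViewerCertificate pointed at
    certificate_arn (Step 8), or at the default *.cloudfront.net certificate
    when certificate_arn is None (the 'none' choice in Step 4)."""
    cfg = copy.deepcopy(distribution_config)  # leave the caller's dict alone
    if certificate_arn is None:
        cfg["ViewerCertificate"] = {"CloudFrontDefaultCertificate": True}
        return cfg
    # Guard for the commercial partition: CloudFront only accepts us-east-1 ACM certs.
    if not certificate_arn.startswith("arn:aws:acm:us-east-1:"):
        raise ValueError("CloudFront only accepts ACM certificates from us-east-1")
    cfg["ViewerCertificate"] = {"ACMCertificateArn": certificate_arn,
                                "SSLSupportMethod": "sni-only",
                                "MinimumProtocolVersion": "TLSv1.2_2021"}
    return cfg


def served_cert_not_after(host, port=443):
    """Live check that the edge presents the new certificate for this SNI name:
    returns the leaf certificate's notAfter. No cache invalidation is involved;
    the certificate changes when the distribution configuration deploys."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def main(domain, hosted_zone_id, distribution_id):
    import boto3  # imported here so the functions above run without it installed
    acm = boto3.client("acm", region_name="us-east-1")  # the region CloudFront reads
    r53, cf = boto3.client("route53"), boto3.client("cloudfront")

    # Request and validate first, then swap, so the domain is never left
    # without a matching certificate while the old one is removed.
    arn = acm.request_certificate(DomainName=domain, ValidationMethod="DNS")["CertificateArn"]
    for _ in range(10):  # ResourceRecord can lag the request by a few seconds
        desc = acm.describe_certificate(CertificateArn=arn)
        if all("ResourceRecord" in o for o in desc["Certificate"]["DomainValidationOptions"]):
            break
        time.sleep(3)
    r53.change_resource_record_sets(HostedZoneId=hosted_zone_id,
                                    ChangeBatch=validation_change_batch(desc))
    acm.get_waiter("certificate_validated").wait(CertificateArn=arn)

    resp = cf.get_distribution_config(Id=distribution_id)
    cf.update_distribution(Id=distribution_id, IfMatch=resp["ETag"],
                           DistributionConfig=with_viewer_certificate(resp["DistributionConfig"], arn))
    cf.get_waiter("distribution_deployed").wait(Id=distribution_id)
    print(domain, "serves a certificate valid until", served_cert_not_after(domain))
    # The old certificate can now be deleted in ACM; nothing references it any more.


if __name__ == "__main__":
    main(*sys.argv[1:4])  # python acm_rotate.py nlittle.com Z0123456789ABCDEFGHIJ E1A2B3C4D5E6F7
```

Run it with your domain, hosted zone ID and distribution ID (the values in the comment are placeholders). The `served_cert_not_after` check at the end is the replacement for the cache-invalidation tip: it shows the certificate actually presented by the edge for your SNI name, which is what a browser sees.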