Overview
During an Aurora upgrade, adding CNAME records for Prod and Stage environments to a SAN (Subject Alternative Name) certificate is required for a successful migration/upgrade.
Depending on your DNS configuration, you may need to create additional TXT or CNAME records in order to allow the addition of the domains to the SAN certificate.
Process
Follow these steps to complete DNS verification for adding CNAMEs to the SAN certificate:
1. Requesting the CNAME Addition
- Raise a ticket with the support team requesting that the CNAMEs be added to the SAN certificate.
- The SAN certificate needs to include the Prod and Stage environments for a successful upgrade/migration.
- The support team will intermediate the certificate upgrade with the Infrastructure Team.
2. CNAME/TXT Record for Domain Ownership Verification
- The Infrastructure Team will prepare the backend for the addition of the domains, and Support will provide you with a CNAME or TXT record that you need to add to your DNS for verification purposes.
- Depending on your DNS provider and configuration, you may need either a CNAME or a TXT record.
- For example, DigiCert supports DNS validation through a CNAME record as an alternative to a TXT record.
3. Verify and Complete Certificate Issuance
- Use DNS lookup tools to confirm the CNAME (or TXT) record is live before reporting back to Support.
- Once the record is validated, your DNS provider will issue the SAN certificate including the new domains.
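One way to do the check in step 3 from a shell, added here as an example rather than taken from the article: a POSIX sh script that compares what `dig` returns with the record Support gave you and polls until it is live. Record names, targets and tokens are constructed placeholders, and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the article): check that the validation record Support
# asked you to publish is visible in DNS. Names/tokens are constructed placeholders;
# assumes `dig` is installed.

# answer_contains ANSWER TYPE EXPECTED
# Pure check over `dig +short` output, so it can be tested without network.
# CNAME targets compare case-insensitively and ignore the trailing dot;
# TXT values compare exactly after stripping the surrounding quotes.
answer_contains() {
  answer=$1; type=$2; expected=$3
  case "$type" in
    CNAME)
      norm=$(printf '%s\n' "$answer" | tr 'A-Z' 'a-z' | sed 's/\.$//')
      want=$(printf '%s' "$expected" | tr 'A-Z' 'a-z' | sed 's/\.$//')
      ;;
    TXT)
      norm=$(printf '%s\n' "$answer" | sed 's/^"\(.*\)"$/\1/')
      want=$expected
      ;;
    *) echo "unsupported record type: $type" >&2; return 2 ;;
  esac
  [ -n "$want" ] || return 1
  # Whole-line match: a partial token or a stale target must not pass.
  printf '%s\n' "$norm" | grep -Fxq -- "$want"
}

# dns_record_matches NAME TYPE EXPECTED [SERVER]
# Live lookup. Pass your zone's authoritative nameserver as SERVER to bypass
# recursive-resolver caches (the TTL/caching caveat from the FAQ).
dns_record_matches() {
  server=$4
  answer=$(dig +short "$1" "$2" ${server:+@$server} 2>/dev/null)
  answer_contains "$answer" "$2" "$3"
}

# wait_for_record NAME TYPE EXPECTED [ATTEMPTS] [INTERVAL_SECONDS]
# Polls until the record is live or the attempts are exhausted.
wait_for_record() {
  attempts=${4:-10}; interval=${5:-30}; i=1
  while [ "$i" -le "$attempts" ]; do
    if dns_record_matches "$1" "$2" "$3"; then
      echo "OK: $2 $1 -> $3 is live (attempt $i)"; return 0
    fi
    echo "not yet: $2 $1 (attempt $i/$attempts), retrying in ${interval}s"
    sleep "$interval"; i=$((i + 1))
  done
  return 1
}
```

Typical use with placeholder values is `wait_for_record _dcv.example.com CNAME dcv.validation-ca.example`; pass the zone's authoritative nameserver as the fourth argument of `dns_record_matches` when a recursive resolver may still be serving a cached answer.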
Summary
When DNS configurations prevent the use of TXT records, CNAME-based DNS verification is a valid alternative. By publishing the required CNAME record and coordinating with the DNS team, SAN certificates can be successfully updated during Aurora upgrades.
FAQ
Q1: Why can't a TXT record be used for DNS verification?
A1: Depending on your DNS provider/configuration, the existing setup may conflict with adding a new TXT record, necessitating the use of a CNAME record instead.
Q2: Can DigiCert always accept CNAME records for DCV?
A2: Yes, DigiCert supports DNS-based domain validation via both TXT and CNAME records.
Q3: How long does DNS verification take after publishing the record?
A3: Verification is typically completed within a few minutes after the DNS record propagates, but TTL and caching can affect timing.
Ciprian Nastase