zalando-stups / senza

Deploy immutable application stacks and create and execute AWS CloudFormation templates in a sane way
https://pypi.python.org/pypi/stups-senza

Allow to choose certificate to use to avoid error "Could not find any matching SSL certificate" #165

Open kenden opened 8 years ago

kenden commented 8 years ago

When running 'senza create...', Senza asks which domain to use for the stack. It then fails because there is no certificate matching that exact domain name.

Can Senza ask which certificate to use, if none matching the domain name is found?

Repro steps:

Create configuration (command from documentation):

senza init myapp.yaml --region "eu-west-1"
Please select the project template
1) bgapp: Background app with single EC2 instance
2) postgresapp: HA Postgres app, which needs an S3 bucket to store WAL files
3) rediscluster: Elasticache cluster running multiple redis nodes, with replication / HA
4) redisnode: Elasticache node running redis, without replication / HA (for caching)
5) webapp: HTTP app with auto scaling, ELB and DNS
Please select (1-5) [5]:
Application ID [hello-world]:
Docker image without tag/version (e.g. "pierone.example.org/myteam/myapp") [stups/hello-world]:
HTTP port [8080]:
HTTP health check path [/]:
EC2 instance type [t2.micro]:
Did you need OAuth-Credentials from Mint? [y/N]:
Please select the load balancer scheme
1) internal: only accessible from the own VPC
2) internet-facing: accessible from the public internet
Please select (1-2) [1]:
Checking security group app-hello-world.. OK
Checking security group app-hello-world-lb.. OK
Checking IAM role app-hello-world.. OK
Generating Senza definition file myapp.yaml.. OK

Create stack from configuration (command from documentation):

senza create myapp.yaml 1 0.1 --region "eu-west-1"
Generating Cloud Formation template..Please select the domain
1) mywebsite.at
2) mywebsite.be
3) mywebsite.ch
4) mywebsite.com
5) mywebsite.de
6) mywebsite.es
7) mywebsite.fr
8) mywebsite.it
Please select (1-8): 4
Could not find any matching SSL certificate for "mywebsite-com"

Note: in AWS, we do not have one certificate for every domain; we have the following certs (from 'aws iam list-server-certificates'):

Is there a way to specify which certificate to use per domain?

hjacobs commented 8 years ago

@kenden you can configure the certificate and domain in the Senza definition: http://docs.stups.io/en/latest/components/senza.html#senza-weighteddnselasticloadbalancer

kenden commented 8 years ago

@hjacobs Thank you, that helps. I have to have 2 yml files then, one per certificate?

Since Senza asks for the domain, would it make sense that it asks for the certificate if

elgalu commented 8 years ago

You can still have only 1 yaml file by using Senza Parameters:

SenzaInfo:
  StackName: mywebsite
  Parameters:
    - DomainTLD:
        Description: "Top level domain to deploy to"
    - CertTLD:
        Description: "Certificate TLD to use for the domain"
# ...
- AppLoadBalancer:
    Type: Senza::WeightedDnsElasticLoadBalancer
    HTTPPort: 443
    HealthCheckPath: /
    SecurityGroups:
      - app-mywebsite-lb
    Scheme: internet-facing
    MainDomain: mywebsite.{{Arguments.DomainTLD}}
    VersionDomain: mywebsite-{{SenzaInfo.StackVersion}}.{{Arguments.DomainTLD}}
    SSLCertificateId: mywebsite.{{Arguments.CertTLD}}.2016

And pass in arguments to senza create:

# e.g. to deploy to mywebsite.at using certificate mywebsite.at.2016
senza create myapp.yaml 1 0.1 --region "eu-west-1" DomainTLD=at CertTLD=at

# e.g. to deploy to mywebsite.fr using certificate mywebsite.at.2016
senza create myapp.yaml 1 0.1 --region "eu-west-1" DomainTLD=fr CertTLD=at

# e.g. to deploy to mywebsite.de using certificate mywebsite.com.2016
senza create myapp.yaml 1 0.1 --region "eu-west-1" DomainTLD=de CertTLD=com

To avoid remembering the correct combinations you can use a Makefile to keep that logic there.
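The DomainTLD/CertTLD bookkeeping suggested above can also live in a small Python wrapper that refuses to build the `senza create` command when the mapped certificate is absent from IAM or already expired. This is an added example, not part of the thread or of Senza; the mapping table, the function names and the sample IAM listing are assumptions constructed for illustration.

```python
import datetime as dt
import shlex

# Assumed mapping: the three DomainTLD/CertTLD pairs from the comment above.
CERT_TLD_FOR_DOMAIN = {"at": "at", "fr": "at", "de": "com"}

# Constructed sample shaped like `aws iam list-server-certificates` JSON output.
SAMPLE_IAM_RESPONSE = {
    "ServerCertificateMetadataList": [
        {"ServerCertificateName": "mywebsite.at.2016",
         "Expiration": "2016-12-31T23:59:59Z"},
        {"ServerCertificateName": "mywebsite.com.2016",
         "Expiration": "2016-03-01T00:00:00Z"},
    ]
}


def usable_certs(iam_response, now):
    """Names of IAM server certificates that have not expired at `now`."""
    names = set()
    for meta in iam_response["ServerCertificateMetadataList"]:
        expires = dt.datetime.fromisoformat(
            meta["Expiration"].replace("Z", "+00:00"))
        if expires > now:
            names.add(meta["ServerCertificateName"])
    return names


def senza_create_args(domain_tld, iam_response, now):
    """Build the `senza create` argv, failing before any stack is created."""
    if domain_tld not in CERT_TLD_FOR_DOMAIN:
        raise ValueError(f"no certificate mapping for TLD {domain_tld!r}")
    cert_tld = CERT_TLD_FOR_DOMAIN[domain_tld]
    # Same naming scheme as SSLCertificateId in the definition above.
    name = f"mywebsite.{cert_tld}.2016"
    if name not in usable_certs(iam_response, now):
        raise ValueError(f"certificate {name!r} is missing or expired in IAM")
    return ["senza", "create", "myapp.yaml", "1", "0.1",
            "--region", "eu-west-1",
            f"DomainTLD={domain_tld}", f"CertTLD={cert_tld}"]


if __name__ == "__main__":
    now = dt.datetime(2016, 6, 1, tzinfo=dt.timezone.utc)
    print(shlex.join(senza_create_args("fr", SAMPLE_IAM_RESPONSE, now)))
```

The check covers only the certificate's presence and expiry in IAM. It does not confirm that the certificate's subject alternative names include the domain being deployed.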