
Xonar – DNS & SSL Certificate Management (AWS ACM + Hover)

  1. Purpose

This Knowledge Base documents how DNS and SSL/TLS certificates are managed for Xonar.

SSL certificates are issued and auto-renewed through AWS Certificate Manager (ACM) using DNS validation, with Hover as the DNS provider.

The document highlights administrator responsibilities, critical risks, and recovery steps to prevent certificate expiration and service outages.

  2. Scope

This KB applies to:

- Xonar production and non-production domains

- DNS management in Hover

- SSL/TLS certificate management in AWS ACM

  3. Prerequisites & Access Control

DNS access is managed through Hover using generic credentials stored in 1Password.

Because a shared login is used, individual activity is not visible in Hover.

Administrative controls:

- Ensure authorized admins are listed as Administrators in 1Password

- Ensure admins understand the account recovery process

- All access auditing relies on 1Password access logs

  4. System Overview

Certificate Authority: AWS Certificate Manager (ACM)

DNS Provider: Hover (hover.com)

Validation Method: DNS Validation

Xonar SSL certificates are fully managed in AWS and configured for automatic renewal.

  5. DNS & SSL Architecture Overview

AWS uses DNS-based validation to confirm domain ownership.

Since DNS is hosted on Hover (not Route 53), validation depends on CNAME records created in Hover.

These DNS records do not impact application traffic and exist solely for certificate validation.

  6. Technical Mechanism – DNS Validation

When a certificate is requested or renewed:

- AWS generates a unique CNAME record
  - Record Name: AWS-generated token (example: _x1.example.com)
  - Record Value: AWS validation target (example: _x2.acm-validations.aws)

- The CNAME record is manually added to Hover

- AWS queries the record to verify domain ownership

- Successful validation allows certificate issuance or renewal

  7. Automated Certificate Renewal

AWS automatically attempts to renew certificates approximately 60 days before expiration.

Auto-renewal succeeds when:

- The validation CNAME record remains present in Hover

- The certificate is actively in use

No manual approval is required if validation records remain unchanged.

Wildcard certificates use a single validation CNAME to cover the base domain and all subdomains.
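The mechanism in sections 6 and 7 can be checked rather than assumed. The following Python script is an added example (not part of this KB and not AWS tooling): it takes the `DomainValidationOptions` from an ACM `describe-certificate` response together with a Hover record export and reports every validation CNAME that is missing or points at the wrong target, which is precisely the state in which auto-renewal fails silently. The certificate and zone data are constructed samples using the placeholder tokens from this document; `fetch_certificate` uses the real boto3 `describe_certificate` call but is not exercised offline.

```python
"""
Check that the CNAME records ACM expects for DNS validation are present in a
Hover zone export with the exact expected values. All sample data below is
constructed for illustration; the tokens are placeholders, not real ACM output.
"""

# Constructed sample shaped like Certificate.DomainValidationOptions from the
# ACM describe-certificate response. The wildcard SAN reuses the base domain's
# validation record, which is why one CNAME covers both entries.
SAMPLE_ACM_CERTIFICATE = {
    "DomainName": "example.com",
    "DomainValidationOptions": [
        {
            "DomainName": "example.com",
            "ValidationMethod": "DNS",
            "ResourceRecord": {
                "Name": "_x1.example.com.",
                "Type": "CNAME",
                "Value": "_x2.acm-validations.aws.",
            },
        },
        {
            "DomainName": "*.example.com",
            "ValidationMethod": "DNS",
            "ResourceRecord": {
                "Name": "_x1.example.com.",
                "Type": "CNAME",
                "Value": "_x2.acm-validations.aws.",
            },
        },
    ],
}

# Constructed sample of a Hover zone as (name, type, value) rows. Hover shows
# hostnames relative to the apex; the checker normalises both sides.
SAMPLE_HOVER_ZONE = [
    ("@", "A", "203.0.113.10"),
    ("www", "CNAME", "example.com"),
    ("_x1", "CNAME", "_x2.acm-validations.aws"),
]


def normalise(name, zone_apex):
    """Return a lower-case fully qualified name without a trailing dot."""
    name = name.strip().lower().rstrip(".")
    apex = zone_apex.strip().lower().rstrip(".")
    if name in ("", "@"):
        return apex
    if name == apex or name.endswith("." + apex):
        return name
    return f"{name}.{apex}"


def expected_validation_records(certificate):
    """Map each ACM validation CNAME name to its required value. The dict
    deduplicates, so a wildcard SAN sharing the base record appears once."""
    expected = {}
    for option in certificate["DomainValidationOptions"]:
        record = option.get("ResourceRecord")
        if not record or record.get("Type") != "CNAME":
            continue
        name = record["Name"].strip().lower().rstrip(".")
        expected[name] = record["Value"].strip().lower().rstrip(".")
    return expected


def check_validation_records(certificate, zone, zone_apex):
    """Return {record_name: problem} for every expected validation CNAME that is
    absent from the zone or points elsewhere. An empty dict means the DNS side
    of auto-renewal is intact."""
    zone_cnames = {
        normalise(name, zone_apex): value.strip().lower().rstrip(".")
        for name, rtype, value in zone
        if rtype.upper() == "CNAME"
    }
    problems = {}
    for name, value in expected_validation_records(certificate).items():
        actual = zone_cnames.get(name)
        if actual is None:
            problems[name] = "missing"
        elif actual != value:
            problems[name] = f"wrong value: {actual} (expected {value})"
    return problems


def fetch_certificate(certificate_arn):
    """Fetch the live certificate description with boto3 (needs AWS credentials).
    Not exercised by the constructed samples above."""
    import boto3  # imported lazily so the rest of the module runs offline
    return boto3.client("acm").describe_certificate(
        CertificateArn=certificate_arn)["Certificate"]


if __name__ == "__main__":
    result = check_validation_records(SAMPLE_ACM_CERTIFICATE, SAMPLE_HOVER_ZONE, "example.com")
    print("validation records intact" if not result else result)
```

Run it against a real certificate by replacing `SAMPLE_ACM_CERTIFICATE` with `fetch_certificate(arn)` and `SAMPLE_HOVER_ZONE` with the rows from the Hover DNS page; a non-empty result is the signal that a renewal will fail even though the current certificate still works.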

 

  8. Critical Risk Areas

High-Risk Activity: DNS Changes

Removing or modifying validation CNAME records will break the auto-renewal process.

Impact:

- Certificate continues to function until expiration

- Auto-renewal fails silently

Consequence:

- SSL warnings

- HTTPS failures

- Potential Xonar service outages

  9. Recovery & Remediation Procedures

9.1 New Certificate Creation

 

If renewal fails or a new certificate is required:

  1. Request a new certificate in AWS Certificate Manager
  2. Copy the validation CNAME Name and Value
  3. Log in to Hover using credentials from 1Password
  4. Add the CNAME record to DNS
  5. Wait up to 72 hours for validation to complete

9.2 DNS Provider Migration

If Xonar DNS is migrated to a new provider:

- All AWS validation CNAME records must be copied exactly

- Missing records will break future auto-renewals

  10. Admin Guidelines & Best Practices

Do:

- Preserve all CNAME records starting with '_' and pointing to acm-validations.aws

- Cross-check unknown DNS records with AWS ACM before removal

Do Not:

- Delete or modify validation CNAME records

- Assume unused-looking records are safe to remove
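As an added example (not part of this KB), the following Python helpers turn the rules above, and the migration requirement in 9.2, into checks an admin can run over a zone export before a clean-up or after a provider move. A record is treated as protected when it is a CNAME whose name starts with `_` and whose value sits under `acm-validations.aws`; a migration diff lists every protected record the new provider is missing or has altered. The zone rows, the `example.com` apex and the `_x3`/`_x4` tokens are constructed samples.

```python
"""
Zone audit helpers for ACM validation CNAMEs: identify the records that must
never be removed, split a proposed clean-up list into safe and protected
entries, and diff two providers' zones after a migration. Records are
(name, type, value) rows; all sample data is constructed.
"""

ACM_VALIDATION_SUFFIX = ".acm-validations.aws"

# Constructed sample of the current Hover zone (names relative to the apex).
SAMPLE_SOURCE_ZONE = [
    ("@", "A", "203.0.113.10"),
    ("www", "CNAME", "example.com"),
    ("_x1", "CNAME", "_x2.acm-validations.aws"),
    ("_x3.staging", "CNAME", "_x4.acm-validations.aws"),
    ("_dmarc", "TXT", "v=DMARC1; p=reject"),
    ("old-blog", "CNAME", "ghs.googlehosted.com"),
]

# Constructed sample of the zone after migration to a provider that exports
# fully qualified names. The staging validation record was not carried over.
SAMPLE_TARGET_ZONE = [
    ("example.com.", "A", "203.0.113.10"),
    ("www.example.com.", "CNAME", "example.com."),
    ("_x1.example.com.", "CNAME", "_x2.acm-validations.aws."),
]


def fqdn(name, apex):
    """Canonical lower-case FQDN without a trailing dot; '@' or '' is the apex.
    Needed because Hover stores relative names while other providers export FQDNs."""
    name, apex = name.strip().lower().rstrip("."), apex.strip().lower().rstrip(".")
    if name in ("", "@"):
        return apex
    if name == apex or name.endswith("." + apex):
        return name
    return f"{name}.{apex}"


def is_acm_validation_record(name, rtype, value):
    """True for a CNAME whose name starts with '_' and whose target is under
    acm-validations.aws: the shape of a record that must be preserved."""
    return (
        rtype.upper() == "CNAME"
        and name.strip().lower().startswith("_")
        and value.strip().lower().rstrip(".").endswith(ACM_VALIDATION_SUFFIX)
    )


def protected_records(zone):
    """All ACM validation CNAMEs in a zone export."""
    return [record for record in zone if is_acm_validation_record(*record)]


def review_removal(zone, names_to_remove, apex):
    """Split a proposed removal list into (safe, protected). Protected entries
    are ACM validation CNAMEs and should be cross-checked in ACM, not deleted."""
    wanted = {fqdn(name, apex) for name in names_to_remove}
    safe, protected = [], []
    for record in zone:
        if fqdn(record[0], apex) in wanted:
            (protected if is_acm_validation_record(*record) else safe).append(record)
    return safe, protected


def migration_gaps(source_zone, target_zone, apex):
    """Return {fqdn: reason} for each validation CNAME in the source provider
    that the target provider is missing or has altered; every entry will break
    a future auto-renewal."""
    target = {
        fqdn(name, apex): value.strip().lower().rstrip(".")
        for name, rtype, value in target_zone
        if rtype.upper() == "CNAME"
    }
    gaps = {}
    for name, _, value in protected_records(source_zone):
        key = fqdn(name, apex)
        want = value.strip().lower().rstrip(".")
        got = target.get(key)
        if got is None:
            gaps[key] = "missing in target"
        elif got != want:
            gaps[key] = f"value differs: {got} != {want}"
    return gaps


if __name__ == "__main__":
    print("protected:", protected_records(SAMPLE_SOURCE_ZONE))
    print("removal review:", review_removal(SAMPLE_SOURCE_ZONE, ["old-blog", "_x1"], "example.com"))
    print("migration gaps:", migration_gaps(SAMPLE_SOURCE_ZONE, SAMPLE_TARGET_ZONE, "example.com"))
```

The pattern check matches the KB's own rule and is deliberately conservative: a CNAME that looks like a validation record is kept even if ACM no longer lists it, and the final word on whether it is still needed comes from cross-checking ACM, not from the name alone.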

 

  11. Key Takeaway

Xonar SSL auto-renewal depends entirely on DNS validation records. As long as validation CNAME entries remain in Hover, AWS will automatically renew certificates.