Synthetiq serves all traffic over HTTPS and requires two wildcard ACM certificates in your AWS account. They are a prerequisite: issue them before provisioning, through whatever process you normally use for certificates. The CLI never creates them.

What you need

The certificates cover your base domain — the domain in _infra/synthetiq.yaml, under which every app is served (my-app.apps.yourcompany.com). For apps.yourcompany.com:
Certificate | Covers                                                  | Region
CDN         | *.apps.yourcompany.com and apps.yourcompany.com (apex)  | us-east-1 (required by CloudFront)
API         | *.api.apps.yourcompany.com                              | Your infrastructure region

A wildcard does not cover the bare domain, so request the CDN certificate with the apex as an additional name (in ACM: a subject alternative name). A wildcard-only certificate fails verification when synthetiq infra generate runs.

Use DNS validation: ACM gives you one CNAME per certificate to create at your DNS provider (see DNS). Issuance completes within minutes of the records appearing, and the records also drive auto-renewal.

Add the ARNs to your config

Once both certificates are ISSUED, get the ARNs into _infra/synthetiq.yaml any of these ways:
  • Run synthetiq infra init with AWS credentials — it discovers issued certificates for the domain automatically.
  • Pass them: synthetiq infra init --cdn-cert-arn <arn> --api-cert-arn <arn> (offline init prompts for them).
  • Edit the certs: block directly.
synthetiq infra generate verifies both at plan time — issued, correct region, covering the required names — and fails with the specific reason if not. If you run init before the certificates exist, it stops and prints what’s needed.
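
A local pre-check of the same three conditions (issued, correct region, covering the required names) can catch a wildcard-only CDN certificate before generate does. This is an added example, not Synthetiq's own code: it inspects the Certificate object returned by aws acm describe-certificate, and the account ID, certificate IDs and the eu-west-1 infrastructure region are constructed placeholders.

```python
# Added example, not Synthetiq code. Each dict mimics the "Certificate" object
# returned by `aws acm describe-certificate`; all values below are constructed.

def covers(pattern, name):
    """True if certificate name `pattern` (exact or wildcard) covers `name`.
    A wildcard stands for exactly one leftmost label, so it never covers the apex."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == name

def check_cert(cert, required_names, required_region):
    """Return a list of problems; an empty list means the certificate passes."""
    problems = []
    if cert.get("Status") != "ISSUED":
        problems.append(f"status is {cert.get('Status')}, not ISSUED")
    # ARN layout: arn:aws:acm:<region>:<account>:certificate/<id>
    region = cert["CertificateArn"].split(":")[3]
    if region != required_region:
        problems.append(f"region is {region}, expected {required_region}")
    names = {cert.get("DomainName"), *cert.get("SubjectAlternativeNames", [])} - {None}
    for required in required_names:
        if not any(covers(n, required) for n in names):
            problems.append(f"does not cover {required}")
    return problems

ARN = "arn:aws:acm:{}:111122223333:certificate/EXAMPLE-{}"  # placeholder account/id
CDN_NAMES = ["*.apps.yourcompany.com", "apps.yourcompany.com"]
API_NAMES = ["*.api.apps.yourcompany.com"]

CDN_WILDCARD_ONLY = {"CertificateArn": ARN.format("us-east-1", "cdn-1"), "Status": "ISSUED",
    "DomainName": "*.apps.yourcompany.com",
    "SubjectAlternativeNames": ["*.apps.yourcompany.com"]}
CDN_WITH_APEX = {**CDN_WILDCARD_ONLY,
    "SubjectAlternativeNames": ["*.apps.yourcompany.com", "apps.yourcompany.com"]}
# Requested in the wrong region and not yet validated (eu-west-1 is assumed below)
API_PENDING = {"CertificateArn": ARN.format("us-east-1", "api-1"),
    "Status": "PENDING_VALIDATION", "DomainName": "*.api.apps.yourcompany.com",
    "SubjectAlternativeNames": ["*.api.apps.yourcompany.com"]}

if __name__ == "__main__":
    for label, cert, names, region in [
        ("CDN wildcard only", CDN_WILDCARD_ONLY, CDN_NAMES, "us-east-1"),
        ("CDN with apex", CDN_WITH_APEX, CDN_NAMES, "us-east-1"),
        ("API", API_PENDING, API_NAMES, "eu-west-1"),
    ]:
        print(label, "->", check_cert(cert, names, region) or "OK")
```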

Renewal

ACM auto-renews DNS-validated certificates as long as the validation CNAMEs remain in your DNS, and the ARN never changes. This is one-time setup; you won’t revisit it unless you change your domain.