eugene

Reputation: 41665

AWS certificate renewal failed, problem trying to update CNAME records

I received an email from AWS:

To renew this certificate, you must ensure that the proper CNAME records are present in your DNS configuration for each domain listed below

So I went to https://ap-northeast-2.console.aws.amazon.com/acm/, grabbed the CNAME, and tried to create a CNAME record in Route 53.

It fails with message

[RRSet of type CNAME with DNS name example.kr. is not permitted at apex in zone example.kr.]

I have an A record for example.kr which I created by following the directions in https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

The question "RRSet of type CNAME with DNS name foo.com. is not permitted at apex in zone bar.com" says I'm getting the error message because I have an SOA record for the domain. I have no idea why I have this record, or whether I need it or not.

Can I simply delete the SOA record and proceed, or should I take different steps?

Upvotes: 2

Views: 985

Answers (2)

Sanim16

Reputation: 319

You need to go to AWS Certificate Manager, select "List certificates", and select the certificate in need of renewal. Under Domains, click the button "Create records in Route 53". This takes you to a new page where you click "Create Records".

It typically takes DNS 30 minutes to propagate the record, and it might take several hours for Amazon to validate it and issue the certificate.

You can also check this blog post for more info.

Upvotes: 0

Chris Williams

Reputation: 35146

It seems to me that the error you're seeing is because you're setting a CNAME on your root record (referred to as the apex record). This should be an A record (or an Alias record in Route 53 when possible).

For validating your certificate via CNAME, you will be given both a CNAME record name and a value.

The CNAME record should start with an underscore followed by a large hash such as

_a79865eb4cd1a6ab990a45779b4e0b96.yourdomain.com.

If using Route 53, you should only need to enter _a79865eb4cd1a6ab990a45779b4e0b96 as the domain name of type CNAME.

You would then have a value similar to _x2.acm-validations.aws. (including the trailing dot); this would need to be your value.

Upvotes: 1
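As an added illustration of both answers above (this is not code from the question, the answers, or AWS), the script below turns an ACM validation name and value into the Route 53 change batch that `aws route53 change-resource-record-sets` accepts, and first runs the check that the console skipped for the asker: a validation CNAME must live at `_<hash>.<zone>`, never at the zone apex where the SOA and NS records already sit. The hosted zone `example.kr`, the `_a79865eb4cd1a6ab990a45779b4e0b96` name and the `_x2.acm-validations.aws.` value are taken from the page as constructed sample input; the function names are my own.

```python
"""Build a Route 53 change batch for an ACM DNS-validation CNAME.

Added example, not AWS or Route 53 code. Sample zone, record name and value are
constructed from the values quoted in the answers above.
"""
import json
from typing import Optional


def fqdn(name: str) -> str:
    """Lower-case the name and make sure it ends with the root dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def qualify(name: str, zone: str) -> str:
    """Return `name` fully qualified within `zone`.

    ACM shows the validation name as "_hash.example.kr." while the Route 53
    console form only wants the "_hash" part; accept either form.
    """
    zone, name = fqdn(zone), fqdn(name)
    if name == zone or name.endswith("." + zone):
        return name
    return name + zone  # "_hash." + "example.kr." -> "_hash.example.kr."


def check_acm_validation_record(zone: str, name: str, value: str) -> Optional[str]:
    """Return a reason the record would be rejected, or None if it looks right."""
    zone, value = fqdn(zone), fqdn(value)
    name = qualify(name, zone)
    if name == zone:
        # The error from the question: SOA and NS already live at the apex,
        # and a CNAME cannot coexist with any other record at the same name.
        return f"CNAME at apex {zone} is not permitted; use the _<hash> name ACM gave you"
    if not name.split(".")[0].startswith("_"):
        return f"{name} does not look like an ACM validation name (expected _<hash>.{zone})"
    if not value.endswith(".acm-validations.aws."):
        return f"{value} does not point under acm-validations.aws"
    return None


def acm_validation_change(zone: str, name: str, value: str, ttl: int = 300) -> dict:
    """Return an UPSERT change batch for the validation CNAME, or raise ValueError."""
    problem = check_acm_validation_record(zone, name, value)
    if problem:
        raise ValueError(problem)
    return {
        "Comment": "ACM DNS validation record",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": qualify(name, zone),
                    "Type": "CNAME",
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": fqdn(value)}],
                },
            }
        ],
    }


if __name__ == "__main__":
    ZONE = "example.kr"                                # constructed sample zone
    NAME = "_a79865eb4cd1a6ab990a45779b4e0b96"         # name quoted in the answer
    VALUE = "_x2.acm-validations.aws."                 # value quoted in the answer

    # The mistake behind the question: entering the bare domain as the record name.
    print("apex attempt:", check_acm_validation_record(ZONE, ZONE, VALUE))

    # The correct record; save this JSON and pass it to
    #   aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID> --change-batch file://batch.json
    print(json.dumps(acm_validation_change(ZONE, NAME, VALUE), indent=2))
```

The apex check is the important part: Route 53 would have refused the same CNAME the asker tried, so running the check locally reproduces the error before any API call, and the UPSERT action makes the batch safe to re-run at the next renewal because the record name ACM hands out stays the same for the same domain.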
