David Carboni

Reputation: 2156

Unable to get AWS CDK ACM DNS Validated certificate to create

I seem to be unable to get an ACM DNS Validated certificate (aws-cdk 2.23.0, 2.24.0) to validate for a .info domain. It times out every time. I'm pretty sure I used this same code a few months ago successfully. I'm wondering if something has changed?

import { HostedZone } from 'aws-cdk-lib/aws-route53';
import {
  Certificate,
  CertificateValidation,
  DnsValidatedCertificate,
} from 'aws-cdk-lib/aws-certificatemanager';

// Existing hosted zone for the apex domain (id redacted)
const zone = HostedZone.fromHostedZoneAttributes(this, 'zone', {
  zoneName: 'mydomain.info',
  hostedZoneId: 'Z0xxxxxxxxx',
});

// Certificate validated via a CNAME record written into the zone
const certificate = new Certificate(this, 'certificate', {
  domainName: 'mydomain.info',
  validation: CertificateValidation.fromDns(zone),
});

// I've also tried the custom-resource based construct (renamed here so the
// two declarations and construct ids don't collide; use one or the other):
const dnsValidatedCertificate = new DnsValidatedCertificate(this, 'dnsValidatedCertificate', {
  domainName: 'mydomain.info',
  hostedZone: zone,
});

The error I get from CDK is:

Received response status [FAILED] from custom resource. Message returned: Resource is not in the state certificateValidated (RequestId: .....)

Which I'm guessing is because validation is timing out.

I can see the validation record has been created in the hosted zone:

_c66d3e7c05fac89b27b619c84677ebb5.mydomain.info CNAME   Simple  -   _7347cc5c453e83adefc9ad849cdeab8e.rdnyqppgxp.acm-validations.aws.

I'm not sure how to work out why validation is failing.

Upvotes: 1

Views: 4085

Answers (3)

Quant Freedom 1022

Reputation: 19

I have finally figured out how to actually do this ... I am using cdk 2.128.0.

This actually works because I am in ca-central-1 and I was able to do it in one stack and created a us-east-1 cert.

You can check out the GitHub code here: https://github.com/quantfreedom/aws_cdk_testing/blob/main/amazon_cdk/frontend/www.py

If that doesn't work, here is a gist of the current working version: https://gist.github.com/quantfreedom/e71267553edc8e0760e88d48ad8b45a7

I watched this YouTube video to get an understanding of what is going on and why I am doing the things I am doing: https://www.youtube.com/watch?v=p6Os-_t0gEs

And here is their GH code: https://github.com/Durgaprasad-Budhwani/hands-on-aws-cdk-lab/blob/main/ts/cloudfront/lib/cloudfront-stack.ts

Also, here is a link to my GitHub repo where I am just testing out different AWS stacks: https://github.com/quantfreedom/aws_cdk_testing/tree/main

Upvotes: 0

Bill_BsB

Reputation: 314

Here's an updated code snippet taken from GitHub

import * as route53 from 'aws-cdk-lib/aws-route53';
import * as acm from 'aws-cdk-lib/aws-certificatemanager';

// Look up the existing hosted zone by domain name (requires env.account/region on the stack)
const hostedZone = route53.HostedZone.fromLookup(this, 'HostedZone', {
  domainName: 'acme.com'
});

// Creates a new certificate for a sub-domain of the hosted zone, validated via DNS
const certificate = new acm.Certificate(this, 'Certificate', {
  domainName: 'dev.acme.com',
  validation: acm.CertificateValidation.fromDns(hostedZone)
});

And here is more info: https://github.com/aws/aws-cdk/issues/2914#issuecomment-958813224

Upvotes: 0

zessx

Reputation: 68790

ℹ️ DnsValidatedCertificate is deprecated since 2.62.0. You should now use the Certificate class. For cross-region certificates (where you define the region, for example with CloudFront certificates that HAVE to be in us-east-1), have a look at this example.

This code is exactly what you need, you're right:

const zone = HostedZone.fromHostedZoneAttributes(this, 'zone', {
  zoneName: 'mydomain.info',
  hostedZoneId: 'Z0xxxxxxxxx',
});

const certificate = new DnsValidatedCertificate(this, 'certificate', {
  domainName: 'mydomain.info',
  hostedZone: zone,
});

  1. The record being created means that your Route53 Zone has been found.
  2. The validation failing means that your domain's public DNS does not show this record.

My guess is that you created your Route53 Zone without changing your domain's NS records. You can manually check it:

host -t CNAME _c66d3e7c05fac89b27b619c84677ebb5.mydomain.info
# Should output this:
# _7347cc5c453e83adefc9ad849cdeab8e.rdnyqppgxp.acm-validations.aws.

If you've got a "Host not found" error, bingo!

Retrieve your Route53 Zone name servers (there should be 4 of them, looking like ns-*.awsdns-*.*); you can find them easily at the top of the zone detail page.

In mydomain.info's original zone (where you registered the domain), put this list of name servers in an NS record, and retry your ACM Certificate creation. You can check whether the delegation is effective with the following command:

$ host -t NS mydomain.info
# mydomain.info name server ns-123.awsdns-01.net.
# mydomain.info name server ns-45.awsdns-23.co.uk.
# mydomain.info name server ns-67.awsdns-45.com.
# mydomain.info name server ns-89.awsdns-67.org.

Upvotes: 4
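The two checks in this answer (is the apex delegated to the Route 53 zone's name servers, and does the validation CNAME resolve publicly to the ACM target) as a small diagnostic script. This is an added example, not code from the question or the answer; it shells out to `host` as the answer does, and the names, name servers and `host` output samples used in the parsing helpers are constructed placeholders.

```python
"""Diagnose why an ACM DNS validation record is not visible publicly, following
the two checks above: is the apex delegated to the Route 53 zone's name
servers, and does the validation CNAME resolve to the ACM target? Lookups use
`host` (as the answer does); parsing and verdict logic are pure functions so
they can run on constructed sample output. All names are placeholders."""
import subprocess
import sys

def run_host(rtype, name):
    """stdout+stderr of `host -t <rtype> <name>` (needs network access)."""
    p = subprocess.run(["host", "-t", rtype, name], capture_output=True, text=True)
    return p.stdout + p.stderr

def norm(name):
    """Lower-case, strip whitespace and the trailing dot for reliable comparison."""
    return name.strip().lower().rstrip(".")

def parse_ns(output):
    """Name servers from lines like 'mydomain.info name server ns-1.awsdns-01.net.'"""
    return {norm(p[3]) for p in (l.split() for l in output.splitlines())
            if len(p) >= 4 and p[1:3] == ["name", "server"]}

def parse_cname(output):
    """Target from 'x is an alias for y.'; None if not found (e.g. NXDOMAIN)."""
    for parts in (l.split() for l in output.splitlines()):
        if "alias" in parts and "for" in parts:
            return norm(parts[-1])
    return None

def diagnose(route53_ns, public_ns_output, cname_output, expected_target):
    """Return a verdict naming the first check that fails."""
    expected = {norm(n) for n in route53_ns}
    public = parse_ns(public_ns_output)
    if not public:
        return "no public NS delegation found for the apex domain"
    if not expected & public:
        return f"apex is delegated elsewhere: public NS {sorted(public)}"
    if expected != public:
        return "partial delegation: public NS set differs from the Route 53 NS set"
    target = parse_cname(cname_output)
    if target is None:
        return "validation CNAME not resolvable publicly (propagation or missing record)"
    if target != norm(expected_target):
        return f"validation CNAME points at {target}, expected {norm(expected_target)}"
    return "ok: delegation and validation CNAME are publicly visible"

if __name__ == "__main__":  # usage: script.py apex validation-name expected-target ns1 ns2 ...
    apex, vname, vtarget, *r53 = sys.argv[1:]
    print(diagnose(r53, run_host("NS", apex), run_host("CNAME", vname), vtarget))
```

Pass the four name servers shown on the Route 53 zone page as the trailing arguments; the verdict distinguishes a registrar still pointing elsewhere from a record that simply has not propagated yet.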