chenny

Reputation: 951

AWS ACM certificate created with terraform can't be validated, domain doesn't have valid NS (?)

I have a domain generated and managed with AWS Route53. This domain has been manually created but the rest of the infrastructure is created using terraform in different regions to avoid the initial FARGATE CPU limit.

The infrastructure is updated using a GitHub action.

I am trying to create a dev environment in eu-north-1 but terraform apply fails after 1H+ of aws_acm_certificate_validation.default: Still creating... [***h***5m0s elapsed] with this error:

│ Error: waiting for ACM Certificate (arn:aws:acm:***:***:certificate***7a0***bccb-0c***7-***776-ab9***-***e670b6a38f***) to be issued: timeout while waiting for state to become 'ISSUED' (last state: 'PENDING_VALIDATION', timeout: ***h***5m0s)
│ 
│   with aws_acm_certificate_validation.default,
│   on aws-acm.tf line ***, in resource "aws_acm_certificate_validation" "default":
│   ***: resource "aws_acm_certificate_validation" "default" {
│ 
╵
╷
│ Error: creating ELBv2 Listener (arn:aws:elasticloadbalancing:***:***:loadbalancer***app***-legacy-dev-alb***7***e5baa5dab6d3e6): UnsupportedCertificate: The certificate 'arn:aws:acm:***:***:certificate***7a0***bccb-0c***7-***776-ab9***-***e670b6a38f***' must have a fully-qualified domain name, a supported signature, and a supported key size.
│    status code: ***00, request id: 3***f5a0e9-c***ac-***fd3-aed0-60ba39***0590***
│ 
│   with aws_lb_listener.https_listener,
│   on aws-alb.tf line 70, in resource "aws_lb_listener" "https_listener":
│   70: resource "aws_lb_listener" "https_listener" {

I think the second error is just related to the first one, because the certificate isn't correctly in issued status. It's a little bit hard to read, but the error says: waiting for ACM Certificate to be issued: timeout while waiting for state to become 'ISSUED' (last state: 'PENDING_VALIDATION', timeout: ...).

This is part of terraform code related to the certificate:

# Wildcard certificate for the root domain and all its subdomains, validated via DNS.
resource "aws_acm_certificate" "default" {
  domain_name               = var.root_domain_name
  subject_alternative_names = ["*.${var.root_domain_name}"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# Waits until ACM sees the validation CNAME and the certificate becomes ISSUED;
# this is the resource that timed out. local.validation_record_fqdns is defined
# elsewhere in the configuration and is not shown in the question.
resource "aws_acm_certificate_validation" "default" {
  certificate_arn         = aws_acm_certificate.default.arn
  validation_record_fqdns = local.validation_record_fqdns
}

# Application record: points the environment's hostname at the load balancer.
resource "aws_route53_record" "default" {
  name    = "${local.resource_prefix}.${var.root_domain_name}"
  type    = "CNAME"
  zone_id = var.route53_record_zone_id
  records = [aws_lb.main.dns_name]
  ttl     = 60

  depends_on = [aws_lb.main]
}

# DNS validation record taken from the certificate's first domain_validation_options
# entry (the apex and the wildcard SAN share the same validation CNAME).
resource "aws_route53_record" "acm_validation" {
  name    = tolist(aws_acm_certificate.default.domain_validation_options)[0].resource_record_name
  type    = "CNAME"
  zone_id = var.route53_record_zone_id
  records = [tolist(aws_acm_certificate.default.domain_validation_options)[0].resource_record_value]
  ttl     = 300

  depends_on = [aws_acm_certificate.default]
}

I tried to add the CNAME record manually, and also via the AWS console's "Create records in Route 53" button, but the certificate is still pending.

[screenshot]

This is the record entry in Route 53:

[screenshot of the record entry in Route 53]

Is there a way to trigger again this verification and fix the problem?

UPDATE:

Tried like in the terraform docs but same result.

I am starting to think there's a DNS problem with my domain. The domain should have been registered directly in AWS (I didn't do it), and when I use online nslookup tools like this (or this) and input the domain I am working with, I can't get the NS; instead I get the ones for another domain that my company owns.

Is there something wrong with the domain instead?

Domain info:

[screenshot of the domain info]

Upvotes: 0

Views: 1480

Answers (1)

Rakeshkumar Taninki

Reputation: 198

Requests for ACM certificates time out if they are not validated within 72 hours. To correct this condition, open the console, find the record for the certificate, click the checkbox for it, choose Actions, and choose Delete. Then choose Actions and Request a certificate to begin again. For more information, see DNS validation or Email validation. We recommend that you use DNS validation if possible.

Please check this link from the AWS Knowledge center

If the hosted zone is destroyed and re-provisioned, new name server records are associated with the new hosted zone. However, the domain name might still have the previous name server records associated with it.

If AWS Route 53 is used as the domain name registrar, head to Route 53 > Registered domains > ${your-domain-name} > Add or edit name servers and add the newly associated name server records from the hosted zone to the registered domain.

Upvotes: -2
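Putting the asker's configuration and the answer's fix together, here is an added example (not code from the question, the answer, or the Terraform AWS provider docs). It reads the current hosted zone, copies that zone's name servers onto the registered domain with aws_route53domains_registered_domain so that public resolvers are delegated to the zone where the validation CNAME lives, creates one validation record per domain_validation_options entry, and only then waits for issuance. The domain name "example.com", the region and the provider alias are placeholders; the example assumes the domain is registered with Route 53 Domains in the same account.

```hcl
# Added example, not the asker's or answerer's code.
# Assumes: a public hosted zone for var.root_domain_name already exists, and the
# domain is registered with Route 53 Domains in this account. Names are placeholders.
variable "root_domain_name" {
  type    = string
  default = "example.com" # placeholder domain
}

provider "aws" {
  region = "eu-north-1"
}

# Route 53 Domains is a global service whose API is served from us-east-1.
provider "aws" {
  alias  = "global"
  region = "us-east-1"
}

# The hosted zone the validation records will be written to.
data "aws_route53_zone" "root" {
  name         = var.root_domain_name
  private_zone = false
}

# The answer's scenario: the registrar still lists the name servers of an
# earlier hosted zone. Set the registered domain's NS to the current zone's
# NS set so resolvers reach the zone that holds the validation CNAME.
resource "aws_route53domains_registered_domain" "root" {
  provider    = aws.global
  domain_name = var.root_domain_name

  dynamic "name_server" {
    for_each = data.aws_route53_zone.root.name_servers
    content {
      name = name_server.value
    }
  }
}

resource "aws_acm_certificate" "default" {
  domain_name               = var.root_domain_name
  subject_alternative_names = ["*.${var.root_domain_name}"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# One record per validation option, keyed by domain_name (known at plan time).
# The apex and the wildcard SAN share the same validation CNAME, so both keys
# produce the same record; allow_overwrite keeps that from being a conflict.
resource "aws_route53_record" "acm_validation" {
  for_each = {
    for dvo in aws_acm_certificate.default.domain_validation_options :
    dvo.domain_name => {
      name  = dvo.resource_record_name
      type  = dvo.resource_record_type
      value = dvo.resource_record_value
    }
  }

  allow_overwrite = true
  zone_id         = data.aws_route53_zone.root.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.value]

  # The CNAME only helps once the registrar delegates to this zone.
  depends_on = [aws_route53domains_registered_domain.root]
}

# Block until ACM reports ISSUED; fail fast rather than waiting the default 75m
# if delegation is still wrong.
resource "aws_acm_certificate_validation" "default" {
  certificate_arn         = aws_acm_certificate.default.arn
  validation_record_fqdns = [for r in aws_route53_record.acm_validation : r.fqdn]

  timeouts {
    create = "30m"
  }
}
```

Before applying, the mismatch the answer describes is visible from outside AWS: the NS set returned by a public resolver for the registered domain (for example `dig NS example.com`) should be identical, ignoring trailing dots and case, to the name_servers attribute of the hosted zone; if it is not, no validation CNAME written into that zone will ever be seen by ACM, and the certificate stays in PENDING_VALIDATION regardless of how the record is created.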
