Unable to get AWS CDK ACM DNS Validated certificate to create

I seem to be unable to get an ACM DNS Validated certificate (aws-cdk 2.23.0, 2.24.0) to validate for a .info domain. It times out every time. I'm pretty sure I used this same code a few months ago successfully. I'm wondering if something has changed?

import { HostedZone } from 'aws-cdk-lib/aws-route53';
import { Certificate, CertificateValidation, DnsValidatedCertificate } from 'aws-cdk-lib/aws-certificatemanager';

const zone = HostedZone.fromHostedZoneAttributes(this, 'zone', {
  zoneName: 'mydomain.info',
  hostedZoneId: 'Z0xxxxxxxxx',
});

const certificate = new Certificate(this, 'certificate', {
  domainName: 'mydomain.info',
  validation: CertificateValidation.fromDns(zone),
});

// I've also tried this in place of the Certificate above:
const certificate = new DnsValidatedCertificate(this, 'certificate', {
  domainName: 'mydomain.info',
  hostedZone: zone,
});

The error I get from CDK is:

Received response status [FAILED] from custom resource. Message returned: Resource is not in the state certificateValidated (RequestId: .....)

Which I'm guessing is because validation is timing out.

I can see the validation record has been created in the hosted zone:

_c66d3e7c05fac89b27b619c84677ebb5.mydomain.info CNAME   Simple  -   _7347cc5c453e83adefc9ad849cdeab8e.rdnyqppgxp.acm-validations.aws.

I'm not sure how to work out why validation is failing.

Solution 1:

This code is exactly what you need, you're right:

import { HostedZone } from 'aws-cdk-lib/aws-route53';
import { DnsValidatedCertificate } from 'aws-cdk-lib/aws-certificatemanager';

const zone = HostedZone.fromHostedZoneAttributes(this, 'zone', {
  zoneName: 'mydomain.info',
  hostedZoneId: 'Z0xxxxxxxxx',
});

const certificate = new DnsValidatedCertificate(this, 'certificate', {
  domainName: 'mydomain.info',
  hostedZone: zone,
});

  1. The record being created means that your Route53 Zone has been found.
  2. The validation failing means that your domain's public DNS does not show this record.

My guess is that you created your Route53 Zone without changing your domain's NS records. You can manually check it:

host -t CNAME _c66d3e7c05fac89b27b619c84677ebb5.mydomain.info
# Should output this:
# _7347cc5c453e83adefc9ad849cdeab8e.rdnyqppgxp.acm-validations.aws.

If you've got a "Host not found" error, bingo!

Retrieve your Route53 Zone name servers (there should be 4 of them, looking like ns-*.awsdns-*.*); you can find them easily at the top of the zone detail page.

In mydomain.info's original zone (where you registered the domain), put this list of name servers in an NS record, and retry your ACM Certificate creation. You can check if the delegation is effective with the following command:

$ host -t NS mydomain.info
# mydomain.info name server ns-123.awsdns-01.net.
# mydomain.info name server ns-45.awsdns-23.co.uk.
# mydomain.info name server ns-67.awsdns-45.com.
# mydomain.info name server ns-89.awsdns-67.org.
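The checks above can be scripted. The following TypeScript is an added example, not code from the question or the answer: it parses `host -t NS` output, compares it with the Route53 zone's name servers, and reports whether ACM is stuck because delegation is missing; it goes one step beyond the answer by also distinguishing a validation CNAME that is absent from one that points at the wrong target. The Route53 name server list, validation record name and target are the reader's own values.

```typescript
import { promises as dns } from "node:dns";

/** Lowercase and strip the trailing dot so names from different tools compare equal. */
const normalise = (name: string): string => name.trim().toLowerCase().replace(/\.$/, "");

/** Pull name servers out of `host -t NS <domain>` output ("mydomain.info name server ns-123.awsdns-01.net."). */
export function parseHostNsOutput(text: string): string[] {
  return text
    .split("\n")
    .map((line) => line.match(/name server\s+(\S+)/i))
    .filter((m): m is RegExpMatchArray => m !== null)
    .map((m) => normalise(m[1]));
}

export interface DelegationReport {
  delegated: boolean;   // public NS set equals the Route53 zone's NS set
  missing: string[];    // Route53 name servers the registrar is not announcing
  unexpected: string[]; // name servers announced publicly that are not the Route53 zone's
}

/** Compare the Route53 zone's ns-*.awsdns-*.* servers (zone detail page) with what public DNS answers. */
export function checkDelegation(route53Ns: string[], publicNs: string[]): DelegationReport {
  const expected = new Set(route53Ns.map(normalise));
  const observed = new Set(publicNs.map(normalise));
  const missing = Array.from(expected).filter((ns) => !observed.has(ns)).sort();
  const unexpected = Array.from(observed).filter((ns) => !expected.has(ns)).sort();
  return { delegated: missing.length === 0 && unexpected.length === 0, missing, unexpected };
}

export type ValidationState = "delegation-broken" | "record-missing" | "record-wrong-target" | "ok";

/** Why ACM is still waiting: no delegation, no CNAME visible, or a CNAME with a target ACM did not ask for. */
export function classify(report: DelegationReport, expectedTarget: string, cnameAnswers: string[]): ValidationState {
  if (!report.delegated) return "delegation-broken";
  if (cnameAnswers.length === 0) return "record-missing";
  return cnameAnswers.map(normalise).includes(normalise(expectedTarget)) ? "ok" : "record-wrong-target";
}

/** Live variant (needs network): the caller supplies the domain, the Route53 NS list and the ACM CNAME. */
export async function liveCheck(domain: string, route53Ns: string[], cnameName: string, cnameTarget: string): Promise<ValidationState> {
  const publicNs = await dns.resolveNs(domain);
  const answers = await dns.resolveCname(cnameName).catch(() => [] as string[]); // NXDOMAIN -> no record yet
  return classify(checkDelegation(route53Ns, publicNs), cnameTarget, answers);
}
```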

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: zessx