'Unable to get AWS CDK ACM DNS Validated certificate to create
I seem to be unable to get an ACM DNS Validated certificate (aws-cdk 2.23.0
, 2.24.0
) to validate for a .info
domain. It times out every time. I'm pretty sure I used this same code a few months ago successfully. I'm wondering if something has changed?
const zone = HostedZone.fromHostedZoneAttributes(this, 'zone', {
zoneName: 'mydomain.info',
hostedZoneId: 'Z0xxxxxxxxx',
});
const certificate = new Certificate(this, 'certificate', {
domainName: 'mydomain.info',
validation: CertificateValidation.fromDns(zone),
});
// I've also tried:
const certificate = new DnsValidatedCertificate(this, 'certificate', {
domainName: 'mydomain.info',
hostedZone: zone,
});
The error I get from CDK is:
Received response status [FAILED] from custom resource. Message returned: Resource is not in the state certificateValidated (RequestId: .....)
Which I'm guessing is because validation is timing out.
I can see the validation record has been created in the hosted zone:
_c66d3e7c05fac89b27b619c84677ebb5.mydomain.info CNAME Simple - _7347cc5c453e83adefc9ad849cdeab8e.rdnyqppgxp.acm-validations.aws.
I'm not sure how to work out why validation is failing.
Solution 1:[1]
This code is exactly what you need, you're right:
const zone = HostedZone.fromHostedZoneAttributes(this, 'zone', {
zoneName: 'mydomain.info',
hostedZoneId: 'Z0xxxxxxxxx',
});
const certificate = new DnsValidatedCertificate(this, 'certificate', {
domainName: 'mydomain.info',
hostedZone: zone,
});
- The record being created means that your Route53 Zone has been found.
- The validation failing means that your domain's public DNS does not show this record
My guess is that you created your Route53 Zone, without changing your domain's NS records. You can manually check it:
host -t CNAME _c66d3e7c05fac89b27b619c84677ebb5.mydomain.info
# Should output this:
# _7347cc5c453e83adefc9ad849cdeab8e.rdnyqppgxp.acm-validations.aws.
If you've got a "Host not found" error, bingo!
Retrieve your Route53 Zone name servers (there should have 4 or them, looking like ns-*.awsdns-*.*
), you can find them easily on the top of the zone detail page.
In mydomain.info
original zone (where you registered the domain), put this name servers list in an NS
record, and retry your ACM Certificate creation. You can check if the delegation is effective with the following command:
$ host -t NS mydomain.info
# mydomain.info name server ns-123.awsdns-01.net.
# mydomain.info name server ns-45.awsdns-23.co.uk.
# mydomain.info name server ns-67.awsdns-45.com.
# mydomain.info name server ns-89.awsdns-67.org.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | zessx |