Why isn't my AWS ACM certificate validating?

I have a domain name registered in AWS Route53 with an ACM certificate. I am now attempting to both move that domain name and certificate to a new account as well as manage the resources with Terraform. I used the AWS CLI to move the domain name to the new account and it appears to have worked fine. Then I tried running this Terraform code to create a new certificate and hosted zone for the domain.

resource "aws_acm_certificate" "default" {
  domain_name       = "mydomain.io"
  validation_method = "DNS"
}

resource "aws_route53_zone" "external" {
  name = "mydomain.io"
}

resource "aws_route53_record" "validation" {
  name    = aws_acm_certificate.default.domain_validation_options.0.resource_record_name
  type    = aws_acm_certificate.default.domain_validation_options.0.resource_record_type
  zone_id = aws_route53_zone.external.zone_id
  records = [aws_acm_certificate.default.domain_validation_options.0.resource_record_value]
  ttl     = "60"
}

resource "aws_acm_certificate_validation" "default" {
  certificate_arn = aws_acm_certificate.default.arn
  validation_record_fqdns = [
    aws_route53_record.validation.fqdn,
  ]
}

There are two things that are strange about this. Primarily, the certificate is created but the validation never completes. It's still in Pending validation status. I read somewhere after this failed that you can't auto validate and you need to create the CNAME record manually. So I went into the console and clicked the "add cname to route 53" button. This added the CNAME record appropriately to my new Route53 record that Terraform created. But it's been pending for hours. I've clicked that same button several times; only one CNAME was created, and subsequent clicks have no effect.

Another oddity, and perhaps a clue, is that my website is still up and working. I believe this should have broken the website since the domain is now owned by a new account, routing to a different hosted zone on that new account, and has a certificate that's now still pending. However, everything still works as normal. So I think it's possible that the old certificate and hosted zone are affecting this. Do they need to release the domain and do I need to delete that certificate? Deleting the certificate on the old account sounds unnecessary. It should just no longer be given out.

I have not, yet, associated the certificate with Cloudfront or ALB, which I intend to do. But since it's not validated, my Terraform code for creating a Cloudfront instance dies.

mmachenry asked Jul 08 '20 23:07

2 Answers

It turns out that my transferred domain came transferred with a set of name servers; however, the name servers in the Route53 hosted zone were all different. When these are created together through the console, it does the right thing. I'm not sure how to do the right thing here with Terraform, which I'm going to post another question about in a moment. But for now, the solution is to change the name servers on either the hosted zone or the registered domain to match each other.

mmachenry answered Oct 09 '22 12:10
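The mismatch this answer describes can be checked before touching Terraform. The script below is an added example, not from the question or either answer: it pulls the name servers the registrar (Route 53 Domains) publishes and the hosted zone's own NS set, compares them after normalising case and trailing dots, and shows the validation CNAME as the public DNS tree (what ACM queries) sees it next to the zone's own answer. It assumes the AWS CLI, dig and credentials for the account that owns both the domain and the zone; the placeholders in the repair command are yours to fill.

```shell
# Added example, not from the question or either answer. Compares the name
# servers the registrar (Route 53 Domains) publishes for a domain with the NS
# set of the hosted zone, which is the mismatch behind the pending validation.
# Assumes the AWS CLI, dig and credentials for the account that owns both.

# Normalise an NS list: lowercase, strip trailing dot and blank lines, sort.
normalize_ns() {
  tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# ns_match "LIST_A" "LIST_B": 0 when both lists name the same servers,
# otherwise prints both normalised lists to stderr and returns 1.
ns_match() {
  a=$(printf '%s\n' "$1" | normalize_ns)
  b=$(printf '%s\n' "$2" | normalize_ns)
  [ "$a" = "$b" ] && return 0
  printf 'registrar NS:\n%s\nhosted zone NS:\n%s\n' "$a" "$b" >&2
  return 1
}

# Registrar-side servers; Route 53 Domains only answers in us-east-1.
registrar_ns() {
  aws route53domains get-domain-detail --region us-east-1 --domain-name "$1" \
    --query 'Nameservers[].Name' --output text | tr '\t' '\n'
}

# The hosted zone's own apex NS record set (ZONE_ID DOMAIN).
zone_ns() {
  aws route53 list-resource-record-sets --hosted-zone-id "$1" \
    --query "ResourceRecordSets[?Type=='NS' && Name=='$2.'].ResourceRecords[].Value" \
    --output text | tr '\t' '\n'
}

# What ACM sees (RECORD_NAME ZONE_NS_HOST): public answer beside the zone's own.
validation_cname() {
  printf 'authoritative: %s\n' "$(dig +short CNAME "$1" @"$2")"
  printf 'public:        %s\n' "$(dig +short CNAME "$1")"
}

# check_domain DOMAIN ZONE_ID: live comparison plus the command that repairs it.
check_domain() {
  if ns_match "$(registrar_ns "$1")" "$(zone_ns "$2" "$1")"; then
    echo "name servers agree; if ACM is still pending, check the CNAME itself"
  else
    echo "repoint the registrar at the zone, e.g.:"
    echo "  aws route53domains update-domain-nameservers --region us-east-1 \\"
    echo "    --domain-name $1 --nameservers Name=<zone ns 1> Name=<zone ns 2>"
  fi
}
```

Run `check_domain mydomain.io <hosted zone id>` after the zone exists; a pending certificate with agreeing name servers points at the CNAME itself, which `validation_cname _<token>.mydomain.io <one of the zone's NS hosts>` shows from both sides.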


It's working for me

variable "domain" {
  type = string # apex name, e.g. "mydomain.io"; also the name of the public hosted zone
}

variable "wildcard_enable" {
  type    = bool
  default = false # true issues the certificate for "*.<domain>" instead of the apex
}

data "aws_route53_zone" "main" {
  name         = var.domain
  private_zone = false
}

locals {
  # A bare *.var.domain is not valid HCL; the wildcard name must be built as a string
  final_domain = var.wildcard_enable ? "*.${var.domain}" : var.domain
}

resource "aws_acm_certificate" "cert" {
  domain_name       = local.final_domain
  validation_method = "DNS"

  tags = {
    "Name" = var.domain
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "cert_validation" {
  depends_on      = [aws_acm_certificate.cert]
  zone_id         = data.aws_route53_zone.main.id
  # domain_validation_options is a set, so it cannot be indexed with .0;
  # sort() turns it into a list. With a single domain there is exactly one entry.
  name            = sort(aws_acm_certificate.cert.domain_validation_options[*].resource_record_name)[0]
  type            = "CNAME"
  ttl             = "300"
  records         = [sort(aws_acm_certificate.cert.domain_validation_options[*].resource_record_value)[0]]
  allow_overwrite = true
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn = aws_acm_certificate.cert.arn
  validation_record_fqdns = [
    aws_route53_record.cert_validation.fqdn
  ]
  timeouts {
    create = "60m" # ACM can take well over the default before it issues
  }
}

Abhishek Jalan answered Oct 09 '22 11:10