4

I am using Windows Server 2019 for DNS management.

I have created a public SSL certificate for the domain *.example.mydomain.hk in AWS Certificate Manager (ACM).

After that, I added the DNS configuration for the SSL cert.

The image below was taken from online. My settings:

Alias name: _66fxxxxxxxxx(auto generated after entering Full qualified domain name)
Full qualified domain name: _66fxxxxxxxxx.example.mydomain.hk
Fully qualified domain name for target host: _3ddxxxxxxxx.abcde.acm-validations.aws.

[![enter image description here][1]][1] But an error occurs in ACM and the status becomes "Failed":

> The status of this certificate request is "Failed". One or more domain names have failed validation due to a Certificate Authority Authentication (CAA) error.

When I `dig _66fxxxxxxxxx.example.mydomain.hk`, it shows:

```
; <<>> DiG 9.10.6 <<>> _66fxxxxxxxxx.example.mydomain.hk.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_66fxxxxxxxxx.example.mydomain.hk. IN A

;; ANSWER SECTION:
_66fxxxxxxxxx.example.mydomain.hk. 3599 IN CNAME _3ddxxxxxxxx.abcde.acm-validations.aws.

;; AUTHORITY SECTION:
abcde.acm-validations.aws. 899 IN SOA ns-75.awsdns-09.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

...
```

How should I solve this issue?

  [1]: https://i.stack.imgur.com/ohEdu.png
TylerH
CCCC
  • There are [CAA records](https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization) in the DNS which define a policy about which CA is allowed to issue certificates within this specific domain. The one you use is not allowed to do this and therefore it fails. – Steffen Ullrich Jul 21 '21 at 02:07
  • @Steffen Ullrich How can I find it? – CCCC Jul 21 '21 at 02:09
  • See the linked reference to Wikipedia, which also contains information on what these CAA records look like. Use the DNS lookup tool of your choice, which needs to be able to look up arbitrary records though (or at least CAA), i.e. `dig CAA mydomain.hk` – Steffen Ullrich Jul 21 '21 at 02:37
  • Also your CA should be able to help you and diagnose the issue; did you ask them? Besides, your question is off-topic here as it is not related to programming. – Patrick Mevzek Jul 21 '21 at 03:50

4 Answers

7

Finally I added a CAA record for *.example.mydomain.hk and it works now.

```
*.example.mydomain.hk  IN  CAA 0 issue "amazon.com"
```

CCCC
2

I have faced a similar issue when migrating my Next.js app from Vercel to AWS Amplify.

In this case, Vercel CNAME records add CAA records from their en

  • I deleted Vercel's CNAME record and this issue got resolved.
  • I didn't need a CAA record for amazon.com.

rjvim
1

In my case, I have requested both example.com and *.example.com certificates through ACM.

I had to set up the following to make it work:

```
CAA example.com 0 issue amazon.com
CAA example.com 0 issuewild amazon.com
```

DO NOT USE *.example.com to set up CAA for the wildcard domain; you just need to add the main domain and the issuewild tag.

MudithaE
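The check Steffen Ullrich suggests in the comments (`dig CAA mydomain.hk`) and the issue/issuewild distinction in the answer above can be reasoned about offline with a small model of how a CA evaluates CAA (RFC 8659): climb from the requested name toward the root, stop at the first owner that publishes CAA, then apply the tag rules. This is an added example, not code from any answer or from ACM; the `ZONE` contents are constructed and only reuse the names from the question.

```python
# Added example: offline model of RFC 8659 CAA processing as run by a CA
# (such as ACM) before issuance. ZONE is constructed sample data, not real DNS.
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value), as `dig CAA` prints them

# Constructed zone: a pre-existing CAA at the apex permits one CA for ordinary
# names and a different CA for wildcard names via issuewild.
ZONE: Dict[str, List[CAARecord]] = {
    "mydomain.hk": [(0, "issue", "letsencrypt.org"), (0, "issuewild", "amazon.com")],
}

def relevant_caa(name: str, zone: Dict[str, List[CAARecord]]) -> Tuple[str, List[CAARecord]]:
    """Return (owner, records) for the closest ancestor-or-self carrying CAA.

    A leading '*' label is dropped first; then each parent is tried in turn,
    because CAA published at mydomain.hk governs every name beneath it."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        owner = ".".join(labels)
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return "", []

def ca_may_issue(name: str, ca: str, zone: Dict[str, List[CAARecord]]) -> bool:
    """True if `ca` (e.g. 'amazon.com') is authorised to issue for `name`."""
    _, records = relevant_caa(name, zone)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    wild = [v for _, tag, v in records if tag == "issuewild"]
    issue = [v for _, tag, v in records if tag == "issue"]
    # For a wildcard name, issuewild (when present) replaces issue entirely;
    # for a plain name, issuewild is ignored.
    relevant = wild if (name.startswith("*.") and wild) else issue
    if not relevant:
        return True  # CAA present but no applicable property: unrestricted
    # A value of ";" names no CA at all; parameters after ';' are ignored here.
    return ca in {v.split(";")[0].strip() for v in relevant}

if __name__ == "__main__":
    for n in ("*.example.mydomain.hk", "example.mydomain.hk"):
        owner, recs = relevant_caa(n, ZONE)
        print(n, "->", owner, recs, "amazon.com allowed:", ca_may_issue(n, "amazon.com", ZONE))
```

Running it shows why the wildcard request passes while a plain-name request for the same CA is refused: the apex record, not a record at `*.example.mydomain.hk`, is the one the CA consults.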
0

For me, I was running into the same issue for one of my domains when I would attempt to create an ACM cert and validate through DNS.

I needed to add a CAA record in Route 53 and set the value to `0 issue "amazon.com"`, and this allowed DNS validation for the ACM cert to pass for my record in R53.

Gorgon_Union