
I am creating an ACM public certificate in an AWS Organizations member account using a Lambda function from the master account.

The code to create the ACM cert and attach it to the listener is:

import boto3

# Region and ARNs below are placeholders for the real values used in the Lambda
client_acm = boto3.client('acm', region_name='eu-west-2')
client_elbv = boto3.client('elbv2', region_name='eu-west-2')
Target_group_arn = 'arn:aws:elasticloadbalancing:eu-west-2:ACCOUNT-ID-PLACEHOLDER:targetgroup/PLACEHOLDER'
alb_arn = 'arn:aws:elasticloadbalancing:eu-west-2:ACCOUNT-ID-PLACEHOLDER:loadbalancer/app/PLACEHOLDER'

# Request a public certificate with DNS validation
resp_acm = client_acm.request_certificate(
    DomainName='test.example.com',
    ValidationMethod='DNS',
)
acm_arn = resp_acm['CertificateArn']

print(acm_arn)

# Attach the certificate to an HTTPS listener straight away (this is the call that fails)
resp_listener = client_elbv.create_listener(
    Certificates=[
        {
            'CertificateArn': acm_arn,
        },
    ],
    DefaultActions=[
        {
            'Type': 'forward',
            'TargetGroupArn': Target_group_arn,
        },
    ],
    LoadBalancerArn=alb_arn,
    Port=443,
    Protocol='HTTPS',
    SslPolicy='ELBSecurityPolicy-2016-08',
)

But I am getting this error:

"errorMessage": "An error occurred (UnsupportedCertificate) when calling the CreateListener operation: The certificate 
'arn:aws:acm:eu-west-2:xxxxxxxxx:certificate/675071212-cdd1-4gg5-9d49-6a89a47eee88' must have a fully-qualified domain name, 
a supported signature, and a supported key size.",

Can anyone please help? The main domain is in the master account, and I am creating the certificate for a subdomain in a cross-account AWS Organizations account.

Naeem
  • I have this problem too - I had initially assumed my code was jumping the gun and returning the certificate before it was issued, so I put a loop in to check for the certificate status to be "issued", but obviously since I'm here in the comments, that didn't work. – Phil Sep 10 '21 at 01:15

1 Answer

I have fixed this issue: after getting the ACM cert, you have to validate it after some wait time. You can use the following code snippet:

import time

import boto3

# Placeholders: the ACM client lives in the member account, the Route 53 client
# in the account that owns the hosted zone of the parent domain
client_acm = boto3.client('acm', region_name='eu-west-2')
client_route53 = boto3.client('route53')
HostedZoneID = 'HOSTED-ZONE-ID-PLACEHOLDER'

resp_acm = client_acm.request_certificate(
    DomainName='test.example.com',
    ValidationMethod='DNS',
)
acm_arn = resp_acm['CertificateArn']

print(acm_arn)
# the validation record is populated asynchronously, so give ACM a moment
time.sleep(10)
# describe acm certificate
acm_describe = client_acm.describe_certificate(
    CertificateArn=acm_arn
)

name = acm_describe['Certificate']['DomainValidationOptions'][0]['ResourceRecord']['Name']

value = acm_describe['Certificate']['DomainValidationOptions'][0]['ResourceRecord']['Value']

# validating acm certificate using DNS

acm_validation = client_route53.change_resource_record_sets(
    HostedZoneId=HostedZoneID,
    ChangeBatch={
        'Comment': 'DNS Validation',
        'Changes': [
            {
                'Action': 'CREATE',
                'ResourceRecordSet': {
                    'Name': name,
                    'Type': 'CNAME',
                    'TTL': 1800,
                    'ResourceRecords': [
                        {
                            'Value': value
                        },
                    ],
                }
            },
        ]
    }
)

# waiting for acm to get validated using dns
waiter = client_acm.get_waiter('certificate_validated')
waiter.wait(
    CertificateArn=acm_arn,
    WaiterConfig={
        'Delay': 15,
        'MaxAttempts': 80
    }
)
# extra settle time before the certificate is attached to the listener
time.sleep(10)

Hopefully this will solve your problem too.

Naeem
  • Looking very much like arbitrary sleeps are needed, although that waiter config looks handy too. – Phil Sep 13 '21 at 00:10
  • Yes, but after the waiter it was still giving an error; a further sleep fixed it. – Naeem Sep 13 '21 at 07:37
  • Yup, that's consistent with what AWS support told me. – Phil Sep 14 '21 at 11:13
  • so, if it helped you can accept the answer – Naeem Sep 15 '21 at 13:01
  • er, the one who asked the question (you!) is the one who accepts the answer. Personally, I haven't had a chance to try the extra sleep, but when I do, if it works, you'll have an up vote from me. (The question already does) – Phil Sep 16 '21 at 01:11
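The flow from the accepted answer, written as an added example that is not part of the question or the answer above: instead of fixed sleeps, it polls ACM for the validation CNAME before reading DomainValidationOptions, publishes that CNAME with UPSERT, and then polls the certificate Status until it is ISSUED (the only state create_listener accepts), failing fast on terminal states. The helper functions take boto3-style clients as parameters, so they run here against two small fake clients constructed for this example; with real boto3 ACM and Route 53 clients, the hosted zone id and the delay values in the calls are the only things to change. The names FakeAcm, FakeRoute53, and the example ARN and record values are all made up for the example.

```python
import time


def wait_for_validation_record(acm, cert_arn, delay=5, attempts=24):
    """Poll describe_certificate until ACM has published the DNS validation
    CNAME. ACM fills in ResourceRecord asynchronously, which is why the
    answer above needed a sleep before reading DomainValidationOptions."""
    for _ in range(attempts):
        cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
        opts = cert.get("DomainValidationOptions", [])
        if opts and "ResourceRecord" in opts[0]:
            return opts[0]["ResourceRecord"]
        time.sleep(delay)
    raise TimeoutError(f"no validation record published yet for {cert_arn}")


def publish_validation_record(route53, hosted_zone_id, record):
    """Write the validation CNAME. UPSERT rather than CREATE, so a re-run of
    the Lambda does not fail because the record already exists."""
    return route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch={
            "Comment": "ACM DNS validation",
            "Changes": [{
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": record["Name"],
                    "Type": record["Type"],
                    "TTL": 300,
                    "ResourceRecords": [{"Value": record["Value"]}],
                },
            }],
        },
    )


def wait_until_issued(acm, cert_arn, delay=15, attempts=80):
    """Poll the certificate Status instead of sleeping blindly: only ISSUED is
    usable by create_listener, and terminal failures raise immediately."""
    for _ in range(attempts):
        cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
        status = cert["Status"]
        if status == "ISSUED":
            return status
        if status in ("FAILED", "VALIDATION_TIMED_OUT", "REVOKED"):
            raise RuntimeError(f"certificate {cert_arn} ended in state {status}")
        time.sleep(delay)
    raise TimeoutError(f"certificate {cert_arn} not issued after {attempts} checks")


def issue_dns_validated_cert(acm, route53, domain, hosted_zone_id, delay=15):
    """Request -> publish CNAME -> wait for ISSUED. Returns the ARN that can
    then be passed to elbv2.create_listener(Certificates=[...])."""
    resp = acm.request_certificate(DomainName=domain, ValidationMethod="DNS")
    arn = resp["CertificateArn"]
    record = wait_for_validation_record(acm, arn, delay=delay)
    publish_validation_record(route53, hosted_zone_id, record)
    wait_until_issued(acm, arn, delay=delay)
    return arn


class FakeRoute53:
    """Constructed stand-in for the boto3 Route 53 client: keeps records in a dict."""

    def __init__(self):
        self.records = {}

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        for change in ChangeBatch["Changes"]:
            rrset = change["ResourceRecordSet"]
            self.records[rrset["Name"]] = rrset["ResourceRecords"][0]["Value"]
        return {"ChangeInfo": {"Status": "PENDING"}}


class FakeAcm:
    """Constructed stand-in for the boto3 ACM client. It mimics ACM's eventual
    consistency: the validation record only appears on the second describe
    call, and the cert becomes ISSUED once Route 53 holds the expected CNAME."""

    ARN = "arn:aws:acm:eu-west-2:123456789012:certificate/EXAMPLE-ID"

    def __init__(self, route53):
        self.route53 = route53
        self.domain = None
        self.describe_calls = 0

    def request_certificate(self, DomainName, ValidationMethod):
        self.domain = DomainName
        return {"CertificateArn": self.ARN}

    def describe_certificate(self, CertificateArn):
        self.describe_calls += 1
        name = f"_example-token.{self.domain}."
        value = "_example-target.acm-validations.aws."
        opt = {"DomainName": self.domain, "ValidationMethod": "DNS"}
        if self.describe_calls >= 2:
            opt["ResourceRecord"] = {"Name": name, "Type": "CNAME", "Value": value}
        issued = self.route53.records.get(name) == value
        return {"Certificate": {
            "CertificateArn": CertificateArn,
            "Status": "ISSUED" if issued else "PENDING_VALIDATION",
            "DomainValidationOptions": [opt],
        }}


if __name__ == "__main__":
    # Offline run against the fakes; against AWS, pass boto3.client("acm", region_name=...)
    # and boto3.client("route53") plus the real hosted zone id, and keep the default delays.
    r53 = FakeRoute53()
    issued_arn = issue_dns_validated_cert(FakeAcm(r53), r53, "test.example.com",
                                          "HOSTED-ZONE-ID-PLACEHOLDER", delay=0)
    print("issued:", issued_arn)
```

Because the hosted zone of the parent domain sits in the master account while the certificate is requested in the member account, the two clients passed in would normally be built from different credentials (for instance, an assumed role for the Route 53 side); the functions themselves do not care which account each client belongs to.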