1

I seem to be unable to get an ACM DNS Validated certificate (aws-cdk 2.23.0, 2.24.0) to validate for a .info domain. It times out every time. I'm pretty sure I used this same code a few months ago successfully. I'm wondering if something has changed?

const zone = HostedZone.fromHostedZoneAttributes(this, 'zone', {
  zoneName: 'mydomain.info',
  hostedZoneId: 'Z0xxxxxxxxx',
});

const certificate = new Certificate(this, 'certificate', {
  domainName: 'mydomain.info',
  validation: CertificateValidation.fromDns(zone),
});

// I've also tried:
const certificate = new DnsValidatedCertificate(this, 'certificate', {
  domainName: 'mydomain.info',
  hostedZone: zone,
});

The error I get from CDK is:

Received response status [FAILED] from custom resource. Message returned: Resource is not in the state certificateValidated (RequestId: .....)

Which I'm guessing is because validation is timing out.

I can see the validation record has been created in the hosted zone:

_c66d3e7c05fac89b27b619c84677ebb5.mydomain.info CNAME   Simple  -   _7347cc5c453e83adefc9ad849cdeab8e.rdnyqppgxp.acm-validations.aws.

I'm not sure how to work out why validation is failing.

David Carboni
  • 1,556
  • 23
  • 24

1 Answers1

3

ℹ️ DnsValidateCertificate is deprecated since 2.62.0. You should now use the Certificate class. For cross-region certificates (where you define the region, for example with CloudFront certificates that HAVE to be in us-east-1, have a look on this example.

This code is exactly what you need, you're right:

const zone = HostedZone.fromHostedZoneAttributes(this, 'zone', {
  zoneName: 'mydomain.info',
  hostedZoneId: 'Z0xxxxxxxxx',
});

const certificate = new DnsValidatedCertificate(this, 'certificate', {
  domainName: 'mydomain.info',
  hostedZone: zone,
});
  1. The record being created means that your Route53 Zone has been found.
  2. The validation failing means that your domain's public DNS does not show this record

My guess is that you created your Route53 Zone, without changing your domain's NS records. You can manually check it:

host -t CNAME _c66d3e7c05fac89b27b619c84677ebb5.mydomain.info
# Should output this:
# _7347cc5c453e83adefc9ad849cdeab8e.rdnyqppgxp.acm-validations.aws.

If you've got a "Host not found" error, bingo!

Retrieve your Route53 Zone name servers (there should have 4 or them, looking like ns-*.awsdns-*.*), you can find them easily on the top of the zone detail page.

In mydomain.info original zone (where you registered the domain), put this name servers list in an NS record, and retry your ACM Certificate creation. You can check if the delegation is effective with the following command:

$ host -t NS mydomain.info
# mydomain.info name server ns-123.awsdns-01.net.
# mydomain.info name server ns-45.awsdns-23.co.uk.
# mydomain.info name server ns-67.awsdns-45.com.
# mydomain.info name server ns-89.awsdns-67.org.
zessx
  • 68,042
  • 28
  • 135
  • 158
  • Thank you so much! I can confirm I get `Host ... nor found`. The domain is registered directly with aws and has `ns-nn.awsdns-nn.xxx.` name servers but, interestingly, a `host -t NS mydomain.info` gives me a `Host mydomain.info not found: 3(NXDOMAIN)`. Weirdly `whois mydomain.info` does return the right nameservers. – David Carboni May 13 '22 at 21:05
  • I do get a response if I specify the nameserver explicitly: `dig _9915df0a3417de187c76781643e1b78e.mydomain.info @ns-1486.awsdns-57.org` – David Carboni May 13 '22 at 21:18
  • 1
    I finally figured this out. It turns out it wasn't a DNS problem but a domain registration problem. The domain contact hadn't been validated which meant AWS suspended the domain. I'm retrying the validation process. (leaving this here for future Google searches) – David Carboni May 13 '22 at 21:27
  • 2
    Note that DnsValidatedCertificate is now deprecated: https://github.com/aws/aws-cdk/releases/tag/v2.62.0 – Shorn Jan 27 '23 at 03:23