
victorious-car-86108

11/04/2020, 1:57 PM
👋 Hey, I'm following the tutorial for "Configuring AWS API Gateway Custom Domains and SSL using Route53 and ACM" but am receiving the following error after a timeout: `Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION`. I've downgraded to Pulumi 2.11.2 with no success. A few issues I've stumbled across: Terraform, interface {} is string, not int, deletion of ACM Certificate.
Any ideas on how to get this running would be much appreciated 🙂

witty-candle-66007

11/04/2020, 2:10 PM
@victorious-car-86108 Here is a working example based on that tutorial: https://github.com/MitchellGerdisch/pulumi_work/blob/main/rt53_zone_cert/index.ts Note that the custom domain can take several minutes before AWS propagates it completely. Let me know if this doesn’t work for you or if you have any other questions.

victorious-car-86108

11/04/2020, 3:06 PM
Hey @witty-candle-66007, thanks for the example code. The notable differences are the removal of using `awsUsEast1` and the `dependsOn: sslCertValidationIssued` for the `route53.Record`. However after another long wait I received the same error 😢
Here's what I'm running now:

witty-candle-66007

11/04/2020, 3:12 PM
In the AWS console do you see the cert being created and sitting in a pending state? Do you see the DNS cert validation entry? What is the full error you are seeing?

victorious-car-86108

11/04/2020, 3:18 PM
Summary of changes from Pulumi dashboard:
** PULUMI ERROR ** 

Changes:
 
    Type                Name    Operation
+-  aws:acm:Certificate sslCert replaced
 
Diagnostics:
 
mitchhuman/project/dev (pulumi:pulumi:Stack)
error: update failed
 
sslCertValidationIssued (aws:acm:CertificateValidation)
error: 1 error occurred:
	* Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

 
Resources:
    +-replaced 1
    19 unchanged
 
Duration: 45m7s

 ** PULUMI ERROR END **
Ah I do now see the certificate in a "Pending Validation" state in ACM which I haven't seen before. I guess I should now just wait for that to become active and re-run?
Okay, the validation details on ACM and the Route 53 CNAME match.

witty-candle-66007

11/04/2020, 3:55 PM
Are you saying things are working now? Although, if so, you shouldn’t have to wait and re-run …

victorious-car-86108

11/04/2020, 4:25 PM
Sorry, to clarify, after running the above code:
- I received the above PULUMI ERROR after 45m7s of waiting.
- In ACM I now see my certificate as "Pending validation".
- The CNAME ACM would like me to add has been added to a record in the newly created hosted zone.
Unsure of my next steps other than waiting to see if it completes validation. But I'm worried Pulumi will now be in a weird state?

witty-candle-66007

11/04/2020, 5:11 PM
45m is too long anyway. The whole launch should only take a couple of minutes. I’m pretty sure the root cause of the issue is that the zone that is created is not really your domain and so the certification validation which is using DNS can’t get a response when it queries DNS for the special DNS entry. This page sheds some light on this: https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/ So, if you have a domain you own that is already being managed in Route53, then you can use the pattern I shared where I just get the existing zone information and go from there.
If you need to `ctrl-C` out of the pulumi up you can do the following to get things back to a known state:
1. `pulumi refresh -y` - this may throw an error
2. `pulumi stack export | pulumi stack import` - this should get things back to a refreshable state
3. `pulumi refresh -y` - this should succeed
At this point you can do a `pulumi destroy` to get a clean slate or tinker with your pulumi code and do another `pulumi up` and it will delete/create what it needs

average-kilobyte-47828

11/04/2020, 9:40 PM
I was about to ask a question about certificates but this thread and the API gateway tutorial will get me going in the right direction.

victorious-car-86108

11/05/2020, 12:04 PM
Thanks for your pointers Mitch, I did a bit of digging on the back of this and found that the NS records being set in the Hosted Zone do not match the Name Servers configured in my domain. So I'm now trying to work out how to describe a fix for this in Pulumi.