:wave: Hey, I'm following the tutorial for "<Confi...
# aws
👋 Hey, I'm following the tutorial for "Configuring AWS API Gateway Custom Domains and SSL using Route53 and ACM" but am receiving the following error after a timeout:
Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
. I've downgraded to Pulumi 2.11.2 with no success. A few issues I've stumbled across: Terraform, interface {} is string, not int, deletion of ACM Certificate.
Any ideas on how to get this running would be much appreciated 🙂
@victorious-car-86108 Here is a working example based on that tutorial: https://github.com/MitchellGerdisch/pulumi_work/blob/main/rt53_zone_cert/index.ts Note that the custom domain can take several minutes before AWS propagates it completely. Let me know if this doesn’t work for you or if you have any other questions.
Hey @witty-candle-66007, thanks for the example code. The notable differences are the removal of using
and the
dependsOn: sslCertValidationIssued
for the
. However after another long wait I received the same error 😢
Here's what I'm running now:
In the AWS console do you see the cert being created and sitting in a pending state? Do you see the DNS cert validation entry? What is the full error you are seeing?
Summary of changes from Pulumi dashboard:
Copy code

    Type                Name    Operation
+-  aws:acm:Certificate sslCert replaced
mitchhuman/project/dev (pulumi:pulumi:Stack)
error: update failed
sslCertValidationIssued (aws:acm:CertificateValidation)
error: 1 error occurred:
	* Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

    +-replaced 1
    19 unchanged
Duration: 45m7s

Ah I do now see the certificate in a "Pending Validation" state in ACM which I haven't seen before. I guess I should now just wait for that to become active and re-run?
Okay, the validation details on ACM and the Route 53 CNAME match.
Are you saying things are working now? Although, if so, you shouldn’t have to wait and re-run …
Sorry to clarify, after running the above code: - I received the above PULUMI ERROR after 45m7s of waiting. - In ACM I now see my certificate as "Pending validation". - The CNAME ACM would like me to add has been added to a record in the newly created hosted zone. Unsure of my next steps other than waiting to see if it completes validation. But I'm worried Pulumi will now be in a weird state?
45m is too long anyway. The whole launch should only take a couple of minutes. I’m pretty sure the root cause of the issue is that the zone that is created is not really your domain and so the certification validation which is using DNS can’t get a response when it queries DNS for the special DNS entry. This page sheds some light on this: https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/ So, if you have a domain you own and is already being managed in Route53, then you can use the pattern I shared where I just get the existing zone information and go from there.
If you need to
out of the pulumi up you can do the following to get things back to a known state: 1.
pulumi refresh -y
- this may throw an error 2.
pulumi stack export | pulumi stack import
this should get things back to a refreshable state 3.
pulumi refiresh -y
this should succeed At this point you can do a
pulumi destroy
to get a clean slate or tinker with your pulumi code and do another
pulumi up
and it will delete/create what it needs
👍 1
I was about to ask a question about certificates but this thread and the API gateway tutorial will get me going in the right direction.
Thanks for your pointers Mitch, I did a bit of digging on the back of this and found that the NS records being set in the Hosted Zone do not match the Name Servers configured in my domain. So I'm now trying to work out how to describe a fix for this in Pulumi.