👋 Hey, I'm following the tutorial for "Configuring AWS API Gateway Custom Domains and SSL using Route53 and ACM" but am receiving the following error after a timeout:

Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

. I've downgraded to Pulumi 2.11.2 with no success. A few issues I've stumbled across: Terraform, interface {} is string, not int, deletion of ACM Certificate.

@victorious-car-86108 Here is a working example based on that tutorial: https://github.com/MitchellGerdisch/pulumi_work/blob/main/rt53_zone_cert/index.ts Note that the custom domain can take several minutes before AWS propagates it completely. Let me know if this doesn’t work for you or if you have any other questions.

Hey @witty-candle-66007, thanks for the example code. The notable differences are the removal of using

awsUsEast1

and the

dependsOn: sslCertValidationIssued

for the

route53.Record

. However after another long wait I received the same error 😢

In the AWS console do you see the cert being created and sitting in a pending state? Do you see the DNS cert validation entry? What is the full error you are seeing?

Summary of changes from Pulumi dashboard:

** PULUMI ERROR ** 

Changes:
 
    Type                Name    Operation
+-  aws:acm:Certificate sslCert replaced
 
Diagnostics:
 
mitchhuman/project/dev (pulumi:pulumi:Stack)
error: update failed
 
sslCertValidationIssued (aws:acm:CertificateValidation)
error: 1 error occurred:
	* Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

 
Resources:
    +-replaced 1
    19 unchanged
 
Duration: 45m7s

 ** PULUMI ERROR END **

Are you saying things are working now? Although, if so, you shouldn’t have to wait and re-run …

Sorry to clarify, after running the above code: - I received the above PULUMI ERROR after 45m7s of waiting. - In ACM I now see my certificate as "Pending validation". - The CNAME ACM would like me to add has been added to a record in the newly created hosted zone. Unsure of my next steps other than waiting to see if it completes validation. But I'm worried Pulumi will now be in a weird state?

45m is too long anyway. The whole launch should only take a couple of minutes. I’m pretty sure the root cause of the issue is that the zone that is created is not really your domain and so the certification validation which is using DNS can’t get a response when it queries DNS for the special DNS entry. This page sheds some light on this: https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/ So, if you have a domain you own and is already being managed in Route53, then you can use the pattern I shared where I just get the existing zone information and go from there.

I was about to ask a question about certificates but this thread and the API gateway tutorial will get me going in the right direction.

Thanks for your pointers Mitch, I did a bit of digging on the back of this and found that the NS records being set in the Hosted Zone do not match the Name Servers configured in my domain. So I'm now trying to work out how to describe a fix for this in Pulumi.