Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
l
late-lock-17022
11/11/2021, 11:53 AMHi, lovely people.
right now I’m deploying a pulumi stack with a CertificateValidation resource. But it seems stuck on creation. I can’t find anything helpful in the documentation or google.
It looks like that for 15 Minutes already. Is this normal or is something wrong there?
Oh, as sidenote. This is the 5th time already that I’m trying that. Other times I just canceled the process which lead to corrupted state.
Solved:
Yeah, it was completely my fault. Destroyed and rebuilt the hosted zones without considering the NS entries for my domains. Hence AWS assigned some random NS Servers for those domains. DNS settings weren’t right so pulumi was stuck on the validation step. It could not reach the domains to validate the cert. Add in some aws region confusion on my side and you have the problem.
Thanks @miniature-king-36473 for your help 😄
m
miniature-king-36473
11/11/2021, 12:06 PMIt can take a while.
Perhaps a silly question, have you performed the validation steps that are required for the certificate (usually creating DNS records, but may be email)?
l
late-lock-17022
11/11/2021, 12:14 PMYeah, I did.
A DNS Record as well as the cert itself are created beforehand by the same script.
The AWS Console lists the certificate as issued and validated. At least as far as I can see.
Pulumi lists the validation as still creating though.
m
miniature-king-36473
11/11/2021, 12:17 PMhmm - I don't suppose you are creating the cert in a different AWS Region (us-east-1 is required for Cloudfront for example)?
l
late-lock-17022
11/11/2021, 12:18 PMEverything is the same region. It comes from the stack config.
I do not switch regions within the resources. Don’t even know if that is actually possible 🙂
m
miniature-king-36473
11/11/2021, 12:20 PMJust to double check, you have created the DNS records for certificate validation (not just the domain - example is here - https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificatevalidation/#dns-validation-with-route-53
l
late-lock-17022
11/11/2021, 12:21 PMPython code.
chipnibbles_com_certificate = aws.acm.Certificate(
"<http://chipnibbles.com|chipnibbles.com>", domain_name="<http://chipnibbles.com|chipnibbles.com>", validation_method="DNS"
)
validation_option = chipnibbles_com_certificate.domain_validation_options[0]
chipnibbles_validation_record = ChipnibblesRecord(
"validation_record",
name=validation_option.resource_record_name,
type=validation_option.resource_record_type,
records=[
validation_option.resource_record_value,
],
)
chipnibbles_cert_validation = aws.acm.CertificateValidation(
"chipnibbles-validation",
certificate_arn=chipnibbles_com_certificate.arn,
validation_record_fqdns=[chipnibbles_validation_record.fqdn],
)Should be the same. Just without the smarts that are in the example.
Now I got an error. After about 45 Minutes.
aws:acm:CertificateValidation (chipnibbles-validation):
error: 1 error occurred:
* Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATIONm
miniature-king-36473
11/11/2021, 12:27 PMChipnibblesRecord is you own Resource type? Does this have access to the correct DNS Zone? Can you check to see if the record has been created in your DNS?
l
late-lock-17022
11/11/2021, 12:28 PMOh yeah, forgot to mention that. Yes it’s just a subclass of Route53Record with some defaults applied which are overridable.
And yes the record is there.
m
miniature-king-36473
11/11/2021, 12:28 PMworth checking the values match what ACM is showing as required for the certificate?
and is your domain "live"?
looks like the nameservers may not be correct - https://intodns.com/chipnibbles.com
l
late-lock-17022
11/11/2021, 12:32 PMI checked again right now. I had another Certificate in us-east-1. From runs before. That’s the validated one. AWS Console somehow changed my region so I sent the wrong picture.
The one I created with the script shows pending validation. The records are correct and there though.
So to reitarate.
Cert is created > right DNS Entries are there in route53. Cert validation fails.
I’ll look into the DNS errors. Thanks for your time! 😄
m
miniature-king-36473
11/11/2021, 12:33 PMnp
l
late-lock-17022
11/11/2021, 12:38 PMThats interesting. I use the default NS and SOA entries which were created by AWS for my hosted zones. Perhaps when I destroyed some of the old hosted zones some values are still cached? Hence DNS Fails completely.
It’s always DNS isn’t it. 🤔