https://pulumi.com logo
#aws
Title
# aws
l

late-lock-17022

11/11/2021, 11:53 AM
Hi, lovely people. right now I’m deploying a pulumi stack with a CertificateValidation resource. But it seems stuck on creation. I can’t find anything helpful in the documentation or google. It looks like that for 15 Minutes already. Is this normal or is something wrong there? Oh, as sidenote. This is the 5th time already that I’m trying that. Other times I just canceled the process which lead to corrupted state. Solved: Yeah, it was completely my fault. Destroyed and rebuilt the hosted zones without considering the NS entries for my domains. Hence AWS assigned some random NS Servers for those domains. DNS settings weren’t right so pulumi was stuck on the validation step. It could not reach the domains to validate the cert. Add in some aws region confusion on my side and you have the problem. Thanks @miniature-king-36473 for your help 😄
m

miniature-king-36473

11/11/2021, 12:06 PM
It can take a while. Perhaps a silly question, have you performed the validation steps that are required for the certificate (usually creating DNS records, but may be email)?
l

late-lock-17022

11/11/2021, 12:14 PM
Yeah, I did. A DNS Record as well as the cert itself are created beforehand by the same script. The AWS Console lists the certificate as issued and validated. At least as far as I can see.
Pulumi lists the validation as still creating though.
m

miniature-king-36473

11/11/2021, 12:17 PM
hmm - I don't suppose you are creating the cert in a different AWS Region (us-east-1 is required for Cloudfront for example)?
l

late-lock-17022

11/11/2021, 12:18 PM
Everything is the same region. It comes from the stack config. I do not switch regions within the resources. Don’t even know if that is actually possible 🙂
m

miniature-king-36473

11/11/2021, 12:20 PM
Just to double check, you have created the DNS records for certificate validation (not just the domain - example is here - https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificatevalidation/#dns-validation-with-route-53
l

late-lock-17022

11/11/2021, 12:21 PM
Python code.
Copy code
chipnibbles_com_certificate = aws.acm.Certificate(
    "<http://chipnibbles.com|chipnibbles.com>", domain_name="<http://chipnibbles.com|chipnibbles.com>", validation_method="DNS"
)

validation_option = chipnibbles_com_certificate.domain_validation_options[0]
chipnibbles_validation_record = ChipnibblesRecord(
    "validation_record",
    name=validation_option.resource_record_name,
    type=validation_option.resource_record_type,
    records=[
        validation_option.resource_record_value,
    ],
)

chipnibbles_cert_validation = aws.acm.CertificateValidation(
    "chipnibbles-validation",
    certificate_arn=chipnibbles_com_certificate.arn,
    validation_record_fqdns=[chipnibbles_validation_record.fqdn],
)
Should be the same. Just without the smarts that are in the example.
Now I got an error. After about 45 Minutes.
Copy code
aws:acm:CertificateValidation (chipnibbles-validation):
    error: 1 error occurred:
        * Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
m

miniature-king-36473

11/11/2021, 12:27 PM
ChipnibblesRecord is you own Resource type? Does this have access to the correct DNS Zone? Can you check to see if the record has been created in your DNS?
l

late-lock-17022

11/11/2021, 12:28 PM
Oh yeah, forgot to mention that. Yes it’s just a subclass of Route53Record with some defaults applied which are overridable. And yes the record is there.
m

miniature-king-36473

11/11/2021, 12:28 PM
worth checking the values match what ACM is showing as required for the certificate?
and is your domain "live"?
looks like the nameservers may not be correct - https://intodns.com/chipnibbles.com
l

late-lock-17022

11/11/2021, 12:32 PM
I checked again right now. I had another Certificate in us-east-1. From runs before. That’s the validated one. AWS Console somehow changed my region so I sent the wrong picture. The one I created with the script shows pending validation. The records are correct and there though.
So to reitarate. Cert is created > right DNS Entries are there in route53. Cert validation fails. I’ll look into the DNS errors. Thanks for your time! 😄
m

miniature-king-36473

11/11/2021, 12:33 PM
np
l

late-lock-17022

11/11/2021, 12:38 PM
Thats interesting. I use the default NS and SOA entries which were created by AWS for my hosted zones. Perhaps when I destroyed some of the old hosted zones some values are still cached? Hence DNS Fails completely. It’s always DNS isn’t it. 🤔
15 Views