# aws
m
It can take a while. Perhaps a silly question, have you performed the validation steps that are required for the certificate (usually creating DNS records, but may be email)?
l
Yeah, I did. A DNS Record as well as the cert itself are created beforehand by the same script. The AWS Console lists the certificate as issued and validated. At least as far as I can see.
Pulumi lists the validation as still creating though.
m
hmm - I don't suppose you are creating the cert in a different AWS Region (us-east-1 is required for Cloudfront for example)?
l
Everything is the same region. It comes from the stack config. I do not switch regions within the resources. Don’t even know if that is actually possible 🙂
m
Just to double check, you have created the DNS records for certificate validation (not just the domain)? An example is here: https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificatevalidation/#dns-validation-with-route-53
l
Python code.
```python
import pulumi_aws as aws

# ChipnibblesRecord is the user's own subclass of aws.route53.Record
# (defined elsewhere in the script) that applies overridable defaults
# such as the hosted zone.

chipnibbles_com_certificate = aws.acm.Certificate(
    "chipnibbles.com", domain_name="chipnibbles.com", validation_method="DNS"
)

# ACM returns the CNAME it expects to find for DNS validation.
validation_option = chipnibbles_com_certificate.domain_validation_options[0]
chipnibbles_validation_record = ChipnibblesRecord(
    "validation_record",
    name=validation_option.resource_record_name,
    type=validation_option.resource_record_type,
    records=[
        validation_option.resource_record_value,
    ],
)

# Waits until ACM has seen the record and issued the certificate.
chipnibbles_cert_validation = aws.acm.CertificateValidation(
    "chipnibbles-validation",
    certificate_arn=chipnibbles_com_certificate.arn,
    validation_record_fqdns=[chipnibbles_validation_record.fqdn],
)
```
Should be the same. Just without the smarts that are in the example.
Now I got an error. After about 45 minutes.
```
aws:acm:CertificateValidation (chipnibbles-validation):
    error: 1 error occurred:
        * Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
```
m
ChipnibblesRecord is your own Resource type? Does this have access to the correct DNS zone? Can you check to see if the record has been created in your DNS?
l
Oh yeah, forgot to mention that. Yes, it’s just a subclass of Route53Record with some defaults applied which are overridable. And yes, the record is there.
m
Worth checking the values match what ACM is showing as required for the certificate?
And is your domain "live"?
Looks like the nameservers may not be correct: https://intodns.com/chipnibbles.com
l
I checked again right now. I had another certificate in us-east-1, from runs before. That’s the validated one. The AWS Console somehow changed my region, so I sent the wrong picture. The one I created with the script shows pending validation. The records are correct and there, though.
So to reiterate: cert is created > right DNS entries are there in Route53 > cert validation fails. I’ll look into the DNS errors. Thanks for your time! 😄
m
np
l
That’s interesting. I use the default NS and SOA entries which were created by AWS for my hosted zones. Perhaps when I destroyed some of the old hosted zones some values are still cached? Hence DNS fails completely. It’s always DNS, isn’t it? 🤔