# aws
l
Hi, lovely people. Right now I’m deploying a Pulumi stack with a CertificateValidation resource, but it seems stuck on creation. I can’t find anything helpful in the documentation or on Google. It has looked like that for 15 minutes already. Is this normal, or is something wrong there? Oh, as a side note: this is the 5th time already that I’m trying that. The other times I just cancelled the process, which led to corrupted state.

Solved: Yeah, it was completely my fault. I destroyed and rebuilt the hosted zones without considering the NS entries for my domains. Hence AWS assigned some random NS servers for those domains. The DNS settings weren’t right, so Pulumi was stuck on the validation step: it could not reach the domains to validate the cert. Add in some AWS region confusion on my side and you have the problem. Thanks @miniature-king-36473 for your help 😄
m
It can take a while. Perhaps a silly question, but have you performed the validation steps that are required for the certificate (usually creating DNS records, but it may be email)?
l
Yeah, I did. A DNS Record as well as the cert itself are created beforehand by the same script. The AWS Console lists the certificate as issued and validated. At least as far as I can see.
Pulumi lists the validation as still creating though.
m
Hmm, I don't suppose you are creating the cert in a different AWS region (us-east-1 is required for CloudFront, for example)?
l
Everything is the same region. It comes from the stack config. I do not switch regions within the resources. Don’t even know if that is actually possible 🙂
m
Just to double check: you have created the DNS records for certificate validation (not just the domain)? An example is here: https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificatevalidation/#dns-validation-with-route-53
l
Python code.
import pulumi_aws as aws

# ChipnibblesRecord is the poster's own subclass of aws.route53.Record
# (mentioned later in the thread) that applies overridable defaults such as
# the hosted zone; it is defined elsewhere in the stack.

# Request a DNS-validated ACM certificate for the apex domain.
chipnibbles_com_certificate = aws.acm.Certificate(
    "chipnibbles.com", domain_name="chipnibbles.com", validation_method="DNS"
)

# ACM returns the CNAME it wants to see; take the first domain's option.
validation_option = chipnibbles_com_certificate.domain_validation_options[0]

# Publish that CNAME in Route53 so ACM can verify control of the domain.
chipnibbles_validation_record = ChipnibblesRecord(
    "validation_record",
    name=validation_option.resource_record_name,
    type=validation_option.resource_record_type,
    records=[
        validation_option.resource_record_value,
    ],
)

# Block until ACM reports the certificate as ISSUED.
chipnibbles_cert_validation = aws.acm.CertificateValidation(
    "chipnibbles-validation",
    certificate_arn=chipnibbles_com_certificate.arn,
    validation_record_fqdns=[chipnibbles_validation_record.fqdn],
)
Should be the same. Just without the smarts that are in the example.
Now I got an error, after about 45 minutes.
aws:acm:CertificateValidation (chipnibbles-validation):
    error: 1 error occurred:
        * Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
m
ChipnibblesRecord is your own resource type? Does it have access to the correct DNS zone? Can you check to see if the record has been created in your DNS?
l
Oh yeah, I forgot to mention that. Yes, it’s just a subclass of Route53Record with some defaults applied, which are overridable. And yes, the record is there.
m
Worth checking that the values match what ACM is showing as required for the certificate?
And is your domain "live"?
Looks like the nameservers may not be correct: https://intodns.com/chipnibbles.com
l
I checked again right now. I had another certificate in us-east-1, from runs before. That’s the validated one. The AWS Console somehow changed my region, so I sent the wrong picture. The one I created with the script shows pending validation. The records are correct and there, though.
So to reiterate: cert is created > the right DNS entries are there in Route53 > cert validation fails. I’ll look into the DNS errors. Thanks for your time! 😄
m
np
l
That’s interesting. I use the default NS and SOA entries which were created by AWS for my hosted zones. Perhaps when I destroyed some of the old hosted zones some values were still cached? Hence DNS fails completely. It’s always DNS, isn’t it. 🤔