1 answer
0
I solved it. For the benefit of any future thread viewers, it was because one of the hostnames was a CNAME that forwarded to a third party. That third party had a CAA record which prevented ACM from issuing a certificate for the name.
The fix was to remove or change the CNAME record before requesting a new certificate. This caused it to temporarily stop working, but allowed us to get the certificate and solve the problem. We were trying to make the change with zero downtime, which is why we didn't change the CNAME beforehand. But that wasn't realistic unfortunately.
answered 4 years ago
This is something I came up with as well after a few days of getting crazy. I'd really appreciate some other way that does not require downtime (changing the current CNAME). I'd expect something like an extra CNAME or TXT record to make this valid, i.e.:
TXT my.domain.example.com allowCAA
So the original service is still pointing to the existing external service and the new service can generate certificates first, before it's swapped.