En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Certificate Manager failing CAA validation, with and without CAA records

0

I'm trying to request a certificate for a few hostnames. Each of the individual (DNS-based) validations is passing, however the certificate as a whole has a status of "Failed". The failure reason it gives is "CAA Error".

None of the domains (nor any of their parent domains) have CAA records set, so CAA validation should be disabled according to the ACM documentation. Regardless, I tried adding CAA records to the domains and re-requesting a certificate, and it still failed. I also tried requesting a certificate in a different region with the same results.

This has been going on since yesterday. Is there anything else I can try to fix this?

Sujets
Sécurité, identité et conformité
Balises
Gestionnaire de certificats AWS
Langue
English
adamz
demandé il y a 4 ans481 vues
1 réponse
0

I solved it. For the benefit of any future thread viewers, it was because one of the hostnames was a CNAME that forwarded to a third party. That third party had a CAA record which prevented ACM from issuing a certificate for the name.

The fix was to remove or change the CNAME record before requesting a new certificate. This caused it to temporarily stop working, but allowed us to get the certificate and solve the problem. We were trying to make the change with zero downtime, which is why we didn't change the CNAME beforehand. But that wasn't realistic unfortunately.

adamz
répondu il y a 4 ans
  • misak113
    il y a 3 mois

    This is something I came up with as well after a few days of getting crazy. I'd really appreciate some other way that does not require downtime (changing the current CNAME). I'd expect something like an extra CNAME or TXT record to make this valid. I.e.: TXT my.domain.example.com allowCAA. So the original service is still pointing to the existing external service and new service can generate certificates first, before it's swapped.

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents