Certificate Manager failing CAA validation, with and without CAA records

0

I'm trying to request a certificate for a few hostnames. Each of the individual (DNS-based) validations is passing; however, the certificate as a whole has a status of "Failed". The failure reason it gives is "CAA Error".

None of the domains (nor any of their parent domains) have CAA records set, so CAA validation should be disabled according to the ACM documentation. Regardless, I tried adding CAA records to the domains and re-requesting a certificate, and it still failed. I also tried requesting a certificate in a different region with the same results.

This has been going on since yesterday. Is there anything else I can try to fix this?

adamz
Asked 4 years ago, 481 views
1 answer
0

I solved it. For the benefit of any future thread viewers, it was because one of the hostnames was a CNAME that forwarded to a third party. That third party had a CAA record which prevented ACM from issuing a certificate for the name.

The fix was to remove or change the CNAME record before requesting a new certificate. This caused it to temporarily stop working, but allowed us to get the certificate and solve the problem. We were trying to make the change with zero downtime, which is why we didn't change the CNAME beforehand. But that wasn't realistic unfortunately.

adamz
Answered 4 years ago
  • This is something I came up with as well after a few days of getting crazy. I'd really appreciate some other way that does not require downtime (changing the current CNAME). I'd expect something like an extra CNAME or TXT record to make this valid. I.e.: TXT my.domain.example.com allowCAA. So the original service is still pointing to the existing external service and new service can generate certificates first, before it's swapped.
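The alias lookup that caused the failure in this thread, as an added offline example that is not part of the original post: a model of the RFC 8659 CAA algorithm run over a constructed zone, showing why a CNAME to a third party whose name carries a CAA record blocks issuance unless that record names the issuing CA (for ACM, one of its documented values such as amazon.com). The zone data, hostnames and helper functions are all assumptions.

```python
# Offline model of the CAA lookup in RFC 8659 section 3, added as an
# illustration (not AWS's or ACM's code). The zone is constructed to
# reproduce the thread: a hostname that is a CNAME to a third party whose
# name carries a CAA record naming a different CA.
ZONE = {
    "www.example.com":         {"CNAME": ["edge.thirdparty.example"]},
    "edge.thirdparty.example": {"CAA": ['0 issue "other-ca.example"']},
    "api.example.com":         {"A": ["192.0.2.10"]},
    "shop.example.org":        {"A": ["192.0.2.20"]},
    "example.org":             {"CAA": ['0 issue "amazon.com"']},  # a CA domain ACM documents
}
MAX_CNAME_HOPS = 8  # guard against alias loops


def lookup(name, rtype, zone=ZONE):
    return list(zone.get(name, {}).get(rtype, []))


def alias_target(name, zone=ZONE):
    """Follow the CNAME chain from name; return the final target, or None if not an alias."""
    seen, current = [name], name
    while len(seen) <= MAX_CNAME_HOPS:
        nxt = lookup(current, "CNAME", zone)
        if not nxt or nxt[0] in seen:
            break
        current = nxt[0]
        seen.append(current)
    return current if current != name else None


def relevant_caa(name, zone=ZONE):
    """RFC 8659: R(X) = CAA(X); else CAA(A(X)) for alias target A(X); else R(parent(X)).
    Returns (name the policy came from, records) or (None, [])."""
    labels = name.split(".")
    for i in range(len(labels)):              # walk up to and including the TLD
        x = ".".join(labels[i:])
        recs = lookup(x, "CAA", zone)
        if recs:
            return x, recs
        target = alias_target(x, zone)        # a CNAME name cannot hold its own CAA record,
        if target:                            # so the alias target's policy is what applies
            recs = lookup(target, "CAA", zone)
            if recs:
                return target, recs
    return None, []


def ca_may_issue(name, ca_domain, zone=ZONE):
    """True when no CAA policy applies or an 'issue' property names ca_domain.
    Only the 'issue' tag is modelled; 'issuewild' and 'iodef' are ignored."""
    _, recs = relevant_caa(name, zone)
    if not recs:
        return True
    issuers = {value.strip('"').split(";")[0].strip()
               for flags, tag, value in (r.split(" ", 2) for r in recs) if tag == "issue"}
    return ca_domain in issuers
```

Because the policy for www.example.com is read from the alias target, no record added under example.com can override it while the CNAME exists, which is why the thread's fix had to change the CNAME itself.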
