Route 53, CloudFormation, and ACM

0

I am not sure what I am doing wrong. When I first registered a domain on Route 53, it assigned me a hosted zone. I had a cloud formation distro that was assigned to an S3 bucket. I registered a certificate through ACM and it was validated. What I set up was wrong, so I had to remove everything, from the hosted zone to the cert, to my cloud formation distro and S3 bucket.

After the purge, I recreated an S3 bucket, created a new hosted zone, tried to use the cloud formation distro, and now my ACM cert keeps saying "pending validation" (it has been 72 hours without an error). I tried everything under the sun, from checking `dig NS <mydomain.com>` to `dig CNAME <cname here>`, to making sure Route 53 has the correct CNAME and that no A cert is blocking the way. I need the SSL cert to work before I move on.

Any idea would be helpful. I tried researching all of re:Post from newest to posts dating back 4 years. Nothing helped.

EDIT: I found the solution. Just copy the NS from the newly created hosted zone into my registered domain's NS. The hosted zone NS now point to the domain. The domain accepted ACM right away.

2 Answers
0

You need to update your glue records for your domain based off the newly created Route 53 zone. Point 6 in the AI answer.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-name-servers-glue-records.html

I also assume you mean CloudFront, not CloudFormation.

EXPERT
answered 5 days ago
EXPERT
reviewed 4 days ago
EXPERT
reviewed 4 days ago
  • Found it. Posted the simpler answer in EDIT: question.

0

It sounds like you're experiencing a common issue with AWS Certificate Manager (ACM) validation after recreating your infrastructure. Here are some steps and considerations to help resolve your problem:

  1. First, since it's been 72 hours without validation, your certificate request has likely timed out. You'll need to delete the pending certificate and request a new one.

  2. When requesting the new certificate, make sure to use DNS validation instead of email validation. DNS validation is more reliable and allows for automatic renewal.

  3. After requesting the new certificate, ACM will provide you with CNAME records that need to be added to your Route 53 hosted zone. If you're using the same AWS account for both ACM and Route 53, you should see a "Create records in Route 53" button in the ACM console. This will automatically add the necessary CNAME records to your hosted zone.

  4. If the automatic option isn't available, manually add the CNAME records to your Route 53 hosted zone. Ensure you copy the record name and value accurately.

  5. After adding the CNAME records, give ACM some time to validate your domain ownership. This process usually completes quickly, but it can take up to 30 minutes for the status to update.

  6. Double-check that your Route 53 nameservers are correctly set at your domain registrar. Use the 'dig NS' command to verify this.

  7. Ensure there are no Certification Authority Authorization (CAA) records in your DNS that might be blocking certificate issuance.

  8. If you're using CloudFormation to manage your ACM certificate, make sure the template includes the correct DomainValidationOptions with the HostedZoneId.

If you continue to face issues after following these steps, you may want to check if there are any DNS propagation delays or if your DNS configuration is correct using tools like dig or nslookup.

Remember, patience is key when dealing with DNS changes. Sometimes, it may take a bit of time for changes to propagate fully.

Sources:
  • Certificate not getting issued | AWS re:Post
  • Unable to request a Certificate in AWS | AWS re:Post
  • AWS Certificate Manager DNS validation - AWS Certificate Manager
  • DNS validation - pending validation | AWS re:Post

answered 5 days ago
EXPERT
reviewed 5 days ago
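The root cause in the question (the registrar still delegated to the old hosted zone's name servers, so the ACM validation CNAME in the new zone was never visible to the CA) and steps 3, 6 and 7 of the answer above can be checked mechanically. The following script is an added example, not code from either answer or from AWS: it parses captured `dig +short` output for the three things ACM DNS validation depends on (NS delegation matches the hosted zone, the validation CNAME resolves to the ACM target, and no CAA record excludes Amazon's CAs) and reports which precondition fails. All domain names, `awsdns` hostnames, CNAME labels and record values are constructed placeholders; the set of Amazon CAA values is the one documented by ACM. The CAA check looks only at the `issue` tag at the queried name (wildcard and parent-name CAA lookups are out of scope).

```python
"""Offline check of the DNS preconditions for ACM DNS validation.

Feed it the text of:
  dig +short NS example.com                 (what the registrar/TLD delegates to)
  the NS set shown for the hosted zone in Route 53 (or dig +short NS example.com @<one of its awsdns servers>)
  dig +short CNAME _<token>.example.com     (the ACM validation record)
  dig +short CAA example.com
"""
from typing import List

# --- Constructed sample dig output (placeholders, not real delegations) ---
OLD_ZONE_NS_AT_REGISTRAR = """ns-100.awsdns-12.com.
ns-2000.awsdns-45.co.uk.
ns-500.awsdns-00.net.
ns-1500.awsdns-01.org.
"""
NEW_HOSTED_ZONE_NS = """ns-300.awsdns-37.com.
ns-1200.awsdns-22.org.
ns-700.awsdns-23.net.
ns-1800.awsdns-33.co.uk.
"""
ACM_CNAME_TARGET = "_8c1d4e.acm-validations.aws"      # constructed ACM target
CNAME_LOOKUP = "_8c1d4e.acm-validations.aws.\n"        # dig answer when record exists
CNAME_LOOKUP_MISSING = ""                              # dig answer when it does not
CAA_OK = '0 issue "amazon.com"\n'
CAA_BLOCKING = '0 issue "letsencrypt.org"\n'
CAA_NONE = ""

# CAA values under which ACM can issue (from the ACM documentation).
AMAZON_CAA_VALUES = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}


def parse_short(output: str) -> List[str]:
    """Normalise `dig +short` lines: drop comments/blank lines, lowercase, strip trailing dot."""
    return [
        line.strip().lower().rstrip(".")
        for line in output.splitlines()
        if line.strip() and not line.lstrip().startswith(";")
    ]


def ns_delegation_matches(registrar_output: str, hosted_zone_output: str) -> bool:
    """Step 6: the NS set the world sees must equal the NS set of the hosted zone holding the records."""
    return set(parse_short(registrar_output)) == set(parse_short(hosted_zone_output))


def validation_cname_ok(cname_output: str, expected_target: str) -> bool:
    """Steps 3/4: the ACM validation CNAME must resolve to exactly the target ACM gave you."""
    return expected_target.lower().rstrip(".") in parse_short(cname_output)


def caa_allows_acm(caa_output: str) -> bool:
    """Step 7: no CAA records at all means any CA may issue; otherwise an `issue` entry must name an Amazon CA."""
    records = parse_short(caa_output)
    if not records:
        return True
    for rec in records:
        parts = rec.split(None, 2)            # flags, tag, value
        if len(parts) != 3:
            continue
        _flags, tag, value = parts
        if tag == "issue" and value.strip('"') in AMAZON_CAA_VALUES:
            return True
    return False


def diagnose(registrar_ns: str, zone_ns: str, cname_lookup: str,
             expected_target: str, caa_output: str) -> List[str]:
    """Return the list of failed preconditions, in check order; empty list means validation can proceed."""
    findings = []
    if not ns_delegation_matches(registrar_ns, zone_ns):
        findings.append("NS_MISMATCH")      # fix: copy the hosted zone's NS into the registered domain
    if not validation_cname_ok(cname_lookup, expected_target):
        findings.append("CNAME_MISSING")    # fix: (re)create the ACM CNAME in the delegated zone
    if not caa_allows_acm(caa_output):
        findings.append("CAA_BLOCKS")       # fix: add `0 issue "amazon.com"` or remove the restrictive CAA
    return findings


if __name__ == "__main__":
    # The asker's situation: new zone has the CNAME, but the registrar still points at the old zone.
    print(diagnose(OLD_ZONE_NS_AT_REGISTRAR, NEW_HOSTED_ZONE_NS, CNAME_LOOKUP, ACM_CNAME_TARGET, CAA_OK))
    # After copying the new zone's NS to the registered domain.
    print(diagnose(NEW_HOSTED_ZONE_NS, NEW_HOSTED_ZONE_NS, CNAME_LOOKUP, ACM_CNAME_TARGET, CAA_NONE))
```

The NS comparison is the check that catches the case in the question: `dig +short CNAME` against one of the new zone's `awsdns` servers would succeed, while the same query through a public resolver would fail, because resolvers follow the delegation the registrar publishes, not the zone you happen to be editing.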
