Requesting ACM :- ACM not generating cert for my loadbalancer dns

0

Hi, can someone from AWS Support help with this? I have created a load balancer using CloudFormation. Now, with another stack, I am creating an ACM certificate using DNS validation and adding the 443 listener rule to the LB.

The CloudFormation stack is failing with the reason: DNS Record Set is not available. Certificate is in FAILED status.

When I tried manually, ACM creation failed with the reason: Additional verification required to request certificates for one or more domain names in this request. (I only found this out when trying manually.)

Can someone please help? The email ID with which my re:Post account is registered is the same as for the AWS account.

asked 5 months ago, 318 views
1 Answer
0

When you encounter the issue of a CloudFormation stack failing due to a "DNS Record Set is not available" and the ACM certificate is in "FAILED" status, there are several potential factors to consider:

  1. DNS Validation Records: Ensure that the DNS validation records created by the ACM (Amazon Certificate Manager) are correctly set in the domain's hosted zone in Route 53 or whichever DNS service you are using. CloudFormation will not be able to automatically validate the certificate if these records are not correctly set up.

  2. Domain Ownership: The error message "Additional verification required to request certificates for one or more domain names in this request" suggests that there might be an issue with the domain ownership verification process. Amazon may require additional steps to verify that you own or control the domain names for which you're requesting certificates, especially if they are sensitive or high-profile domain names.

  3. Manual Intervention Required: Sometimes, manual intervention is required for the ACM certificate to be issued. This can be due to various reasons, including security policies or the need for additional verification by AWS. In such cases, you may need to contact AWS Support for further assistance.

  4. CloudFormation Dependencies: Your CloudFormation template should ensure that resources are created in the correct order with the proper dependencies. For example, the ACM certificate needs to be validated before it can be associated with a listener in the load balancer.

  5. Stack Rollback: Check if the CloudFormation stack is rolling back due to the error, which could result in the deletion of resources that were created, including the DNS validation record. You may want to set the stack to retain resources even if the stack creation fails, for troubleshooting purposes.

  6. Error Messages and Logs: Review the error messages and logs in the AWS CloudFormation console. They can provide detailed information about why the stack creation failed.

  7. Permissions and Policies: Make sure that the IAM (Identity and Access Management) role used by CloudFormation has the necessary permissions to create ACM certificates and DNS records.

  8. Resource Limits: Check if you've hit any resource limits within your AWS account, such as the maximum number of ACM certificates you can request.

To resolve the issue, you may need to:

  • Add the correct DNS validation records manually and ensure they have propagated across the DNS servers.
  • Check for any emails from AWS to the registered domain owner's email address, as they may contain instructions for additional verification steps.
  • Adjust your CloudFormation template to ensure resources are created in the correct sequence and have the appropriate dependencies.
  • Open a support case with AWS Support if you suspect that manual intervention is required for your ACM certificate request.

Remember to always check the "Events" tab in the CloudFormation console for detailed error messages that can guide you to the specific problem with your stack.

AWS
Drew D
answered 5 months ago
  • Hi Drew, thank you for the response on this.

    The domain that is associated with the LB is not owned by me; .amazonaws.com is owned by AWS itself,

    and as per https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-failed.html: You cannot request a certificate for Amazon-owned domain names such as those ending in amazonaws.com, cloudfront.net, or elasticbeanstalk.com.

    So I need support from AWS to help me with this.

    The doc suggests that if we don't have a support plan I can post it in the community forum.
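The pattern that works for this situation, as an added example that is not part of the thread above: ACM will not issue a certificate for the load balancer's own *.elb.amazonaws.com name, so the certificate is requested for a domain you control, an alias record points that domain at the load balancer, and the HTTPS listener references the certificate so CloudFormation orders the resources correctly. The domain app.example.com, the parameter names and the idea of passing the load balancer's ARN, DNS name, canonical hosted zone ID and target group ARN in from the first stack are assumptions for illustration; the resource types and properties are the documented CloudFormation ones.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the re:Post thread): ACM certificate for a domain
  you own, validated via Route 53 DNS, attached to an HTTPS listener on an
  existing application load balancer created by another stack.

Parameters:
  DomainName:
    Type: String
    Default: app.example.com            # assumption: a domain you control
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id  # the public hosted zone that is authoritative for DomainName
  LoadBalancerArn:
    Type: String                        # assumption: exported by the LB stack
  LoadBalancerDNSName:
    Type: String                        # assumption: !GetAtt LB.DNSName from the LB stack
  LoadBalancerCanonicalHostedZoneId:
    Type: String                        # assumption: !GetAtt LB.CanonicalHostedZoneID from the LB stack
  TargetGroupArn:
    Type: String                        # assumption: exported by the LB stack

Resources:
  # The certificate is for your own domain, never for *.elb.amazonaws.com.
  # With HostedZoneId set under DomainValidationOptions, CloudFormation writes
  # the validation CNAME into Route 53 itself and holds the stack until ACM
  # reports ISSUED, so the listener below is never created against a
  # PENDING_VALIDATION or FAILED certificate.
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

  # Alias record so clients reach the load balancer through the certified name.
  AliasRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !Ref LoadBalancerDNSName
        HostedZoneId: !Ref LoadBalancerCanonicalHostedZoneId

  # !Ref Certificate returns the certificate ARN and creates the dependency,
  # so no explicit DependsOn is needed for ordering.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref Certificate
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroupArn

Outputs:
  CertificateArn:
    Value: !Ref Certificate
  ApplicationUrl:
    Value: !Sub "https://${DomainName}/"
```

Two checks before deploying: the hosted zone you pass must be the one the public DNS actually delegates to for the domain, otherwise ACM never sees the validation CNAME and the stack sits in CREATE_IN_PROGRESS until it times out and rolls back (taking the validation record with it, as the answer notes); and if the zone carries a CAA record, it must permit amazon.com, amazontrust.com, awstrust.com or amazonaws.com, or issuance fails with the same "additional verification" wording. Clients must then connect to app.example.com rather than the raw load balancer DNS name, since the certificate only covers the domain you own.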
