The problem was I was only adding the CNAME value when trying to add it through Route 53, and instead needed to also add the CNAME name field as well. Once I included both, it let me add the CNAME.
Follow the following guide on how to Resolve DNS Issues with ACM Certificates and Route 53. It seems your domain name for your certificate is not yet verified; hence, as you pointed out, you need to create the record so it can be verified (see step 1). In step 2 you need to create an alias, not a CNAME, because a CNAME cannot be the root domain (example.com).
- Add ACM CNAME Records for Validation:
  - Go to the AWS Certificate Manager (ACM) in the AWS Management Console.
  - Find your certificate request and note the CNAME records listed for domain validation.
  - In Route 53:
    - Go to the "Hosted zones" section.
    - Select your domain's hosted zone.
    - Click on "Create record."
    - Choose "CNAME" as the record type.
    - Enter the Name and Value from ACM exactly as provided.
    - Save the record.
- Configure Alias Record for Root Domain:
  - For the root domain (example.com), you need to use an Alias record instead of a CNAME.
  - In Route 53:
    - Go to the "Hosted zones" section.
    - Select your domain's hosted zone.
    - Click on "Create record."
    - Leave the "Record name" field empty (for the root domain).
    - Choose "Alias" as the record type.
    - In the "Alias target" field, select your CloudFront distribution or S3 bucket from the list.
    - Save the record.
- Verify DNS Configuration:
  - Make sure there are no conflicting records.
  - Wait for DNS changes to propagate, which can take a few minutes to several hours.
If issues persist, double-check the ACM validation CNAME records and ensure there are no typos or configuration errors.
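The two records described in the steps above (the ACM validation CNAME and the apex alias) can also be created from the CLI instead of the console. The script below is an added example, not code from the answer or from AWS; it builds the JSON change batch that `aws route53 change-resource-record-sets --change-batch file://...` accepts and runs a local pre-check that refuses the exact mistake from the quoted error (a CNAME at the zone apex). The record names, validation value and CloudFront domain are constructed placeholders; the hosted zone ID `Z2FDTNDATAQYW2` is the fixed ID Route 53 uses for every CloudFront alias target.

```python
"""Build a Route 53 ChangeBatch for ACM DNS validation plus an apex alias."""
import json

# Route 53 uses this single hosted zone ID for alias records that point at any
# CloudFront distribution (it is not the ID of your own hosted zone).
CLOUDFRONT_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"


def _fqdn(name: str) -> str:
    """Route 53 stores names as fully qualified; add the trailing dot if missing."""
    return name if name.endswith(".") else name + "."


def acm_validation_cname(record_name: str, record_value: str) -> dict:
    """Step 1: the CNAME that ACM lists under the certificate for domain validation.
    Both Name and Value must be copied exactly as ACM shows them."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": _fqdn(record_name),
            "Type": "CNAME",
            "TTL": 300,
            "ResourceRecords": [{"Value": _fqdn(record_value)}],
        },
    }


def apex_alias_to_cloudfront(zone_name: str, distribution_domain: str) -> dict:
    """Step 2: the root-domain record. An alias is an A (or AAAA) record with an
    AliasTarget block, which is what the console's "Alias" toggle produces."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": _fqdn(zone_name),
            "Type": "A",
            "AliasTarget": {
                "HostedZoneId": CLOUDFRONT_HOSTED_ZONE_ID,
                "DNSName": _fqdn(distribution_domain),
                "EvaluateTargetHealth": False,
            },
        },
    }


def check_changes(zone_name: str, changes: list) -> list:
    """Local pre-check mirroring the server-side rule behind the error
    'RRSet of type CNAME ... is not permitted at apex'. It does not replace the
    API's own validation; it just fails fast before any call is made."""
    apex = _fqdn(zone_name).lower()
    for change in changes:
        rrset = change["ResourceRecordSet"]
        name = rrset["Name"].lower()
        if rrset["Type"] == "CNAME" and name == apex:
            raise ValueError(
                f"RRSet of type CNAME with DNS name {rrset['Name']} "
                f"is not permitted at apex in zone {apex}"
            )
        if not name.endswith(apex):
            raise ValueError(f"{rrset['Name']} is outside zone {apex}")
    return changes


def build_change_batch(zone_name: str, validation_name: str,
                       validation_value: str, distribution_domain: str) -> dict:
    """Assemble and pre-check the batch for both records."""
    changes = [
        acm_validation_cname(validation_name, validation_value),
        apex_alias_to_cloudfront(zone_name, distribution_domain),
    ]
    check_changes(zone_name, changes)
    return {"Comment": "ACM validation CNAME + apex alias to CloudFront",
            "Changes": changes}


if __name__ == "__main__":
    # Constructed placeholder values; take the real ones from the ACM console.
    batch = build_change_batch(
        zone_name="example.com",
        validation_name="_1234abcd.example.com",
        validation_value="_5678efgh.acm-validations.aws.",
        distribution_domain="d111111abcdef8.cloudfront.net",
    )
    # Write this JSON to batch.json, then run:
    # aws route53 change-resource-record-sets --hosted-zone-id <YOUR_ZONE_ID> \
    #     --change-batch file://batch.json
    print(json.dumps(batch, indent=2))
```

If you want to see the apex rule trip locally, pass the zone name itself as `record_name` to `acm_validation_cname` and run `check_changes`; it raises the same message Route 53 returns instead of letting the request go out.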
RRSet of type CNAME with DNS name example.com. is not permitted at apex in zone example.com
This could be as simple as you needing to choose a record type of Alias rather than CNAME, since (as the error message suggests) you can't have a CNAME as the zone apex record (e.g. you can have a CNAME for www.example.com but not for plain example.com). https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
Unlike a CNAME record, you can create an alias record at the top node of a DNS namespace, also known as the zone apex.
If this isn't the problem, can you expand on what you mean by
it hasn't created a CNAME to connect to the certificate
Which step is this in the guide you are following?
Firstly, have you successfully created a certificate in Amazon Certificate Manager, in region us-east-1 (must be this region to work with CloudFront)?
Secondly, have you validated this certificate using DNS? ACM & Route 53 should do almost all of the work for you, creating a TXT record (not a CNAME) whose name starts with an underscore followed by a string of random characters.
And thirdly, is this validated certificate associated with your CloudFront distribution?