
Why am I not able to add a custom SSL for my Domain? I tried with 2 separate services. Details in description.


I am facing this problem in relation to two services.

  1. When I was trying to add an Amplify-managed SSL certificate for my custom domain in AWS Amplify, the SSL verification goes on & on and then eventually times out, saying that it could not verify the domain even when the said domain is in AWS Route 53.
  2. When I was trying to do the same thing as above, but through a Lambda application via an AWS SAM template/CloudFormation, Certificate Manager is taking a lot of time.
2 Answers
Accepted Answer

Hello.

Has a CNAME record for verifying the SSL certificate been created in the hosted zone?
If so, can you resolve the name using the "dig" command or similar?
https://docs.aws.amazon.com/amplify/latest/userguide/using-certificates.html

By the way, can you use the hosted zone hosted on Route53 normally?
Please check that NS records etc. can be resolved normally.

EXPERT
answered 7 months ago
AWS
EXPERT
reviewed 7 months ago
  • Has a CNAME record for verifying the SSL certificate been created in the hosted zone? Yes, it got created automatically.
    Can you resolve the name using the "dig" command or similar? 2 A records are coming, no CNAME records are coming.
    Can you use the hosted zone hosted on Route53 normally? My domain is hosted on Route 53.

  • Finally checked the NS records!! According to the docs, the NS records of the domain must be modified to match the ones from the hosted zone. This fixed it.


There are several reasons why you might be experiencing difficulties adding a custom SSL certificate for your domain, both through AWS Amplify and AWS Certificate Manager (ACM) via Lambda/SAM:

  1. DNS Propagation Delay: DNS changes can take up to 24-48 hours to propagate globally. This means it might take some time for the internet to recognize your new DNS records pointing to the ACM certificate.

  2. Incorrect DNS Configuration: Double-check that your DNS records (CNAME and A records) are correctly set up in Route 53. Ensure that the NS (Name Server) records in your domain registrar match the ones in the Route 53 hosted zone. Any mismatch can cause SSL configuration to fail.

  3. Region Mismatch: Make sure the ACM certificate you're creating is in the correct AWS region. For services like CloudFront, certificates must be in the us-east-1 (N. Virginia) region.

  4. Permissions Issues: Verify that you have the necessary IAM permissions to create records in your Route 53 hosted zone and to manage ACM certificates.

  5. Conflicting Records: Look for any conflicting DNS records (e.g., duplicate CNAMEs or A records) that might interfere with the SSL configuration.

  6. CAA Records: Ensure there are no Certification Authority Authorization (CAA) records blocking certificate issuance for your domain.

To resolve these issues:

  1. Wait for DNS propagation to complete before retrying.
  2. Manually validate the domain by adding the required CNAME record to your DNS settings in Route 53.
  3. If using Amplify, try removing and re-adding the domain after ensuring DNS propagation is complete.
  4. For ACM via Lambda/SAM, make sure your Lambda function has the necessary permissions and is configured correctly.
  5. Use tools like dig or nslookup to verify your DNS configuration.

If problems persist after trying these steps, you may need to contact AWS Support for further assistance.

Sources
Amplify fails on SSL Configuration | AWS re:Post
Unable to request a Certificate in AWS | AWS re:Post

answered 7 months ago
  • My domain is hosted in AWS Route 53 directly. I will wait for 24 hrs then.
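Added here as an editor's example, not code from either answer or from AWS: an offline checker for the three failure modes both answers discuss, namely the validation CNAME not resolving publicly, the registrar's NS delegation not matching the Route 53 hosted zone (the cause found in the accepted answer's comments), and CAA records that exclude ACM's CAs. Every domain name, record value and answer dictionary is a constructed placeholder in the shape `dig +short NAME TYPE` prints; a live version would fill the dictionaries from a resolver instead.

```python
"""Offline checker for the ACM DNS-validation failure modes discussed above.

Assumption: the dictionaries below are constructed sample data shaped like the
output of `dig +short NAME TYPE`; a live version would fill them from a resolver.
"""
from typing import Dict, List, Optional, Set, Tuple

Answers = Dict[Tuple[str, str], List[str]]

# Constructed placeholders for the validation record ACM asks you to publish.
VALIDATION_NAME = "_abc123.www.example.com."
VALIDATION_VALUE = "_def456.acm-validations.aws."

# Constructed: the four name servers Route 53 lists inside the hosted zone.
HOSTED_ZONE_NS: Set[str] = {
    "ns-1.awsdns-00.org.", "ns-2.awsdns-11.net.",
    "ns-3.awsdns-22.co.uk.", "ns-4.awsdns-33.com.",
}

# CAs that ACM's documentation says a CAA record must permit.
ACM_CAS: Set[str] = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed "broken" answers: the registrar still delegates example.com to the
# name servers of an older, deleted hosted zone, so the new CNAME never resolves
# publicly, and a CAA record only permits another CA.
BROKEN: Answers = {
    (VALIDATION_NAME, "CNAME"): [],
    ("example.com.", "NS"): ["ns-9.awsdns-99.com.", "ns-8.awsdns-88.net."],
    ("example.com.", "CAA"): ['0 issue "letsencrypt.org"'],
}

# Constructed "fixed" answers after the registrar's NS records were updated.
FIXED: Answers = {
    (VALIDATION_NAME, "CNAME"): [VALIDATION_VALUE],
    ("example.com.", "NS"): sorted(HOSTED_ZONE_NS),
    ("example.com.", "CAA"): [],
}


def normalize(name: str) -> str:
    """Compare DNS names case-insensitively and always fully qualified."""
    return name.strip().lower().rstrip(".") + "."


def check_validation_cname(answers: Answers, name: str, expected: str) -> Optional[str]:
    got = [normalize(v) for v in answers.get((name, "CNAME"), [])]
    if not got:
        return f"{name} has no CNAME visible on the public internet"
    if normalize(expected) not in got:
        return f"{name} points at {got}, ACM expects {expected}"
    return None


def check_ns_delegation(answers: Answers, zone: str, hosted_zone_ns: Set[str]) -> Optional[str]:
    delegated = {normalize(n) for n in answers.get((zone, "NS"), [])}
    expected = {normalize(n) for n in hosted_zone_ns}
    if delegated != expected:
        return (f"registrar delegates {zone} to {sorted(delegated)} "
                f"but the hosted zone uses {sorted(expected)}")
    return None


def parse_caa(rr: str) -> Tuple[str, str]:
    """'0 issue "ca.example"' -> ('issue', 'ca.example'); simplified RFC 8659 form."""
    _flags, tag, value = rr.split(" ", 2)
    return tag.lower(), value.strip().strip('"').lower()


def check_caa(answers: Answers, zone: str, allowed: Set[str]) -> Optional[str]:
    # Simplification: only the zone apex is inspected; a full check walks from the
    # certificate's FQDN up to the apex and stops at the first CAA set found.
    records = [parse_caa(r) for r in answers.get((zone, "CAA"), [])]
    issuers = {v for tag, v in records if tag in ("issue", "issuewild")}
    if records and not (issuers & allowed):
        return f"CAA on {zone} permits only {sorted(issuers)}; ACM's CAs are excluded"
    return None


def run_checks(answers: Answers, zone: str = "example.com.") -> List[str]:
    """Return every finding that would stop ACM from validating the domain."""
    results = [
        check_validation_cname(answers, VALIDATION_NAME, VALIDATION_VALUE),
        check_ns_delegation(answers, zone, HOSTED_ZONE_NS),
        check_caa(answers, zone, ACM_CAS),
    ]
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for label, data in (("broken", BROKEN), ("fixed", FIXED)):
        findings = run_checks(data)
        print(f"{label}: {findings or 'no blocking findings'}")
```

The NS check is the one that resolved this thread: `dig NS example.com` against a public resolver shows what the registrar delegates, and that set must equal the NS set shown inside the Route 53 hosted zone; the CNAME is only ever visible to ACM once that delegation is right, which is why the records "got created automatically" yet never resolved.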
