1 Answer
- Newest
- Most votes
- Most comments
0
I solved it. For the benefit of any future thread viewers, it was because one of the hostnames was a CNAME that forwarded to a third party. That third party had a CAA record which prevented ACM from issuing a certificate for the name.
The fix was to remove or change the CNAME record before requesting a new certificate. This caused it to temporarily stop working, but allowed us to get the certificate and solve the problem. We were trying to make the change with zero downtime, which is why we didn't change the CNAME beforehand. But that wasn't realistic unfortunately.
answered 5 years ago
Relevant content
- Accepted Answerasked 3 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 months ago
This is something I came up with as well after a few days of getting crazy. I'd really appreciate some other way that does not require downtime (changing the current CNAME). I'd expect something like an extra CNAME or TXT record to make this valid. I.e.:
TXT my.domain.example.com allowCAA
. So the original service is still pointing to the existing external service and new service can generate certificates first, before it's swapped.