By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Domain validation for Route 53 domain in AWS Certificate Manager timing out.

0

Hi,

I recently followed this tutorial to set up a domain with https for example-app.com (name changed of course). It all went smoothly, but the only problem was I requested a certificate only for *.example-app.com, so did not realise that this wouldn't cover example-app.com itself. To try to fix this I deleted the certificate and the hosted zone, basically tried to start from scratch except for the domain itself since I had already payed for it. I then tried to repeat the process but request the certificate for example-app.com instead of *.example-app.com (I don't plan to use any subdomains). But now even after I do the "Create Records in S3" option, the certificate manager is stuck in "pending-validation" until it eventually times out and fails. I believe the problem has arisen from when I tried to delete the certificate and start over, but not sure how to fix this.

Any help with this would be appreciated!

Topics
Networking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon Route 53AWS Certificate ManagerDomain Name System (DNS)
Language
English
rePost-User-5684129
asked a year ago308 views
2 Answers
0
Accepted Answer

When you click “Create records in route 53” you will be presented with and you can view them In certificate manager. The cnames you need to manually create in your dns zone in route 53

Create the cname records and ACM will issue the certificates in due course

https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html

profile picture
EXPERT
Gary Mclean
answered a year ago
profile picture
EXPERT
Giovanni Lauria
reviewed a month ago
  • rePost-User-5684129
    a year ago

    When I did this, it creates the records automatically for me in route 53 and I can see that the cname records in route 53 match the ones I can see in ACM. I also tried deleting the old cname record in route 53 and then creating it manually with the values from ACM. Either way, it still doesn't work for me anymore, just getting stuck in pending validation.

  • Gary Mclean EXPERT
    10 months ago
    1. Is your Route 53 Zone PUBLIC?
    2. If you recreated your domain, did you update the GLUE records? As the name servers will be different from last time
  • rePost-User-5684129
    10 months ago

    The Zone is public. It turns out that the name servers were different, so I've updated them. It says it could take up to 24 hours to propagate changes, so will update on if this fixed it later. Thank you for all the help so far though!

  • rePost-User-5684129
    10 months ago

    Updating the name servers is what I needed, thanks for the help! Followed directions on this page https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-name-servers-glue-records.html

  • Gary Mclean EXPERT
    10 months ago

    Thanks for the update. Happy you have resolved your issue.

0

Wait for sometime and try to follow the steps again from the document that you are using. Based on the error it looks like AWS backend api which creates the Route53 records is able to find the new route53 domain you have created. DNS propagation is a complicated thing and could create unknown issues sometime.

As Gary suggested you can try to do it manually by going to Route53 console and creating cname records. But after that use some external tool or command line to make sure that records have been updated as expected.

ex:

from ACM console copy "CNAME name" CNAME name

and run below command. It should give the same response as CNAME value:

$ dig CNAME _acbde15893052715386f6f4823232083f.example-app.com.

Nitin Bhadauria
answered a year ago
  • rePost-User-5684129
    a year ago

    Ah, thank you for pointing me towards the dig command. I get a SERVFAIL when I try it, so there must be something fishy going on with the DNS propagation.

    ;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32469
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    Any ideas on where to start for troubleshooting this?

  • Gary Mclean EXPERT
    10 months ago
    1. Is your Route 53 Zone PUBLIC?
    2. If you recreated your domain, did you update the GLUE records? As the name servers will be different from last time

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content