By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

SSL certificate verification fails when setting up AWS Route53 as a secondary DNS provider (Cloudflare DNS is the main DNS provider) for a subdomain

0

Hi!

We're using Cloudflare DNS for our domain (example.com). We want to set up AWS Route 53 as a secondary DNS provider for a subdomain (images.example.com), and we also want to create an ACM certificate for that domain.

I did the following:

  1. Created a Route 53 hosted zone for the subdomain.
  2. Created NS records in Cloudflare with the name images and the values of the hosted zone's name servers.
  3. Requested a certificate in ACM for the subdomain.
  4. Created the required CNAME record for the certificate in the hosted zone.

This works well with many domains (their primary DNS provider is also Cloudflare DNS), except for one specific (example.com). I think something in the example.com's Cloudflare setting blocks the validation. But I have no idea what it is.

When I enter the certificate's validation CNAME record into https://dnschecker.org, it returns the correct value.

Can anyone help?

Topics
ComputeNetworking & Content DeliverySecurity, Identity, & Compliance
Tags
Website ProvisioningNetworking & Content DeliveryAmazon Route 53AWS Certificate Manager
Language
English
Alex
asked 5 months ago211 views
1 Answer
1

If the certificate validation is failing for a specific domain when using AWS Route 53 as a secondary DNS provider, it's essential to troubleshoot the issue. Here are some steps you can take to identify and resolve the problem:

  • Check DNS Propagation:

DNS changes may take some time to propagate across the internet. Ensure that the NS records pointing to the Route 53 hosted zone are propagated. You can use tools like dig or online DNS checkers to verify this.

  • Verify NS Records:

Double-check the NS records you added in Cloudflare for the subdomain (images.example.com). Ensure that they match the name servers assigned by AWS Route 53 for the corresponding hosted zone.

  • Check CNAME Record:

Ensure that the CNAME record required for ACM certificate validation is correctly added to the AWS Route 53 hosted zone. It should have the correct name and point to the provided validation domain.

  • Cloudflare Firewall or Security Settings:

Check the Cloudflare settings for the specific domain (example.com). Cloudflare's security features, such as Firewall rules, may sometimes interfere with DNS resolution or certificate validation. Temporarily disable security features for testing purposes.

  • SSL/TLS Settings in Cloudflare:

Review the SSL/TLS settings in Cloudflare. Ensure that SSL is set to "Full" or "Flexible," depending on your requirements. "Full (Strict)" might cause issues if the certificate on the AWS side is not yet verified.

  • SSL Certificate in Cloudflare:

Ensure that Cloudflare is not actively managing SSL certificates for the subdomain (images.example.com). Cloudflare's SSL settings should be set to "Full" or "Flexible," and the SSL certificate for the subdomain should be managed by ACM on the AWS side.

  • Cloudflare Page Rules:

Check for any specific page rules in Cloudflare that might affect the subdomain. Page rules can redirect or modify traffic, potentially causing issues with ACM validation.

  • Certificate Validation Logs:

Check the ACM certificate validation logs in the AWS Management Console. It may provide more detailed error messages or insights into why the validation is failing.

    • SSL/TLS Policies in Cloudflare:

If Cloudflare is configured with strict SSL/TLS policies, it might reject the ACM validation request. Review and adjust Cloudflare's SSL/TLS settings if necessary.

profile pictureAWS
Renato
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content