
DNS validation remains pending in ap-southeast-1, but succeeds in us-east-1


Hi,

DNS validation fails in ap-southeast-1, but succeeds for the same domain in us-east-1.

We try to use Amazon Certificate Manager (ACM) to generate a certificate for two domains (both in one certificate). Let's say:

example.com
*.example.com
foobar.com
*.foobar.com

We use the DNS validation method for this process and created the needed validation records in both name servers.

We want to deploy the certificate to CloudFront and to a load balancer in ap-southeast-2, so we requested the certificate at ACM in the us-east-1 region and also in the ap-southeast-2 region. It worked perfectly fine in the us-east-1 region (which proves that the DNS entries exist and are valid). However, the same certificate request (same domains) does not go through in ap-southeast-2. The validation status remains "pending" for one of the two domains.

Given that a certificate was issued at ACM in the us-east-1 region, this cannot be a problem with the DNS validation record. We also followed the checks documented here:
https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/

...and I can confirm that the record has propagated:

dig TXT +short +noshort ...

We also deleted the pending cert request and created another one (using the option to automatically write the CNAME record to our hosted zone) but to no avail. The pending status of the certificate has not changed after more than 24 hours.

We would appreciate any feedback, and I am happy to provide domain names, ARNs, etc. in a non-public communication.

1 Answer

The certificate request expired after 72 hours. However, I was able to resolve the issue as follows:

  1. Delete the expired certificate (that was never validated)
  2. Delete the validation CNAME records from the DNS (Route 53)
  3. Generate a new certificate request at ACM (same two domains)
  4. Let ACM (re-)create the validation records

A new certificate with both domains has been generated and validated and is now available. Needless to say, the records in Route 53 are exactly the same as they were before (I double- and triple-checked).

answered 3 years ago
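The answer above hinges on telling two situations apart: the validation CNAME is wrong or missing in DNS (fix the hosted zone), or the CNAME is exactly what ACM asked for and ACM is still pending anyway (delete and re-request, as the answerer did). The following is an added example, not code from the question, the answer or AWS; it takes the dict shape that boto3's `acm.describe_certificate(CertificateArn=...)["Certificate"]` returns and compares each `ResourceRecord` ACM issued against what a resolver serves. The certificate dict and the DNS lookup table below are constructed placeholders (the `_abc123`-style record names are made up), and `dict_resolver` stands in for a real lookup such as `dig CNAME <name> +short`. It normalizes case and the trailing dot, which `dig` output and ACM values do not always agree on, and deduplicates the shared record ACM issues for an apex name and its wildcard.

```python
"""Check ACM DNS-validation CNAMEs against what DNS actually serves.

Added example. Operates on the shape of boto3's
acm.describe_certificate(...)["Certificate"]; the data below is constructed.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed stand-in for describe_certificate()["Certificate"]. ACM issues one
# shared validation record for an apex name and its wildcard, as modelled here.
SAMPLE_CERT = {
    "DomainName": "example.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "SUCCESS",
         "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                            "Value": "_def456.acm-validations.aws."}},
        {"DomainName": "*.example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "SUCCESS",
         "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                            "Value": "_def456.acm-validations.aws."}},
        {"DomainName": "foobar.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_ghi789.foobar.com.", "Type": "CNAME",
                            "Value": "_jkl012.acm-validations.aws."}},
        {"DomainName": "*.foobar.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_ghi789.foobar.com.", "Type": "CNAME",
                            "Value": "_jkl012.acm-validations.aws."}},
    ],
}

# Constructed stand-in for resolver answers (what `dig CNAME <name> +short`
# would print). Mixed case and a missing trailing dot are deliberate: a naive
# string compare would wrongly report these as mismatches.
SAMPLE_DNS = {
    "_abc123.example.com.": "_DEF456.acm-validations.aws",
    "_ghi789.foobar.com.": "_jkl012.acm-validations.aws.",
}


def normalize(name: str) -> str:
    """Canonical DNS form: lower-case with a single trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def dict_resolver(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Build a resolve(name) function over a constructed lookup table."""
    canon = {normalize(k): v for k, v in table.items()}
    return lambda name: canon.get(normalize(name))


def distinct_validation_records(cert: dict) -> Set[Tuple[str, str]]:
    """The deduplicated set of (name, value) CNAMEs ACM wants to see."""
    return {
        (normalize(o["ResourceRecord"]["Name"]), normalize(o["ResourceRecord"]["Value"]))
        for o in cert["DomainValidationOptions"]
        if o.get("ResourceRecord")
    }


def check_validation_records(cert: dict,
                             resolve: Callable[[str], Optional[str]]) -> List[dict]:
    """Classify every domain on the certificate.

    "record correct, ACM still pending" is the case from the question: DNS is
    fine, so the remedy is on the ACM side (re-request), not in the hosted zone.
    """
    findings = []
    for opt in cert["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        domain, status = opt["DomainName"], opt.get("ValidationStatus")
        if opt.get("ValidationMethod") != "DNS" or not rr:
            finding = "no DNS validation record issued by ACM"
        else:
            observed = resolve(rr["Name"])
            if observed is None:
                finding = "CNAME missing from DNS"
            elif normalize(observed) != normalize(rr["Value"]):
                finding = "CNAME present but value differs from ACM's"
            elif status == "SUCCESS":
                finding = "validated"
            else:
                finding = "record correct, ACM still pending"
        findings.append({"domain": domain, "status": status, "finding": finding})
    return findings


if __name__ == "__main__":
    for f in check_validation_records(SAMPLE_CERT, dict_resolver(SAMPLE_DNS)):
        print(f"{f['domain']:<16} {f['status']:<20} {f['finding']}")
```

To run this against a real certificate, replace `SAMPLE_CERT` with the `Certificate` dict from `describe_certificate` for the ARN in the pending region and swap `dict_resolver` for a function that queries DNS; because ACM deduplicates the apex and wildcard record, `distinct_validation_records` tells you how many CNAMEs actually need to exist, which for the two-domain certificate in the question is two, not four.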
