Describe the bug
Creating certificates via certificate manager and Route 53 DNS validation fails with a timeout.
Error message:
Failed to create resource. Resource is not in the state certificateValidated
Expected behavior
The lambda waiting for the approval should probably wait more than the hardcoded 5 minutes right now.
Version:
Could you give some more steps to how you got to the error message?
Sure, I've used this code fragment:
new certificatemanager.DnsValidatedCertificate(this, 'id', {
domainName: 'some-name',
hostedZone: zone
})
And during cdk deploy the above error was thrown after some time. When I looked into the certificate manager console then, I saw that the requested certificate was indeed still in pending validation.
Therefore I think it's a timing issue, and in the lambda code of the DNS validation there is a wait statement for 5 minutes. If I'm right this may be a bit too short.
The runtime for the whole execution may not exceed 15 minutes. The function is currently waiting for up to 5 minutes for the DNS record to commit, then waits up to 5 minutes for the ACM validation to happen.... That does not leave much margin.
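As an added illustration (not the aws-cdk custom-resource handler's code, nor any commenter's), this waiter budgets the time the Lambda actually has left instead of a fixed 5-minute wait and fails with an actionable message when ACM is still pending; the FakeClock and the scripted status sequence are constructed so it runs offline.

```python
"""Deadline-aware waiter for the ACM DNS-validation step (constructed illustration,
not the aws-cdk handler's code): budget the Lambda's remaining time instead of a
fixed 5-minute wait, and fail with an actionable message if ACM is still pending."""
import time
from typing import Callable, Sequence, Tuple

LAMBDA_MAX_SECONDS = 15 * 60   # Lambda runtime ceiling discussed in the thread
SAFETY_MARGIN_SECONDS = 60     # reserve time to report a clean failure
TERMINAL = ("ISSUED", "FAILED", "VALIDATION_TIMED_OUT")  # ACM terminal states

class ValidationPending(Exception):
    """Budget exhausted while the certificate is still pending validation."""

def wait_for_status(poll: Callable[[], str], remaining_seconds: float,
                    interval: float, clock=time.monotonic, sleep=time.sleep) -> str:
    """Poll until a terminal ACM state or until the budget (minus margin) is used up."""
    remaining_seconds = min(remaining_seconds, LAMBDA_MAX_SECONDS)
    deadline = clock() + remaining_seconds - SAFETY_MARGIN_SECONDS
    while True:
        status = poll()
        if status in TERMINAL:
            return status
        if clock() >= deadline:
            raise ValidationPending(
                f"certificate still {status} after {remaining_seconds:.0f}s; ACM can "
                "take 30 minutes or longer (up to 72h). Check the hosted zone's NS "
                "delegation, then re-run the deployment once the certificate is issued.")
        sleep(interval)

class FakeClock:
    """Deterministic clock so the waiter can be exercised offline."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def sleep(self, seconds: float) -> None:
        self.now += seconds

def simulate(statuses: Sequence[str], remaining_seconds: float,
             interval: float = 10.0) -> Tuple[str, float]:
    """Drive the waiter over a scripted status sequence (constructed data); returns
    (outcome, simulated seconds elapsed), with 'TIMEOUT' when the budget ran out."""
    clock, it, last = FakeClock(), iter(statuses), [statuses[-1]]
    def poll() -> str:
        last[0] = next(it, last[0])  # keep reporting the final status once exhausted
        return last[0]
    try:
        return wait_for_status(poll, remaining_seconds, interval, clock, clock.sleep), clock.now
    except ValidationPending:
        return "TIMEOUT", clock.now
```

In a real handler, `poll` would wrap ACM DescribeCertificate and `remaining_seconds` would come from the Lambda context's remaining time.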
@RomainMuller Thanks, that will probably help in a lot of situations. Unfortunately the certificate manager claims to approve pending certificate requests in at least 30 minutes. So there is still a lot of room to fail. But I think this will help a lot.
Lately, certificate validation often takes more than 10 minutes.
In the worst case it took about 42 minutes, as far as I tested.
It would be better if the waiter params could be specified in DnsValidatedCertificateProps.

Still a problem;
Requested at 2020-01-16T10:33:04UTC
Issued at 2020-01-16T10:46:21UTC
Can the delay duration be a variable so we can specify a value?
@RomainMuller Can we increase the validation timeout value? When I try to write the DNS record manually in the AWS Console, I get the following message.
The DNS record was written to your Route 53 hosted zone. It can take 30 minutes or longer for the changes to propagate and for AWS to validate the domain and issue the certificate.

ACM uses 72 hours as their validation timeout.
If ACM is not able to validate the domain name within 72 hours from the time it generates a CNAME value for you, ACM changes the certificate status to Validation timed out.
@RomainMuller I'm currently running into this issue / this should remain open.
Why is this closed? What's the consensus for solving this?
I don't understand how increasing the wait time to 9 mins was a valid solution? That does not solve the problem at all.
This is still a problem. A better error message would help, like "certificate request pending, please re-run once complete".
Any workaround for this? I was able to successfully deploy my CDK to a few customers before hitting this error today.
I have this error too. Still not fixed in CDK 1.55.0
hey guys
i found an anomaly:
new DnsValidatedCertificate(this, 'id', {
domainName: 'domainname',
hostedZone: zoneObject,
region: 'us-east-1',
validation: CertificateValidation.fromDns(zoneObject)
});
With this code, the CNAME record gets generated and added to the provided hosted zone. This works.
But I compared the values from the automatically added CNAME record with the one that is available for download from the GUI in ACM.
The NAME of the CNAME record is different: the name of the generated CNAME record is missing a point (.) at the end of the name, while the NAME of the CNAME record in the download has the point (.) in its name.
Just an observation. I actually can't test it myself because the new GUI doesn't let me add a fully customizable name, and the button in the ACM GUI which adds it automatically also trims the point (.) away.
EDIT:
When I switched to the old console, the dot is appearing in the CNAME, so my assumption is incorrect.
Looks like this is getting plenty of attention. I am reopening it
@opentrail - is it the same issue? can you help me with a minimal repro here? - I'd like to make sure that it's the same issue since we're reopening
new certificatemanager.DnsValidatedCertificate(this, 'id', {
domainName: 'some-name',
hostedZone: zone
})
I gave this snippet a shot in a couple of regions (us-east-1, us-west-2, eu-west-1, ca-central-1) and have not been able to reproduce the error conditions.
can you point me towards the snippet you're using and any region details?
Hi Shiv,
It looks as though this is caused by missing NS records in Route53 for the domain in the cross account where we are adding alias/cname records.
Thanks,
Jonathan
@shivlaks I have a specific example you might try where I've been running into this issue https://github.com/knowsuchagency/airflow-cdk/pull/2
Any known work around on this issue? This is still an issue in aws-cdk version 1.64.1.