Aws-cdk: CDK Certificate Manager fromCertificateArn "The provided certificate does not exist"

Created on 10 Aug 2019 · 6 Comments · Source: aws/aws-cdk

  • I'm submitting a ...

    • [x] :beetle: bug report
    • [ ] :rocket: feature request
    • [ ] :books: construct library gap
    • [ ] :phone: security issue or vulnerability => Please see policy
    • [X] :question: support request => Please see note at the top of this template.
  • What is the current behavior?
    I use the TypeScript CDK to create an API Gateway LambdaRestApi with a certificate in the domainName. I get the certificate using certmanager.Certificate.fromCertificateArn, passing the entire ARN, like arn:aws:acm:REGION:ACC_ID:certificate/CERT_ID, but when deploying the stack I get the error: The provided certificate does not exist

  • What is the expected behavior (or behavior of feature suggested)?
    To get the certificate using the ARN and inject that to the APIGW provider.

  • Please tell us about your environment:

    • CDK CLI Version: 1.3.0 (build bba9914)
    • Module Version: @aws-cdk/aws-certificatemanager 1.3.0
    • OS: [ OSX Mojave 10.14.6 ]
    • Language: [ TypeScript ]
  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

Here's a code sample:

const certArn = 'arn:aws:acm:REGION:ACCOUNT:certificate/ID';
const cert = certmanager.Certificate.fromCertificateArn(this, 'SomeCertName', certArn);

// Set up the API and its resources
const apiGW = new apigw.LambdaRestApi(this, 'RestAPIName', {
    handler: getTenantsLambdaFn,
    domainName: {
        domainName: 'SOMEDOMAINNAME',
        certificate: cert,
    },
    deployOptions: {
        loggingLevel: apigw.MethodLoggingLevel.INFO,
        dataTraceEnabled: true,
    },
    proxy: false,
});
Labels: @aws-cdk/aws-apigateway, @aws-cdk/aws-certificatemanager, bug, p2

All 6 comments

Is there any update on this? I'm currently blocked until this issue is resolved. Thanks :)

Is there a workaround? This issue still exists in Version 1.15.0

The region property in DnsValidatedCertificateProps does not have an effect.

const certificateArn = new DnsValidatedCertificate(this, 'SiteCertificate', {
  domainName: siteDomain,
  hostedZone: zone,
  region: 'us-east-1'
}).certificateArn;

...
new CloudFrontWebDistribution(this, 'SiteDistribution', {
  aliasConfiguration: {
    acmCertRef: certificateArn,
    names: [siteDomain],
    sslMethod: SSLMethod.SNI,
    securityPolicy: SecurityPolicyProtocol.TLS_V1_2_2018,
  },
...
});

@L1qu1d1c3 & @jforge -

This error is typically raised when the certificate in question has not passed validation as yet. Can you confirm that the certificate that you've imported has been validated?

I was able to write a similar CDK program and confirm that the synthesized template is generated as expected and the certificate ARN is marked against the RegionalCertificateArn attribute of the AWS::ApiGateway::DomainName resource type.

Do you see anything off in the template synthesized from your app?

There seem to be several problems fixed with CDK 1.16.

My first issue was an immediate exit with cdk synth, this does not happen anymore.

Using #fromCertificateArn also works as expected for me, the DnsValidation was fast and I had no pre-validation state on the certificate when proceeding with the cloudfront distribution.

You're right: If the certificate is not validated, the mentioned error would be raised.

env: { CDK_DEFAULT_REGION: 'eu-central-1',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.10.0',
  CDK_CLI_VERSION: '1.15.0' }

acmCertificate certficate must be in the us-east-1 region, got eu-central-1

Subprocess exited with error 1
Error: Subprocess exited with error 1
    at ChildProcess.proc.on.code (/usr/local/Cellar/aws-cdk/1.15.0/libexec/lib/node_modules/aws-cdk/lib/api/cxapp/exec.ts:115:23)
    at ChildProcess.emit (events.js:198:13)
    at ChildProcess.EventEmitter.emit (domain.js:448:20)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:248:12)

This error does not occur with CDK 1.16.2 and I now get something like this in the synthesized template:

SiteCertificateCertificateRequestorResourceXXXX:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - SiteCertificateCertificateRequestorFunctionXXX
          - Arn
      DomainName: test-site.lab.XXXX
      HostedZoneId: ZXXXXXX
      Region: us-east-1

The CloudFormation stack in eu-central-1 shows a correctly validated certificate in us-east-1.
The DNS validation was fast and successful, the CloudFront distribution was successfully deployed (after 22 minutes).
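The two causes this thread settles on for "The provided certificate does not exist" are a certificate that has not finished validation and a certificate that sits in a region the endpoint type cannot use (REGIONAL domains need the stack's region, EDGE/CloudFront need us-east-1). The following pre-deploy check is an added example, not code from the aws-cdk project or from any commenter; the `CertificateSummary` shape and helper names are assumptions, meant to be filled from the ACM certificate description you already have for the ARN.

```typescript
// Added example: checks an ACM certificate against the conditions that produce
// "The provided certificate does not exist" on an API Gateway DomainName.
// CertificateSummary and the function names are assumptions, not a CDK or ACM API.

type EndpointType = "REGIONAL" | "EDGE";

interface CertificateSummary {
  arn: string;
  status: string;                    // ACM CertificateStatus, e.g. PENDING_VALIDATION, ISSUED
  subjectAlternativeNames: string[]; // names the certificate covers, wildcards allowed
}

// arn:aws:acm:<region>:<12-digit account>:certificate/<uuid>
const ACM_ARN = /^arn:aws:acm:([a-z]{2}(?:-gov)?-[a-z]+-\d):(\d{12}):certificate\/([0-9a-f-]+)$/;

export function parseAcmArn(arn: string): { region: string; account: string; id: string } | null {
  const m = ACM_ARN.exec(arn);
  return m ? { region: m[1], account: m[2], id: m[3] } : null;
}

// Does a certificate name (possibly a wildcard such as *.example.com) cover `domain`?
// A wildcard matches exactly one label, so *.example.com covers api.example.com
// but neither example.com nor a.b.example.com.
export function nameMatches(name: string, domain: string): boolean {
  const host = domain.toLowerCase();
  if (!name.startsWith("*.")) return name.toLowerCase() === host;
  const suffix = name.slice(1).toLowerCase(); // ".example.com"
  return host.endsWith(suffix) && !host.slice(0, -suffix.length).includes(".");
}

export function certificateProblems(
  cert: CertificateSummary, domain: string, endpointType: EndpointType, stackRegion: string,
): string[] {
  const problems: string[] = [];
  const parsed = parseAcmArn(cert.arn);
  if (!parsed) return [`not a well-formed ACM certificate ARN: ${cert.arn}`];
  // REGIONAL domains need the certificate in the API's own region; EDGE domains
  // (and CloudFront) only accept certificates issued in us-east-1.
  const required = endpointType === "EDGE" ? "us-east-1" : stackRegion;
  if (parsed.region !== required) {
    problems.push(`certificate is in ${parsed.region}, but a ${endpointType} domain needs ${required}`);
  }
  // A certificate still in PENDING_VALIDATION is reported as non-existent by API Gateway.
  if (cert.status !== "ISSUED") {
    problems.push(`certificate status is ${cert.status}, not ISSUED`);
  }
  if (!cert.subjectAlternativeNames.some((n) => nameMatches(n, domain))) {
    problems.push(`certificate does not cover ${domain}`);
  }
  return problems;
}
```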

It looks like we've fixed this issue. Closing now; re-open if your issue was not addressed.

Hi @nija-at , I seem to be having the same issue.

I'm using the LambdaRestApi construct, and I want to add a domain to it. The certificate already exists (It's a wildcard cert, I've been using it on other projects for while now, so it's definitely valid).

const CERTIFICATE_ARN: string = "arn:aws:acm:ap-southeast-2:XXX";
const VENDOR_DOMAIN: string = "vendor.test.XXX";

export class DeployStack extends cdk.Stack {
    constructor(...) {
        ...

        const cert = certificatemanager.Certificate.fromCertificateArn(this, "certificate", CERTIFICATE_ARN);

        const api = new apigateway.LambdaRestApi(this, "api", {
            handler: backend,
            binaryMediaTypes: ["*/*"],
        });
        api.addDomainName("vendor_domain", {
            domainName: VENDOR_DOMAIN,
            certificate: cert,
        });
    }
}

However, when I try to do cdk deploy, I get a long error message saying that the certificate does not exist:

3/20 | 5:11:44 PM | CREATE_FAILED        | AWS::ApiGateway::DomainName      | vendor_api/api_domain (vendorapiapidomain3C9A5F4E)
Invalid request provided: The provided certificate does not exist. (Service: ApiGateway, Status Code: 400, Request ID: XXX, Extended Request ID: null)
        new DomainName (...\node_modules\@aws-cdk\aws-apigateway\lib\domain-name.ts:111:22)

I'm using cdk version 1.67.0

Just to be clear, the domain I'm adding will be a brand new subdomain. I don't need to do any additional setup anywhere else do I? My understanding is that the addDomainName call will set all that stuff up for me (i.e. messing with Route53 and such), is that correct?

Here is the relevant output from cdk synth.

vendorapiCustomDomainB787F7E3:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: vendor.test.XXX
      EndpointConfiguration:
        Types:
          - REGIONAL
      RegionalCertificateArn: arn:aws:acm:ap-southeast-2:XXX
    Metadata:
      aws:cdk:path: DeployStack/vendor_api/CustomDomain/Resource

Let me know if you need any more information.
