Aws-cdk: aws-certificatemanager DnsValidatedCertificateHandler does not properly handle certs with SubjectAlternativeNames

Created on 24 Oct 2019 · 7 Comments · Source: aws/aws-cdk

A DnsValidatedCertificate will never successfully validate when SubjectAlternativeNames are present. This seems to be due to the custom resource only adding the first DomainValidationOptions record to Route53. See line 110 here. This should add a new ResourceRecordSet for every DomainValidationOptions result.

Reproduction Steps

Create a DnsValidatedCertificate and add at least one record to subjectAlternativeNames.

Environment

  • CLI Version : 1.14.0
  • Framework Version: 1.14.0
  • OS : MacOS 10.14
  • Language : Typescript

This is :bug: Bug Report

Labels: @aws-cdk/aws-certificatemanager, bug, in-progress, p2

All 7 comments

Thanks for reporting.

Furthermore, it looks like validationDomains option (which could be used to work around this, assuming all subjectAlternativeNames are under the same name) is totally ignored by DnsValidatedCertificate...

Any updates on this @SomayaB or @rix0rrr ?

@rix0rrr / @SomayaB Can we please get an update on this one?

@jamiepmullan We don't have any concrete plans for addressing this on the short term. A PR for it would be welcomed though

+1 to this bug report.

The bug is in the CustomResource function here:

record = options[0].ResourceRecord;

The code should iterate over options array (these are all domain validation options, including subjectAlternativeNames) instead of taking the first element of the array and then passing it to:

const changeBatch = await route53.changeResourceRecordSets({
    ChangeBatch: {
      Changes: [{
        Action: 'UPSERT',
        ResourceRecordSet: {
          Name: record.Name,
          Type: record.Type,
          TTL: 60,
          ResourceRecords: [{
            Value: record.Value
          }]
        }
      }]
    },
    HostedZoneId: hostedZoneId
  }).promise();

The fix is dead simple: just do a for(const option of options) { ... }

@skinny85

Repro:

import * as acm from '@aws-cdk/aws-certificatemanager';
import * as route53 from '@aws-cdk/aws-route53';

// inside a Stack constructor
const hostedZone = route53.HostedZone.fromLookup(this, 'WebsiteHostedZone', { domainName: 'example.com' });
new acm.DnsValidatedCertificate(this, 'WebsiteCertificate', {
  domainName: 'example.com',
  subjectAlternativeNames: ['www.example.com'],
  hostedZone,
});

It will only validate example.com, while www.example.com will be left hanging in ACM until the validator cloudformation custom resource times out.

Submitted a PR fixing this issue: #6516
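The thread above pins the bug to `options[0].ResourceRecord` and the repro shows `www.example.com` never validating. The following is an added example, not code from aws-cdk or from anyone in this thread, of the shape the handler logic needs: wait until every DomainValidationOptions entry carries a ResourceRecord, then build one Route 53 ChangeBatch covering all of them. It goes a step beyond the one-SAN repro: ACM hands out the same validation CNAME for an apex name and its wildcard (`example.com` / `*.example.com`), and Route 53 rejects a ChangeBatch that lists the same record set twice, so the loop also collapses duplicates. The interfaces are declared inline so it runs without the AWS SDK, and the CNAME names and values in `sampleOptions` are made-up placeholders, not real ACM tokens.

```typescript
// Added example (not aws-cdk code). The field names mirror what the handler
// reads from acm.describeCertificate and passes to route53.changeResourceRecordSets;
// the types are declared here so the file compiles without the AWS SDK.

interface ResourceRecord {
  Name: string;
  Type: string;
  Value: string;
}

interface DomainValidationOption {
  DomainName: string;
  ValidationStatus?: string;
  ResourceRecord?: ResourceRecord; // absent until ACM has generated it
}

interface Change {
  Action: 'UPSERT';
  ResourceRecordSet: {
    Name: string;
    Type: string;
    TTL: number;
    ResourceRecords: { Value: string }[];
  };
}

interface ChangeResourceRecordSetsRequest {
  HostedZoneId: string;
  ChangeBatch: { Changes: Change[] };
}

// ACM fills in ResourceRecord asynchronously. Polling until only options[0]
// has one is the same off-by-everything as the bug; every entry must be ready.
function allRecordsReady(options: DomainValidationOption[]): boolean {
  return options.length > 0 && options.every(function (o) { return o.ResourceRecord !== undefined; });
}

function buildChangeBatch(
  options: DomainValidationOption[],
  hostedZoneId: string,
): ChangeResourceRecordSetsRequest {
  if (!allRecordsReady(options)) {
    throw new Error('not every DomainValidationOptions entry has a ResourceRecord yet');
  }
  // Route 53 rejects a ChangeBatch containing the same record set twice
  // (InvalidChangeBatch), and ACM issues one CNAME per registered domain, so
  // an apex name and its wildcard share a record: keep one UPSERT per name/type.
  const seen: { [key: string]: Change } = {};
  const changes: Change[] = [];
  for (const option of options) {
    const record = option.ResourceRecord as ResourceRecord;
    const key = record.Name.toLowerCase() + '|' + record.Type;
    if (Object.prototype.hasOwnProperty.call(seen, key)) {
      if (seen[key].ResourceRecordSet.ResourceRecords[0].Value !== record.Value) {
        throw new Error('conflicting validation values for ' + record.Name);
      }
      continue;
    }
    const change: Change = {
      Action: 'UPSERT',
      ResourceRecordSet: {
        Name: record.Name,
        Type: record.Type,
        TTL: 60,
        ResourceRecords: [{ Value: record.Value }],
      },
    };
    seen[key] = change;
    changes.push(change);
  }
  return { HostedZoneId: hostedZoneId, ChangeBatch: { Changes: changes } };
}

// Constructed sample (placeholder names/values, not real ACM output): what
// describeCertificate might return for domainName example.com with SANs
// www.example.com and *.example.com. The wildcard reuses the apex record.
const sampleOptions: DomainValidationOption[] = [
  { DomainName: 'example.com',
    ResourceRecord: { Name: '_aaaa.example.com.', Type: 'CNAME', Value: '_1111.acm-validations.aws.' } },
  { DomainName: 'www.example.com',
    ResourceRecord: { Name: '_bbbb.www.example.com.', Type: 'CNAME', Value: '_2222.acm-validations.aws.' } },
  { DomainName: '*.example.com',
    ResourceRecord: { Name: '_aaaa.example.com.', Type: 'CNAME', Value: '_1111.acm-validations.aws.' } },
];

// Hypothetical hosted zone id, for illustration only.
const sampleRequest = buildChangeBatch(sampleOptions, 'Z0000000000000000000');
console.log(JSON.stringify(sampleRequest, null, 2));
```

With the three constructed options the batch contains two UPSERTs, not three: `www.example.com` gets its own record and the wildcard folds into the apex record. The original handler would have emitted only the first.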
