Aws-cdk: DNS Validated Certificate Error: Failed to create resource. Cannot read property 'Name' of undefined

Created on 30 May 2020  ·  11 Comments  ·  Source: aws/aws-cdk

When deploying a new DNS Validated Certificate, I keep getting an error:

 26/41 | 5:34:32 PM | CREATE_FAILED        | AWS::CloudFormation::CustomResource        | sslCert/CertificateRequestorResource/Default (sslCertCertificateRequestorResource595CEBB2) Failed to create resource. Cannot read property 'Name' of undefined
    new CustomResource (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/@aws-cdk/core/lib/custom-resource.ts:115:21)
    \_ new DnsValidatedCertificate (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts:96:25)
    \_ new SharedService (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/src/services/shared.ts:64:28)
    \_ /Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/src/index.ts:32:26
    \_ Generator.next (<anonymous>)
    \_ fulfilled (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/src/index.ts:6:58)
    \_ processTicksAndRejections (internal/process/task_queues.js:97:5)

Reproduction Steps

    const hostedZone = route53.HostedZone.fromLookup(scope, 'HostedZone', {
      domainName: 'foo.example.com',
    });
    const sslCertificate = new acm.DnsValidatedCertificate(this, 'sslCert', {
      domainName: 'foo.example.com',
      subjectAlternativeNames: [`*.foo.example.com`, `*.ecs.foo.example.com`],
      hostedZone,
    });

Error Log

Error log from cdk deploy:

 26/41 | 5:34:32 PM | CREATE_FAILED        | AWS::CloudFormation::CustomResource        | sslCert/CertificateRequestorResource/Default (sslCertCertificateRequestorResource595CEBB2) Failed to create resource. Cannot read property 'Name' of undefined
    new CustomResource (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/@aws-cdk/core/lib/custom-resource.ts:115:21)
    \_ new DnsValidatedCertificate (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts:96:25)
    \_ new SharedService (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/src/services/shared.ts:64:28)
    \_ /Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/src/index.ts:32:26
    \_ Generator.next (<anonymous>)
    \_ fulfilled (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/src/index.ts:6:58)
    \_ processTicksAndRejections (internal/process/task_queues.js:97:5)

Error log from Custom Resource Lambda Function:

START RequestId: 95303a13-0749-445a-a0c8-d28bbb2f9300 Version: $LATEST
2020-05-30T00:16:53.288Z 95303a13-0749-445a-a0c8-d28bbb2f9300 INFO Requesting certificate for foo.example.com
2020-05-30T00:16:54.706Z 95303a13-0749-445a-a0c8-d28bbb2f9300 INFO Certificate ARN: arn:aws:acm:us-west-2:422753814403:certificate/bb2aa334-6823-4b41-ad85-776b2148179f
2020-05-30T00:16:54.706Z 95303a13-0749-445a-a0c8-d28bbb2f9300 INFO Waiting for ACM to provide DNS records for validation...
2020-05-30T00:16:59.198Z 95303a13-0749-445a-a0c8-d28bbb2f9300 INFO Caught error TypeError: Cannot read property 'Name' of undefined. Uploading FAILED message to S3.
END RequestId: 95303a13-0749-445a-a0c8-d28bbb2f9300
REPORT RequestId: 95303a13-0749-445a-a0c8-d28bbb2f9300 Duration: 6166.16 ms Billed Duration: 6200 ms Memory Size: 128 MB Max Memory Used: 87 MB Init Duration: 419.89 ms
START RequestId: 15f7c8db-a5a7-4bd5-9eb1-2b387cc7a1bf Version: $LATEST
2020-05-30T00:17:22.071Z 15f7c8db-a5a7-4bd5-9eb1-2b387cc7a1bf INFO Uploading SUCCESS response to S3...
2020-05-30T00:17:22.145Z 15f7c8db-a5a7-4bd5-9eb1-2b387cc7a1bf INFO Done.
END RequestId: 15f7c8db-a5a7-4bd5-9eb1-2b387cc7a1bf
REPORT RequestId: 15f7c8db-a5a7-4bd5-9eb1-2b387cc7a1bf Duration: 76.01 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 87 MB

Environment

  • CLI Version : 1.42.0 (build 3b64241)
  • Framework Version: TypeScript 3.9.3 / Node.js 14.1.0
  • OS : MacOS 10.15.4
  • Language : TypeScript

Other

I can only find two places where there's a reference to a .Name property in the DNS Validated Certificate Lambda function:

https://github.com/aws/aws-cdk/blob/cb71f340343011a2a2de9758879a56e898b8e12c/packages/%40aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js#L116

https://github.com/aws/aws-cdk/blob/cb71f340343011a2a2de9758879a56e898b8e12c/packages/%40aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js#L137

I believe it's the first (dns_validated_certificate_handler/lib/index.js#L116), since the last message to appear before the error is thrown is "Waiting for ACM to provide DNS records for validation...".

Here's the code in question:

  let records;
  for (let attempt = 0; attempt < maxAttempts && !records; attempt++) {
    const { Certificate } = await acm.describeCertificate({
      CertificateArn: reqCertResponse.CertificateArn
    }).promise();
    const options = Certificate.DomainValidationOptions || [];
    if (options.length > 0 && options[0].ResourceRecord) {
      // some alternative names will produce the same validation record
      // as the main domain (eg. example.com + *.example.com)
      // filtering duplicates to avoid errors with adding the same record
      // to the route53 zone twice
      const unique = options
        .map((val) => val.ResourceRecord)
        .reduce((acc, cur) => {
          acc[cur.Name] = cur;
          return acc;
        }, {});
      records = Object.keys(unique).sort().map(key => unique[key]);
    } else {
      // Exponential backoff with jitter based on 200ms base
      // component of backoff fixed to ensure minimum total wait time on
      // slow targets.
      const base = Math.pow(2, attempt);
      await sleep(random() * base * 50 + base * 150);
    }
  }

A note regarding the Certificate naming and Route53 hosted zone:

The hosted zone is a subdomain (e.g. foo.example.com - changed for anonymity), and I'm adding a few extra wildcards:

  • foo.example.com ('DomainName')
  • *.foo.example.com (SAN)
  • *.ecs.foo.example.com (SAN)

Here's the generated CloudFormation Resource:

    "sslCertCertificateRequestorResource595CEBB2": {
      "Type": "AWS::CloudFormation::CustomResource",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "sslCertCertificateRequestorFunction9B246BD8",
            "Arn"
          ]
        },
        "DomainName": "foo.example.com",
        "SubjectAlternativeNames": [
          "*.foo.example.com",
          "*.ecs.foo.example.com"
        ],
        "HostedZoneId": "Z03098442SVHOB89V0UJ8"
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "rapticore-shared-dev1/sslCert/CertificateRequestorResource/Default"
      }
    },

Here's the Certificate Object being queried over in the referenced code:

{
  CertificateArn: 'arn:aws:acm:us-west-2:xxxxxxxxxxxx:certificate/xxxxxxx-xxxx-xxxx-xxxx-c11448b8b212',
  DomainName: 'foo.example.com',
  SubjectAlternativeNames: [
    'foo.example.com',
    '*.foo.example.com',
    '*.ecs.foo.example.com'
  ],
  DomainValidationOptions: [
    {
      DomainName: 'foo.example.com',
      ValidationDomain: 'foo.example.com',
      ValidationStatus: 'PENDING_VALIDATION',
      ResourceRecord: {
        Name: '_6a2843a8394c544fd6b25e23c55b4f54.foo.example.com.',
        Type: 'CNAME',
        Value: '_19a5e04eef1d6f5abxxxxxxxxx.auiqqraehs.acm-validations.aws.'
      },
      ValidationMethod: 'DNS'
    },
    {
      DomainName: '*.foo.example.com',
      ValidationDomain: '*.foo.example.com',
      ValidationStatus: 'PENDING_VALIDATION',
      ResourceRecord: {
        Name: '_6a2843a8394c544fd6b25e23c55b4f54.foo.example.com.',
        Type: 'CNAME',
        Value: '_19a5e04eef1dxxxxxxxxxxxxxxxx.auiqqraehs.acm-validations.aws.'
      },
      ValidationMethod: 'DNS'
    },
    {
      DomainName: '*.ecs.foo.example.com',
      ValidationDomain: '*.ecs.foo.example.com',
      ValidationStatus: 'PENDING_VALIDATION',
      ResourceRecord: {
        Name: '_7b0601b191a2975acf066452963eaa76.ecs.foo.example.com.',
        Type: 'CNAME',
        Value: '_03e3b0d8b31e48fe9xxxxxxxxxxxxx.auiqqraehs.acm-validations.aws.'
      },
      ValidationMethod: 'DNS'
    }
  ],
  Subject: 'CN=foo.example.com',
  Issuer: 'Amazon',
  CreatedAt: 2020-05-30T00:34:28.000Z,
  Status: 'PENDING_VALIDATION',
  KeyAlgorithm: 'RSA-2048',
  SignatureAlgorithm: 'SHA256WITHRSA',
  InUseBy: [],
  Type: 'AMAZON_ISSUED',
  KeyUsages: [],
  ExtendedKeyUsages: [],
  RenewalEligibility: 'INELIGIBLE',
  Options: { CertificateTransparencyLoggingPreference: 'ENABLED' }
}

This is :bug: Bug Report

Labels: @aws-cdk/aws-certificatemanager, bug, in-progress, p2
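Added illustration (editor's example, not the CDK handler's own code): the handler snippet quoted above guards only `options[0].ResourceRecord` before mapping and reducing every entry of `DomainValidationOptions`. The sample below runs that same dedup logic over a constructed DescribeCertificate response in which ACM has not yet attached a `ResourceRecord` to the third SAN, which is enough to reproduce the `TypeError` on `.Name`. The `collectRecordsWhenAllReady` variant is this editor's hardened version, not the project's fix: it reports "not ready" until every option carries a record, so the existing backoff loop would keep polling instead of failing the custom resource.

```javascript
// Constructed sample: three DomainValidationOptions shaped like the object in the
// issue, with the third still lacking its ResourceRecord. Values are made up.
const PARTIAL_OPTIONS = [
  {
    DomainName: 'foo.example.com',
    ValidationStatus: 'PENDING_VALIDATION',
    ResourceRecord: { Name: '_abc.foo.example.com.', Type: 'CNAME', Value: '_1.acm-validations.aws.' },
  },
  {
    DomainName: '*.foo.example.com',
    ValidationStatus: 'PENDING_VALIDATION',
    // Wildcard of the apex shares the apex's validation record, as the issue shows.
    ResourceRecord: { Name: '_abc.foo.example.com.', Type: 'CNAME', Value: '_1.acm-validations.aws.' },
  },
  {
    DomainName: '*.ecs.foo.example.com',
    ValidationStatus: 'PENDING_VALIDATION',
    // ResourceRecord not yet populated by ACM at this poll
  },
];

// The same three options once ACM has filled in every ResourceRecord (constructed).
const COMPLETE_OPTIONS = PARTIAL_OPTIONS.map((opt, i) =>
  i === 2
    ? { ...opt, ResourceRecord: { Name: '_def.ecs.foo.example.com.', Type: 'CNAME', Value: '_2.acm-validations.aws.' } }
    : opt,
);

// Mirrors the logic quoted from the handler: only options[0] is checked for a
// ResourceRecord before every option is mapped and reduced by record Name.
function collectRecordsAsInHandler(options) {
  if (options.length > 0 && options[0].ResourceRecord) {
    const unique = options
      .map((val) => val.ResourceRecord)
      .reduce((acc, cur) => {
        acc[cur.Name] = cur; // throws TypeError when cur is undefined
        return acc;
      }, {});
    return Object.keys(unique).sort().map((key) => unique[key]);
  }
  return undefined; // caller keeps polling
}

// Hardened variant (editor's suggestion): treat the response as "not ready" until
// every option has a ResourceRecord, then dedup by Name exactly as before.
function collectRecordsWhenAllReady(options) {
  if (options.length === 0 || !options.every((opt) => opt.ResourceRecord)) {
    return undefined; // keep polling; nothing is thrown
  }
  const unique = new Map();
  for (const { ResourceRecord } of options) {
    unique.set(ResourceRecord.Name, ResourceRecord);
  }
  return [...unique.keys()].sort().map((name) => unique.get(name));
}

// Returns the name of the error class the handler-style logic throws, or null.
function handlerFailureOn(options) {
  try {
    collectRecordsAsInHandler(options);
    return null;
  } catch (err) {
    return err.constructor.name;
  }
}

console.log('partial, handler logic :', handlerFailureOn(PARTIAL_OPTIONS));
console.log('partial, hardened      :', collectRecordsWhenAllReady(PARTIAL_OPTIONS));
console.log('complete, hardened     :', collectRecordsWhenAllReady(COMPLETE_OPTIONS).map((r) => r.Name));
```

With two or more SANs the first poll can return a mixed response like `PARTIAL_OPTIONS`, which is consistent with the reports in this thread that one SAN works and two or more fail intermittently.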

All 11 comments

@rrrix The same mistake happened to me some time ago.

Does the zone for your apex domain example.com have an NS record for your subdomain foo.example.com (see docs)?

In my case, I forgot to add the NS record to the apex domain. After I added the NS record, all went well. I don't know if that was causing the problem, but it kinda makes sense.

Error handling could be improved though ;)

Forget what I said. I just experienced the same error again while moving my stacks to another region. The first deploy failed, the second succeeded.

me@Me-MBP cdk % yarn cdk deploy DnsStackProd
yarn run v1.22.4
$ cdk deploy DnsStackProd


 🚀  Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForReading


This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬─────────────────────────────────┬────────┬─────────────────────────────────┬──────────────────────────────────┬───────────┐
│   │ Resource                        │ Effect │ Action                          │ Principal                        │ Condition │
├───┼─────────────────────────────────┼────────┼─────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${Certificate/CertificateReques │ Allow  │ sts:AssumeRole                  │ Service:lambda.amazonaws.com     │           │
│   │ torFunction/ServiceRole.Arn}    │        │                                 │                                  │           │
├───┼─────────────────────────────────┼────────┼─────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ *                               │ Allow  │ acm:DeleteCertificate           │ AWS:${Certificate/CertificateReq │           │
│   │                                 │        │ acm:DescribeCertificate         │ uestorFunction/ServiceRole}      │           │
│   │                                 │        │ acm:RequestCertificate          │                                  │           │
│ + │ *                               │ Allow  │ route53:GetChange               │ AWS:${Certificate/CertificateReq │           │
│   │                                 │        │                                 │ uestorFunction/ServiceRole}      │           │
├───┼─────────────────────────────────┼────────┼─────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ arn:${AWS::Partition}:route53:: │ Allow  │ route53:changeResourceRecordSet │ AWS:${Certificate/CertificateReq │           │
│   │ :hostedzone/ZXXX                │        │ s                               │ uestorFunction/ServiceRole}      │           │
│   │ H                               │        │                                 │                                  │           │
└───┴─────────────────────────────────┴────────┴─────────────────────────────────┴──────────────────────────────────┴───────────┘
IAM Policy Changes
┌───┬─────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│   │ Resource                                                    │ Managed Policy ARN                                          │
├───┼─────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ + │ ${Certificate/CertificateRequestorFunction/ServiceRole}     │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambd │
│   │                                                             │ aBasicExecutionRole                                         │
└───┴─────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Do you wish to deploy these changes (y/n)? y
DnsStackProd: deploying...


 🚀  Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForWriting


[0%] start: Publishing 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
[100%] success: Published 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
DnsStackProd: creating CloudFormation changeset...
 0/6 | 00:27:51 | CREATE_IN_PROGRESS   | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 
 0/6 | 00:27:51 | CREATE_IN_PROGRESS   | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) Resource creation Initiated
 0/6 | 00:27:56 | CREATE_IN_PROGRESS   | AWS::CDK::Metadata                  | CDKMetadata 
 0/6 | 00:27:57 | CREATE_IN_PROGRESS   | AWS::CDK::Metadata                  | CDKMetadata Resource creation Initiated
 1/6 | 00:27:57 | CREATE_COMPLETE      | AWS::CDK::Metadata                  | CDKMetadata 
 2/6 | 00:28:05 | CREATE_COMPLETE      | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 
 2/6 | 00:28:07 | CREATE_IN_PROGRESS   | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 2/6 | 00:28:08 | CREATE_IN_PROGRESS   | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) Resource creation Initiated
 3/6 | 00:28:22 | CREATE_COMPLETE      | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 3/6 | 00:28:24 | CREATE_IN_PROGRESS   | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 3/6 | 00:28:24 | CREATE_IN_PROGRESS   | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) Resource creation Initiated
 4/6 | 00:28:25 | CREATE_COMPLETE      | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 4/6 | 00:28:26 | CREATE_IN_PROGRESS   | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) 
 4/6 | 00:28:34 | CREATE_IN_PROGRESS   | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) Resource creation Initiated
 5/6 | 00:28:35 | CREATE_FAILED        | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) Failed to create resource. Cannot read property 'Name' of undefined
        new CustomResource (/Users/me/Documents/Detelling/cdk/node_modules/@aws-cdk/core/lib/custom-resource.ts:115:21)
        \_ new DnsValidatedCertificate (/Users/me/Documents/Detelling/cdk/node_modules/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts:96:25)
        \_ new DnsStack (/Users/me/Documents/Detelling/cdk/lib/stacks/dns.ts:28:25)
        \_ Object.<anonymous> (/Users/me/Documents/Detelling/cdk/bin/cdk.ts:20:22)
        \_ Module._compile (internal/modules/cjs/loader.js:1158:30)
        \_ Module.m._compile (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/index.ts:858:23)
        \_ Module._extensions..js (internal/modules/cjs/loader.js:1178:10)
        \_ Object.require.extensions.<computed> [as .ts] (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/index.ts:861:12)
        \_ Module.load (internal/modules/cjs/loader.js:1002:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:901:14)
        \_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
        \_ main (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/bin.ts:227:14)
        \_ Object.<anonymous> (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/bin.ts:513:3)
        \_ Module._compile (internal/modules/cjs/loader.js:1158:30)
        \_ Object.Module._extensions..js (internal/modules/cjs/loader.js:1178:10)
        \_ Module.load (internal/modules/cjs/loader.js:1002:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:901:14)
        \_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
        \_ /Users/me/.nvm/versions/node/v12.16.1/lib/node_modules/npm/node_modules/libnpx/index.js:268:14
 5/6 | 00:28:35 | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack          | DnsStackProd The following resource(s) failed to create: [CertificateCertificateRequestorResource2890C6B7]. . Rollback requested by user.
 5/6 | 00:29:04 | DELETE_IN_PROGRESS   | AWS::CDK::Metadata                  | CDKMetadata 
 5/6 | 00:29:04 | DELETE_IN_PROGRESS   | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) 
 6/6 | 00:29:04 | DELETE_COMPLETE      | AWS::CDK::Metadata                  | CDKMetadata 
 7/6 | 00:29:06 | DELETE_COMPLETE      | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) 
 7/6 | 00:29:06 | DELETE_IN_PROGRESS   | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 8/6 | 00:29:07 | DELETE_COMPLETE      | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 8/6 | 00:29:07 | DELETE_IN_PROGRESS   | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 9/6 | 00:29:08 | DELETE_COMPLETE      | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 9/6 | 00:29:08 | DELETE_IN_PROGRESS   | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 
 10/6 | 00:29:09 | DELETE_COMPLETE      | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 

 ❌  DnsStackProd failed: Error: The stack named DnsStackProd failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
    at /Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/api/util/cloudformation.ts:254:13
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at waitFor (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/api/util/cloudformation.ts:166:20)
    at Object.deployStack (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/api/deploy-stack.ts:252:26)
    at CdkToolkit.deploy (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:181:24)
    at main (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/bin/cdk.ts:250:16)
    at initCommandLine (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/bin/cdk.ts:183:9)
The stack named DnsStackProd failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
me@Me-MBP cdk % yarn cdk deploy DnsStackProd
yarn run v1.22.4
$ cdk deploy DnsStackProd


 🚀  Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForReading


DnsStackProd: deploying...


 🚀  Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForWriting


[0%] start: Publishing 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
[100%] success: Published 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
DnsStackProd: creating CloudFormation changeset...
 0/6 | 00:34:03 | CREATE_IN_PROGRESS   | AWS::CDK::Metadata                  | CDKMetadata 
 0/6 | 00:34:03 | CREATE_IN_PROGRESS   | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 
 0/6 | 00:34:03 | CREATE_IN_PROGRESS   | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) Resource creation Initiated
 0/6 | 00:34:04 | CREATE_IN_PROGRESS   | AWS::CDK::Metadata                  | CDKMetadata Resource creation Initiated
 1/6 | 00:34:04 | CREATE_COMPLETE      | AWS::CDK::Metadata                  | CDKMetadata 
 2/6 | 00:34:18 | CREATE_COMPLETE      | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 
 2/6 | 00:34:19 | CREATE_IN_PROGRESS   | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 2/6 | 00:34:20 | CREATE_IN_PROGRESS   | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) Resource creation Initiated
 3/6 | 00:34:34 | CREATE_COMPLETE      | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 3/6 | 00:34:35 | CREATE_IN_PROGRESS   | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 3/6 | 00:34:36 | CREATE_IN_PROGRESS   | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) Resource creation Initiated
 4/6 | 00:34:36 | CREATE_COMPLETE      | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 4/6 | 00:34:38 | CREATE_IN_PROGRESS   | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) 
4/6 Currently in progress: CertificateCertificateRequestorResource2890C6B7
 4/6 | 00:39:25 | CREATE_IN_PROGRESS   | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) Resource creation Initiated

 ✅  DnsStackProd

Since my app is importing the hosted zone, NS records were definitely present.

I removed (commented out) the subjectAlternativeNames, redeployed, and everything deployed without errors on the first try. This obviously isn't a 'fix', since I need those SANs, but just an interesting observation. I'll try and keep debugging.

    const hostedZone = route53.HostedZone.fromLookup(scope, 'HostedZone', {
      domainName: 'foo.example.com',
    });
    const sslCertificate = new acm.DnsValidatedCertificate(this, 'sslCert', {
      domainName: 'foo.example.com',
      // subjectAlternativeNames: [`*.foo.example.com`, `*.ecs.foo.example.com`],
      hostedZone,
    });

I'm getting this too but intermittently. Have just run the same stack two times: first time it failed, then reran it and it worked. Happened a couple of times yesterday too. Was doing the same thing in Python with CDK 1.31 before and never had this problem with multiple deployments, now had it 3/6 times. Now on 1.44 JS I'm getting this issue.

My current stack (with right values passed in) is essentially:

    const hostedZone = route53.HostedZone.fromHostedZoneAttributes(
      this,
      'MainHostLookup',
      {
        zoneName: hostedDomainUrl,
        hostedZoneId: hostedZoneId,
      },
    )

    new certificatemanager.DnsValidatedCertificate(
      this,
      'EnvironmentCertificate',
      {
        hostedZone: hostedZone,
        domainName: hostedDomainUrl,
        region: 'us-east-1',
        subjectAlternativeNames: [`*.${hostedDomainUrl}`],
        validationMethod: certificatemanager.ValidationMethod.DNS,
      },
    )

The Python one previously that always worked (I've rewritten in JS for various reasons):

        hosted_zone = route53.HostedZone.from_hosted_zone_attributes(
            self,
            "MainHostLookup",
            zone_name=hosted_domain_url,
            hosted_zone_id=hosted_zone_id,
        )

        self.certificate = certificatemanager.DnsValidatedCertificate(
            self,
            "EnvironmentCertificate",
            hosted_zone=hosted_zone,
            domain_name=hosted_domain_url,
            region="us-east-1",
            subject_alternative_names=[f"*.{hosted_domain_url}"],
            validation_method=certificatemanager.ValidationMethod.DNS,
        )

Could be Python vs JS or more likely v 1.31 to 1.44 I'm guessing or it could even be CloudFormation/AWS changes since April when I was last running this.

Note it created the certificates successfully in AWS whether this stack passes or not but the CloudFormation fails when it throws this error. For now my workaround will be to delete the certificate and try again till it works. Also I noticed that it took 7 minutes for the certificate to successfully create on CDK/CloudFormation failure but only a couple of minutes after when it worked successfully.

Hope that makes sense, ping me if any questions by all means.

I did a bit more research on this, and it turns out there are actually two open PRs that aim to fix this:

  • fix(acm-certificatemanager): DnsValidatedCertificate doesn't wait long enough: #6516
  • fix(DnsValidatedCertificate): add support for subjectAlternativeNames: #7150

Unfortunately both are getting a bit stale, as both PRs have pending, unfinished changes requested by the CDK Team. I think #6516 looks like the better PR, as it solves the root cause of the problem, rather than creating an arbitrary wait mechanism as #7150 does.

Same as @strottos.
The first time it failed and the second run it passed.

CDK version: 1.45.0 (build 0cfab15)

    // Get hosted zone
    const hostedZone = route53.HostedZone.fromLookup(this, `hosted-zone-${props.envName}`, { domainName })

    // Certificate
    const certificate = new certificatemanager.DnsValidatedCertificate(this, `certificate-${domainName}`, {
        domainName: domainName,
        hostedZone: hostedZone,
        region: props.region,
        subjectAlternativeNames: [`*.${domainName}`],
      })

Just curious, for people affected, does it eventually work or does it consistently fail?

For me, it fails consistently if I have 2 or more subjectAlternativeNames. One or none, always works

Either way, supporting native Cloud Formation DNS sounds like the best solution so hopefully it is available soon

Here's my custom construct I'm using to use the native CloudFormation AWS::CertificateManager::Certificate with DNS Validation:

// CfnDnsValidatedCertificate.ts

import { Certificate, CertificateProps, ICertificate, ValidationMethod } from '@aws-cdk/aws-certificatemanager';
import { IHostedZone, IPublicHostedZone } from '@aws-cdk/aws-route53';
import { CfnResource, Construct, Resource } from '@aws-cdk/core';

interface CfnDnsValidatedCertificateProps extends CertificateProps {
  hostedZone: IPublicHostedZone;
}

export class CfnDnsValidatedCertificate extends Resource implements ICertificate {
  public readonly domainName: string;
  public readonly subjectAlternativeNames: string[];
  public readonly hostedZone: IHostedZone;
  public readonly resource: CfnResource;
  public readonly certificate: ICertificate;
  public readonly certificateArn: string;
  public readonly validationMethod: ValidationMethod = ValidationMethod.DNS;

  constructor(scope: Construct, id: string, props: CfnDnsValidatedCertificateProps) {
    super(scope, id);
    this.domainName = props.domainName;
    this.subjectAlternativeNames = props.subjectAlternativeNames;
    this.hostedZone = props.hostedZone;

    this.resource = new CfnResource(this, 'cfnCertificate', {
      type: 'AWS::CertificateManager::Certificate',
      properties: {
        DomainName: this.domainName,
        SubjectAlternativeNames: this.subjectAlternativeNames,
        ValidationMethod: ValidationMethod.DNS,
        DomainValidationOptions: [
          {
            DomainName: this.domainName,
            HostedZoneId: this.hostedZone.hostedZoneId,
          },
        ],
      },
    });

    this.certificateArn = this.resource.ref;
    this.certificate = Certificate.fromCertificateArn(this, 'Resource', this.certificateArn);
  }
}

Use it kinda like this:

    const hostedZone = PublicHostedZone.fromLookup(this, 'hostedZone', {
      domainName: props.envDomainName,
    });

    this.certificate = new CfnDnsValidatedCertificate(this, 'certificate', {
      domainName: domainName,
      hostedZone: hostedZone,
    });

It's faster, works 100% of the time (with any number of SANs), cheaper (no Lambda) and has the same great taste of automated DNS Validated ACM Certificates!

This issue should be reopened. I got the same error using DnsValidatedCertificate with v1.61.0 today. I was able to get it working by switching to using Certificate with CertificateValidation.fromDns.

Same problem with 1.61.1. Please reopen

Similar problem with 1.63.0. Thanks @mikestopcontinues for the workaround solution.

From the docs (https://docs.aws.amazon.com/cdk/api/latest/docs/aws-certificatemanager-readme.html) I noticed DnsValidatedCertificate is used only for cross-account validation, and all other examples are done with Certificate and CertificateValidation.fromDns().
