Hi guys,
I'm trying to request and validate a certificate using DNS validation to use in a Route53 hostedZone using the client, but I'm not receiving some "DomainValidationOptions" CNAME data to do that.
When I call acm.describeCertificate in the client, I receive the following response, with the field ResourceRecord (which contains the data to configure Route53) missing for each DomainValidationOption:
    { Certificate: { CertificateArn: 'arn:aws:acm:us-east-1:286442677169:certificate/some-uuid',
        DomainName: 'courses.myportal.com',
        SubjectAlternativeNames:
          [ 'courses.myportal.com',
            '*.courses.myportal.com',
            '*.dev.courses.myportal.com',
            '*.sandbox.myportal.com'],
        DomainValidationOptions:
          [ { DomainName: 'courses.myportal.com',
              ValidationMethod: 'DNS' },
            { DomainName: '*.courses.myportal.com',
              ValidationMethod: 'DNS' },
            { DomainName: '*.dev.courses.myportal.com',
              ValidationMethod: 'DNS' },
            { DomainName: '*.courses.myportal.com',
              ValidationMethod: 'DNS' } ],
        CreatedAt: 2018-07-09T14:10:35.000Z,
        Status: 'PENDING_VALIDATION',
        KeyAlgorithm: 'RSA-2048',
        SignatureAlgorithm: 'SHA256WITHRSA',
        InUseBy: [],
        Type: 'AMAZON_ISSUED',
        KeyUsages: [],
        ExtendedKeyUsages: [],
        RenewalEligibility: 'INELIGIBLE',
        Options: { CertificateTransparencyLoggingPreference: 'ENABLED' } }
    }
But, when I call AWS CLI describe-certificate to the same certificate, using the same AWS default credential, I receive a response with ResourceRecord:
    {
        "Certificate": {
            "CertificateArn": "arn:aws:acm:us-east-1:286442677169:certificate/f30731f2-df9c-4e02-8255-c87514bcbb2c",
            "Status": "PENDING_VALIDATION",
            "SubjectAlternativeNames": [
                "courses.myportal.com",
                "*.courses.myportal.com",
                "*.dev.courses.myportal.com",
                "*.sandbox.courses.myportal.com"
            ],
            "DomainName": "cursos.portalsonhare.com.br",
            "Options": {
                "CertificateTransparencyLoggingPreference": "ENABLED"
            },
            "RenewalEligibility": "INELIGIBLE",
            "InUseBy": [],
            "KeyUsages": [],
            "DomainValidationOptions": [
                {
                    "ValidationStatus": "PENDING_VALIDATION",
                    "ResourceRecord": {
                        "Type": "CNAME",
                        "Name": "_27d099bdd06af34c7f1a73ff0ff1baef.courses.myportal.com.",
                        "Value": "_844108c3a782171a4b48ffe4b9f902b6.acm-validations.aws."
                    },
                    "ValidationMethod": "DNS",
                    "DomainName": "courses.myportal.com"
                },
                {
                    "ValidationStatus": "PENDING_VALIDATION",
                    "ResourceRecord": {
                        "Type": "CNAME",
                        "Name": "_27d099bdd06af34c7f1a73ff0ff1baef.cursos.portalsonhare.com.br.",
                        "Value": "_844108c3a782171a4b48ffe4b9f902b6.acm-validations.aws."
                    },
                    "ValidationMethod": "DNS",
                    "DomainName": "*.courses.myportal.com"
                },
                {
                    "ValidationStatus": "PENDING_VALIDATION",
                    "ResourceRecord": {
                        "Type": "CNAME",
                        "Name": "_053c71c7294eae1b5e288d8ea17dcc24.dev.courses.myportal.com.",
                        "Value": "_b39ee257a476d4e57d24c056875cc7bf.acm-validations.aws."
                    },
                    "ValidationMethod": "DNS",
                    "DomainName": "*.dev.courses.myportal.com"
                },
                {
                    "ValidationStatus": "PENDING_VALIDATION",
                    "ResourceRecord": {
                        "Type": "CNAME",
                        "Name": "_82589eb105de882f9f30efcf04918370.sandbox.courses.myportal.com.",
                        "Value": "_8c7bdf25a1c846774822d70f8582783a.acm-validations.aws."
                    },
                    "ValidationMethod": "DNS",
                    "DomainName": "*.sandbox.courses.myportal.com"
                }
            ],
            "KeyAlgorithm": "RSA-2048",
            "SignatureAlgorithm": "SHA256WITHRSA",
            "Type": "AMAZON_ISSUED",
            "ExtendedKeyUsages": [],
            "CreatedAt": 1531145435.0,
            "Subject": "CN=courses.myportal.com"
        }
    }
Is this an expected behaviour for AWS ACM? I searched the ACM documentation and found nothing explaining this behaviour.
Can you help me?
I'm using node 8.10 on MacOS 10.13.5 with the latest sdk version (2.270.1)
Hi @danielbdias, usually we don't alter the response. Can you please provide the original http response body you got? You can log it like this:

    acm.describeCertificate(params, function() {
        // inside the callback, `this` is the SDK response object
        console.log('origin response: ', this.httpResponse.body.toString());
    })

And you can try inspecting the http response from the CLI as well by attaching --debug at the end of the command:

    aws acm describe-certificate --certificate-arn XXXXXX --debug

Then search for "DEBUG - Response body:" and you will see the body. If the fields don't exist at all then it is possible the CLI adds some customization for this.
Same here. I need ResourceRecord in client. I am getting the same response. ResourceRecord is missing. Any idea?
Hi, @AllanFly120 I'll try to do this! For now, I discovered a workaround to my problem.
I'm calling acm.describeCertificate just after acm.requestCertificate, but it seems that ACM hasn't generated the ResourceRecord yet, returning no ResourceRecord after the call.
Thinking about this, I added a "wait" command before calling acm.describeCertificate for the first time, in code very similar to this:

    // resolve after the given number of seconds
    const wait = async function (timeInSeconds) {
        await new Promise(resolve => setTimeout(resolve, timeInSeconds * 1000))
    }

    async function createCertificate(params) {
        //...
        const { CertificateArn } = await acm.requestCertificate(params).promise()
        await wait(10)
        const certificateOptions = await acm.describeCertificate({ CertificateArn }).promise()
        // now it returns ResourceRecord !
        //...
    }

And now I can capture the ResourceRecord to validate the certificate with DNS.
The entire process of creating and validating a certificate took me about 1 min (due to the waiting in the validation process), so 10 seconds of waiting was not a problem in my case.
Thanks!
That's correct Daniel, in a straight process a delay is necessary to get the DNS configuration values.
Thanks
@danielbdias Thanks for the investigation. I believe this is why we cannot fetch the ResourceRecord at first. Also for your information, our SDK provides a waiter to validate the certificate. You can request a certificate and call the waiter; the SDK will call describeCertificate automatically for as long as 40 minutes.

    // the waiter state name is camelCase: 'certificateValidated'
    acm.waitFor('certificateValidated', {CertificateArn: 'XXX'}, (err, data) => {
        //do something
    })
@danielbdias,
It looks like this has been resolved. I'm going to close this issue soon unless there's anything further.
Hi @srchase ,
Ok! This issue is solved.
Thanks!
Something is not clear to me in this issue: as @AllanFly120 said, there is a waitFor method to wait for certificate validation, but in my case (and I understood that @AllanFly120 was in the same case as I am) I need to describe the certificate to get the DNS record to set in order for the certificate to validate at some point. So the waitFor method does not help because it won't resolve before I call describeCertificate. So as far as I know this issue is not fixed.
Here is a simplified version of my code to make sure I'm understood:

    const { CertificateArn } = await acm.requestCertificate({
        DomainName: 'example.com',
        ValidationMethod: "DNS"
    }).promise()
    // I still have no solution to remove this line
    await new Promise(resolve => setTimeout(resolve, 5000));
    const { Certificate } = await acm.describeCertificate({ CertificateArn }).promise();
    // I could not access this record unless I wait for some delay above
    const record = Certificate.DomainValidationOptions[0].ResourceRecord
    await route53.changeResourceRecordSets({
        HostedZoneId: hostedZone.Id,
        ChangeBatch: {
            Changes: [
                {
                    Action: "UPSERT",
                    ResourceRecordSet: {
                        Name: record.Name,
                        Type: record.Type,
                        ResourceRecords: [{ Value: record.Value }],
                        TTL: 3600
                    }
                }
            ]
        }
    })
    .promise()
    await acm.waitFor("certificateValidated", { CertificateArn, $waiter: { delay: 10 }}).promise()

Am I missing something?
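
Added example, not part of any comment in this thread and not SDK code: one way to replace the fixed sleep is to poll describeCertificate with capped backoff until every DNS validation option carries a ResourceRecord, fail after a bounded number of attempts, and collapse the CNAME that a wildcard shares with its base name before building the Route 53 change batch. The helper names, the `fakeAcm` stub and the default timings are hypothetical; `acm` is assumed to have the aws-sdk v2 `describeCertificate(params).promise()` shape used above.

```javascript
// Added example (not from the thread or the SDK). `acm` is anything exposing
// describeCertificate(params).promise(), the aws-sdk v2 shape; helper names are hypothetical.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// A wildcard name and its base name share one CNAME; keep one copy of each
// so the Route 53 change batch does not repeat a record set.
function dedupeRecords(records) {
  const seen = new Map();
  for (const r of records) seen.set(`${r.Type} ${r.Name}`, r);
  return [...seen.values()];
}

// Poll describeCertificate until every DNS option has a ResourceRecord; fail after `attempts`.
async function waitForValidationRecords(acm, CertificateArn, opts = {}) {
  const { attempts = 10, delayMs = 1000, maxDelayMs = 8000 } = opts;
  let delay = delayMs;
  for (let i = 0; i < attempts; i++) {
    const { Certificate } = await acm.describeCertificate({ CertificateArn }).promise();
    const options = (Certificate.DomainValidationOptions || [])
      .filter((o) => o.ValidationMethod === 'DNS');
    if (options.length > 0 && options.every((o) => o.ResourceRecord)) {
      return dedupeRecords(options.map((o) => o.ResourceRecord));
    }
    if (i < attempts - 1) {
      await sleep(delay);
      delay = Math.min(delay * 2, maxDelayMs); // exponential backoff, capped
    }
  }
  throw new Error(`No ResourceRecord for ${CertificateArn} after ${attempts} attempts`);
}

// One UPSERT per distinct record, shaped for route53.changeResourceRecordSets.
function toChangeBatch(records, ttl = 300) {
  return { Changes: records.map((r) => ({
      Action: 'UPSERT',
      ResourceRecordSet: { Name: r.Name, Type: r.Type, TTL: ttl,
        ResourceRecords: [{ Value: r.Value }] },
  })) };
}

// Constructed stub: serves the given Certificate objects in order, repeating the last.
function fakeAcm(certs) {
  let n = 0;
  const next = async () => ({ Certificate: certs[Math.min(n++, certs.length - 1)] });
  return { calls: () => n, describeCertificate: () => ({ promise: next }) };
}
```

With the real client, the returned records go to `route53.changeResourceRecordSets({ HostedZoneId, ChangeBatch: toChangeBatch(records) })`, after which the `certificateValidated` waiter can be used as in the comments above.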