Terraform-provider-aws: aws_acm_certificate can't validate after success

Created on 20 Sep 2018  ·  10 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

2018/09/19 18:23:59 [INFO] Terraform version: 0.11.7 41e50bd32a8825a84535e353c3674af8ce799161
2018/09/19 18:23:59 [INFO] Go runtime version: go1.10.1
2018/09/19 18:23:59 [INFO] CLI args: []string{"/Users/kyle/bin/terraform", "-v"}
2018/09/19 18:23:59 [DEBUG] Attempting to open CLI config file: /Users/kyle/.terraformrc
2018/09/19 18:23:59 Loading CLI configuration from /Users/kyle/.terraformrc
2018/09/19 18:23:59 [INFO] CLI command args: []string{"version", "-v"}
Terraform v0.11.7

  • provider.archive v1.1.0
  • provider.aws v1.37.0

Affected Resource(s)

  • aws_acm_certificate

Debug Output

https://gist.github.com/canadiannomad/1365cebe63686112ae5114c1cdd974c8

Actual Behavior

I have a certificate that is nowhere near renewal time that I created and have been using with terraform for quite some time. Today when I ran a terraform plan I get an error No validation options need to retry
But I'm not in need of validating at this time.

Expected Behavior

Should proceed when

ValidationMethod: "EMAIL",
ValidationStatus: "SUCCESS"

is found.

Steps to Reproduce

  1. Have an existing aws_acm_certificate that is already validated via EMAIL.

     resource "aws_acm_certificate" "mysite" {
       domain_name       = "mysite.com"
       validation_method = "EMAIL"
     }

  2. terraform plan
  3. Errors out with No validation options need to retry

Important Factoids

I'm thinking describe-certificate no longer sends emails when ValidationStatus == SUCCESS

Labels: bug, service/acm

All 10 comments

It seems that the DNS validation has the same issue.

Yes can confirm that this is happening for DNS validation in the same way with validation_method = "DNS". Some interesting things I noticed are that for the failing certificates (2),

  • AWS Console / ACM is unable to load Validation Status box (loading spinner, status is Success)
  • the "Export DNS configuration to a file" link is not clickable.

This is not the case for the certificates (3) that work. Additionally for one failing certificate I have discovered that the CNAME records were missing but for the other failing certificate, they were present so this may be unrelated.

All certificates are "Issued" and working.

We are having the same issue @eguven mentioned. Is there any workaround?

I got the same issue with DNS validation. I fixed it with this workaround:
terraform state rm "aws_acm_certificate.your_certificate"
terraform apply
And then remove the old one on the AWS web console.

I've also hit this when trying to import an existing cert. I saw the caveat about import in the docs but it only mentions non-AMAZON_ISSUED certs, and mine is one.

Edit: Adding the output from aws acm describe-certificate --certificate-arn <redacted arn> --query=Certificate.DomainValidationOptions below:

[
    {
        "DomainName": "example.com",
        "ValidationDomain": "example.com",
        "ValidationStatus": "SUCCESS",
        "ValidationMethod": "EMAIL"
    },
    {
        "DomainName": "*.example.com",
        "ValidationDomain": "example.com",
        "ValidationStatus": "SUCCESS",
        "ValidationMethod": "EMAIL"
    },
    {
        "DomainName": "*.private.example.com",
        "ValidationEmails": [
            "[email protected]",
            "[email protected]",
            "[email protected]",
            "[email protected]",
            "[email protected]",
            "[email protected]",
            "[email protected]"
        ],
        "ValidationDomain": "example.com",
        "ValidationStatus": "SUCCESS",
        "ValidationMethod": "EMAIL"
    }
]
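
An added example, not part of the comment above and not the provider's code: a Python check over the `Certificate.DomainValidationOptions` JSON returned by `aws acm describe-certificate`, which treats an entry with ValidationStatus SUCCESS as finished even when it carries no ValidationEmails or ResourceRecord, the behaviour this issue asks for. The sample data is constructed and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of the describe-certificate output above.
# The e-mail address is a placeholder; the last two entries are invented to
# show the pending states.
SAMPLE = json.loads("""
[
  {"DomainName": "example.com", "ValidationDomain": "example.com",
   "ValidationStatus": "SUCCESS", "ValidationMethod": "EMAIL"},
  {"DomainName": "*.private.example.com",
   "ValidationEmails": ["admin@example.com"],
   "ValidationDomain": "example.com",
   "ValidationStatus": "SUCCESS", "ValidationMethod": "EMAIL"},
  {"DomainName": "new.example.com", "ValidationMethod": "DNS",
   "ValidationStatus": "PENDING_VALIDATION"},
  {"DomainName": "dns.example.com", "ValidationMethod": "DNS",
   "ValidationStatus": "PENDING_VALIDATION",
   "ResourceRecord": {"Name": "_x.dns.example.com.", "Type": "CNAME",
                      "Value": "_y.acm-validations.aws."}}
]
""")


def classify(option):
    """Return 'validated', 'failed', 'pending' or 'retry' for one domain entry."""
    status = option.get("ValidationStatus")
    has_details = bool(option.get("ResourceRecord") or option.get("ValidationEmails"))
    if status == "SUCCESS":
        # Already validated: absent e-mails or records are not an error here.
        return "validated"
    if status == "FAILED":
        return "failed"
    # Status absent or PENDING_VALIDATION: details may not be populated yet.
    return "pending" if has_details else "retry"


def summarize(options):
    """Map each DomainName to its state and report whether a retry is warranted."""
    states = {o["DomainName"]: classify(o) for o in options}
    return states, any(s == "retry" for s in states.values())


if __name__ == "__main__":
    states, retry = summarize(SAMPLE)
    for name, state in states.items():
        print(f"{name:28} {state}")
    print("retry needed:", retry)
```

Running a check like this on the real output before applying the `terraform state rm` workaround shows whether the certificate is in fact fully validated.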

Hi folks 👋 Sorry for the trouble here. The fix for this should be merged (although it's not possible to acceptance test) and will be released in version 1.54.0 of the AWS provider, very shortly. 👍

This has been released in version 1.54.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

Ran into this with provider.aws v2.24.0

getting it with terraform-provider-aws_v2.33.0_x4, terraform 0.11.14

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
