I have a sub-domain that I need to validate through email; however, Terraform sets the output email domain to be the same as the sub-domain. I tried with the ACM web console and there were no problems.
Am I wrong, or is this a bug?
resource "aws_acm_certificate" "cert" {
domain_name = "sub.domain.com"
validation_method = "EMAIL"
}
Checking terraform.tfstate, it showed:
"validation_emails.#": "5",
"validation_emails.0": "[email protected]",
"validation_emails.1": "[email protected]",
"validation_emails.2": "[email protected]",
"validation_emails.3": "[email protected]",
"validation_emails.4": "[email protected]",
"validation_method": "EMAIL"
It should be
"validation_emails.#": "5",
"validation_emails.0": "[email protected]",
"validation_emails.1": "[email protected]",
"validation_emails.2": "[email protected]",
"validation_emails.3": "[email protected]",
"validation_emails.4": "[email protected]",
"validation_method": "EMAIL"
Hi @ducthien1490
Unfortunately that's not how ACM email validation works, as mentioned in the AWS user guide.
AWS will always send emails to the 5 listed addresses at the requested domains, except when the ACM cert is for www. or *. in which case it will ignore the first label and send to the parent domain.
So for the following domains you should get validation emails sent to the following addresses (plus the other related ones):
example.com => [email protected]
foo.example.com => [email protected]
www.example.com => [email protected]
*.example.com => [email protected]
You could create MX records in the sub domain and point them to a mail server or you could switch to DNS validation instead which is generally a better idea unless there's an organisational reason you can't do that.
Prior to ACM supporting DNS validation I would create MX records in the subdomains I needed certs for that pointed to SES and then had a Lambda function automatically process the validation links in the emails that ended up in an S3 bucket. Nowadays it's much easier to just use the DNS validation for ACM certs instead.
@tomelliff : However, I have successfully validated sub.domain.com on the AWS Web Console, where AWS ACM automatically recognized foo.example.com as a sub-domain of example.com.
So in my project, I had to manually request the certificate for the sub-domain and import it into the infra code.
Can you either point to some docs that show this or explain how to reproduce this outside of Terraform?
It certainly didn't use to be possible, and the link to the AWS user guide I posted above also implies that that's still the case, but maybe there's something new I'm missing.
Out of curiosity is there a reason you are using email validation instead of DNS validation?
@tomelliff : Sorry, I can't point that out here but I'm pretty sure that it works on Web Console of AWS.
I tried to use DNS validation several times and it took much more time to verify the domain than through email, because we have permissions to access the domain management.
@tomelliff I have the same exact issue; it can be fixed with an API option, AWS docs below:
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.html (under Notes)
https://docs.aws.amazon.com/acm/latest/APIReference/API_DomainValidationOption.html#ACM-Type-DomainValidationOption-ValidationDomain
Ensure that email is sent to the administrative addresses for an apex domain, such as example.com, rather than to the administrative addresses for a subdomain, such as test.example.com. To do that, specify the ValidationDomain option in the RequestCertificate API or the request-certificate AWS CLI command. This feature is not currently supported when you use the console to request a certificate.
This seems to be the default behaviour when using the AWS Web Console. I tested creating a cert for a sub-domain manually and it just used the apex domain.
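A small model of the addressing rules tomelliff describes above and of the ValidationDomain override quoted from the AWS docs, added here as an example (not code from the issue thread or from the provider); the five administrative mailbox names are those listed in the ACM user guide, and the rule that ValidationDomain must be the requested name or a superdomain of it follows the linked API reference:

```python
from typing import List, Optional

# Administrative mailboxes ACM mails at the validation domain (per the ACM
# user guide); the WHOIS contact addresses it also notifies are not modelled.
ADMIN_MAILBOXES = ("administrator", "hostmaster", "postmaster", "webmaster", "admin")


def default_validation_domain(domain_name: str) -> str:
    """Domain ACM mails when no ValidationDomain is given.

    ACM uses the requested name itself, except that a leading 'www.' or
    wildcard '*.' label is dropped so the parent domain is used instead.
    """
    labels = domain_name.lower().rstrip(".").split(".")
    if len(labels) > 2 and labels[0] in ("www", "*"):
        return ".".join(labels[1:])
    return ".".join(labels)


def is_superdomain(candidate: str, domain_name: str) -> bool:
    """True if candidate equals domain_name or is one of its parent domains."""
    cand = candidate.lower().rstrip(".")
    name = domain_name.lower().rstrip(".")
    return cand == name or name.endswith("." + cand)


def validation_emails(domain_name: str, validation_domain: Optional[str] = None) -> List[str]:
    """Return the addresses ACM will mail for a certificate request.

    validation_domain corresponds to the ValidationDomain API option (the
    --domain-validation-options ValidationDomain= value on the CLI). Per the
    API reference it must be the requested name or a superdomain of it; an
    invalid value is modelled here as a ValueError.
    """
    if validation_domain is None:
        target = default_validation_domain(domain_name)
    else:
        if not is_superdomain(validation_domain, domain_name):
            raise ValueError(f"{validation_domain!r} is not {domain_name!r} or a superdomain of it")
        target = validation_domain.lower().rstrip(".")
    return [f"{mailbox}@{target}" for mailbox in ADMIN_MAILBOXES]


if __name__ == "__main__":
    # The case from this thread: a plain sub-domain is mailed at the sub-domain
    # by default, and only reaches the apex when ValidationDomain is set.
    print(validation_emails("sub.domain.com"))
    print(validation_emails("sub.domain.com", validation_domain="domain.com"))
```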
Yep, looks like that is an available option right now so I guess this should be a feature request to support the ValidationDomain for email validated ACM certificates.
Cheers will open one.
@ducthien1490 FYI for now I'm just issuing a wildcard cert for each domain (*.domain.com)
This issue looks related to https://github.com/terraform-providers/terraform-provider-aws/issues/3851 so I am going to close this in favor of #3851. If you think this issue is different or was closed in error please feel free to ping the thread and I would gladly reopen.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!