
aws-certificatemanager: DnsValidatedCertificate does not work with multi-zone dns validation


Describe the bug

When requesting a certificate whose Subject Alternative Names span multiple Route53 HostedZones, and providing a hostname-to-hosted-zone mapping with CertificateValidation.FromDnsMultiZone, the certificate requestor tries to add validation entries only into the hosted zone provided on the DnsValidatedCertificate.

Expected Behavior

DnsValidatedCertificate should use the mappings between name and hosted zone provided in the FromDnsMultiZone mapping

Current Behavior

The custom resource returns the following message during deployment:

Received response status [FAILED] from custom resource. Message returned: [RRSet with DNS name _omitted.example.com. is not permitted in zone another.com.]

Reproduction Steps

Example stack (Python)

from aws_cdk import (
    Stack,
    aws_route53 as route53,
    aws_certificatemanager as acm,
)
from constructs import Construct

class DnsValidationStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Three existing hosted zones, one per domain the certificate covers.
        example_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "ExampleZone", hosted_zone_id="AAAAAAAA1111", zone_name="example.com"
        )
        another_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "AnotherZone", hosted_zone_id="BBBBBBBB2222", zone_name="another.com"
        )
        third_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "ThirdZone", hosted_zone_id="CCCCCCCCC3333", zone_name="third.com"
        )

        # hosted_zone is the single zone the custom resource writes into today;
        # the multi-zone mapping below is what it should use instead.
        acm.DnsValidatedCertificate(
            self,
            "SANCertificate",
            domain_name="test.example.com",
            hosted_zone=example_zone,
            subject_alternative_names=["test.another.com", "test.third.com"],
            validation=acm.CertificateValidation.from_dns_multi_zone(
                {"test.example.com": example_zone, "test.another.com": another_zone, "test.third.com": third_zone}
            ),
        )

Possible Solution

The CertificateValidator provided in ICertificate should be used in DnsValidatedCertificate to build the mapping that is passed into the custom resource.

Currently, only subjectAlternativeNames is the input here: https://github.com/aws/aws-cdk/blob/4537b3fc1b726dd8cbaadd0c52c35b6f31328e3d/packages/%40aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js#L94

The mappings generated from CertificateValidator should be passed to the creator lambda in addition to this: https://github.com/aws/aws-cdk/blob/4537b3fc1b726dd8cbaadd0c52c35b6f31328e3d/packages/%40aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts#L123

Additional Information/Context

No response

CDK CLI Version

2.27.0

Framework Version

No response

Node.js Version

v16.13.2

OS

Windows/Linux

Language

Typescript, Python

Language Version

Any

Other information

No response
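The Possible Solution section above asks the custom resource to route each validation record to the hosted zone that owns it instead of writing every record into the single hosted_zone. The following is an added example, not the aws-cdk handler's code: it models that routing over the shape of ACM's DescribeCertificate DomainValidationOptions, checks that a record actually belongs to the chosen zone (the condition Route 53 otherwise rejects with "RRSet ... is not permitted in zone"), and groups the resulting UPSERTs per hosted zone so they can be submitted as one change batch each. The validation record names and values are constructed sample data; the zone ids are the ones from the reproduction stack. As an extension beyond the issue, a domain with no explicit mapping falls back to the longest matching zone suffix.

```python
"""Route ACM DNS-validation records to the hosted zone that owns them.

Added example (not the aws-cdk handler). Models the per-domain zone mapping
that CertificateValidation.from_dns_multi_zone provides and that the custom
resource should honour.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class HostedZone:
    hosted_zone_id: str
    zone_name: str  # apex name of the zone, e.g. "example.com"


def _normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare consistently."""
    return name.lower().rstrip(".")


def record_in_zone(record_name: str, zone_name: str) -> bool:
    """True if record_name is the zone apex or a name beneath it."""
    rec, zone = _normalize(record_name), _normalize(zone_name)
    return rec == zone or rec.endswith("." + zone)


def zone_for_domain(domain: str, domain_to_zone: Dict[str, HostedZone]) -> HostedZone:
    """Exact mapping first; otherwise the zone with the longest matching suffix."""
    key = _normalize(domain)
    exact = {_normalize(d): z for d, z in domain_to_zone.items()}
    if key in exact:
        return exact[key]
    candidates = [z for z in domain_to_zone.values() if record_in_zone(key, z.zone_name)]
    if not candidates:
        raise KeyError(f"no hosted zone mapped for {domain}")
    return max(candidates, key=lambda z: len(_normalize(z.zone_name)))


def build_change_batches(
    validation_options: List[dict], domain_to_zone: Dict[str, HostedZone], ttl: int = 60
) -> Dict[str, List[dict]]:
    """Group validation CNAME upserts by hosted zone id.

    Raises ValueError before anything is submitted if a record would land in a
    zone that does not own it, instead of letting Route 53 reject the batch.
    """
    batches: Dict[str, List[dict]] = {}
    for opt in validation_options:
        zone = zone_for_domain(opt["DomainName"], domain_to_zone)
        rr = opt["ResourceRecord"]
        if not record_in_zone(rr["Name"], zone.zone_name):
            raise ValueError(
                f"RRSet with DNS name {rr['Name']} is not permitted in zone {zone.zone_name}"
            )
        batches.setdefault(zone.hosted_zone_id, []).append(
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": rr["Name"],
                    "Type": rr["Type"],
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": rr["Value"]}],
                },
            }
        )
    return batches


# Zones from the reproduction stack.
ZONES = {
    "example.com": HostedZone("AAAAAAAA1111", "example.com"),
    "another.com": HostedZone("BBBBBBBB2222", "another.com"),
    "third.com": HostedZone("CCCCCCCCC3333", "third.com"),
}

# The mapping the from_dns_multi_zone call expresses.
DOMAIN_TO_ZONE = {
    "test.example.com": ZONES["example.com"],
    "test.another.com": ZONES["another.com"],
    "test.third.com": ZONES["third.com"],
}

# Constructed sample in the shape of DescribeCertificate's DomainValidationOptions;
# the record names and values are invented placeholders.
SAMPLE_VALIDATION_OPTIONS = [
    {"DomainName": "test.example.com",
     "ResourceRecord": {"Name": "_aaa111.test.example.com.", "Type": "CNAME",
                        "Value": "_aaa111.acm-validations.example."}},
    {"DomainName": "test.another.com",
     "ResourceRecord": {"Name": "_bbb222.test.another.com.", "Type": "CNAME",
                        "Value": "_bbb222.acm-validations.example."}},
    {"DomainName": "test.third.com",
     "ResourceRecord": {"Name": "_ccc333.test.third.com.", "Type": "CNAME",
                        "Value": "_ccc333.acm-validations.example."}},
]


def single_zone_mapping(default_zone: HostedZone) -> Dict[str, HostedZone]:
    """Mapping equivalent to today's behaviour: every domain goes to hosted_zone."""
    return {domain: default_zone for domain in DOMAIN_TO_ZONE}


if __name__ == "__main__":
    for zone_id, changes in build_change_batches(SAMPLE_VALIDATION_OPTIONS, DOMAIN_TO_ZONE).items():
        print(zone_id, [c["ResourceRecordSet"]["Name"] for c in changes])
```

Running the module prints one batch per zone. Passing single_zone_mapping(ZONES["example.com"]) instead reproduces the issue's failure mode: the second record belongs to another.com, so build_change_batches raises the "not permitted in zone" ValueError locally rather than at deploy time.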

Issue Analytics

  • State: closed
  • Created: a year ago
  • Reactions: 14
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

jamiepmullan commented, Aug 2, 2022 (8 reactions)

@NGL321 Are there any updates on this? Just ran into this problem.

github-actions[bot] commented, Sep 1, 2022 (0 reactions)

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
