Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
[aws-certificatemanager] New DNS validation method not working due to route53 error
See original GitHub issueI saw that there was a new preferred way of creating certificates via DNS validation: https://github.com/aws/aws-cdk/pull/8552. I tried replacing our current DnsValidatedCertificate resources with Certificate with DNS validation method specified for validation, but it doesn’t seem to work for me as it gets a route53 error: Service: AmazonRoute53; Status Code: 400; Error Code: InvalidChangeBatch;. After switching back to DnsValidatedCertificate, it starts working again.
Reproduction Steps
This is the DnsValidatedCertificate method that works:
const externalHostedZone = route53.HostedZone.fromHostedZoneAttributes(this, 'ExternalHostedZone', {
hostedZoneId: props.externalZoneId,
zoneName: props.domainName
});
this.defaultCertificate = new certificatemanager.DnsValidatedCertificate(this, 'DefaultCertificate', {
domainName: '*.' + externalHostedZone.zoneName,
hostedZone: externalHostedZone,
subjectAlternativeNames: [externalHostedZone.zoneName]
});
And this doesn’t work:
const externalHostedZone = route53.HostedZone.fromHostedZoneAttributes(this, 'ExternalHostedZone', {
hostedZoneId: props.externalZoneId,
zoneName: props.domainName
});
this.defaultCertificate = new certificatemanager.Certificate(this, 'DefaultCertificate', {
domainName: '*.' + externalHostedZone.zoneName,
validation: certificatemanager.CertificateValidation.fromDns(externalHostedZone),
subjectAlternativeNames: [externalHostedZone.zoneName]
});
Error Log
I first see a message that looks like it’s attempting the correct DNS record:
Content of DNS Record is: {Name: _64bdf27fde66ffe03781a30f892765aa.shopvox-dev.com.,Type: CNAME,Value: _f747a4bd656f7214046e0c2be79f5c0e.tfmgdnztqk.acm-validations.aws.}
followed by
[The request contains an invalid set of changes for a resource record set 'CNAME _64bdf27fde66ffe03781a30f892765aa.shopvox-dev.com.'] (Service: AmazonRoute53; Status Code: 400; Error Code: InvalidChangeBatch; Request ID: fb78d552-8545-4e05-9869-d7d9a5e6dc1e)
Environment
- CLI Version : 1.54
- Framework Version: 1.54
- Node.js Version: v14.4.0
- OS :
- Language (Version): Typescript 3.7.5
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Comments:6 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Also hitting this, though it seems to only be an issue when the hosted zone is from
HostedZone.fromHostedZoneAttributesas the same codepath works fine when the hosted zone is created by the app which is generating the certificate.I’m experiencing a potential regression of this issue while attempting to create a certificate with both a domainName of
example.comand an alternative name of*.example.comon cdk version 1.98.0Fortunately I have a comprehensive list of subdomains for this stack I can use as a workaround, but I’m curious if others are also experiencing this issue again.