[apigateway] The certificate provided must be owned by the account creating the domain #13512

Closed
Lock128 opened this issue Mar 10, 2021 · 10 comments
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed.

Lock128 commented Mar 10, 2021

I have a manually imported certificate in ACM in us-east-1 (not part of the CDK stack) and an EDGE API created by CDK in eu-central-1

Unfortunately when trying to deploy the stack I am getting

    3/26 | 1:04:21 AM | CREATE_FAILED | AWS::ApiGateway::DomainName | Widgets/Widgets-API/CustomDomain (WidgetsWidgetsAPICustomDomainAFFC7939) Invalid request provided: The certificate provided must be owned by the account creating the domain. (Service: ApiGateway, Status Code: 400, Request ID: 368eb32d-f0e0-442e-b38e-31590def84e4, Extended Request ID: null)
    109 | new DomainName (/tmp/jsii-kernel-g3fCMN/node_modules/@aws-cdk/aws-apigateway/lib/domain-name.js:36:26)
    110 | _ RestApi.addDomainName (/tmp/jsii-kernel-g3fCMN/node_modules/@aws-cdk/aws-apigateway/lib/restapi.js:83:28)
    111 | _ new RestApi (/tmp/jsii-kernel-g3fCMN/node_modules/@aws-cdk/aws-apigateway/lib/restapi.js:409:18)
    112 | _ /tmp/jsii-java-runtime2101771176231171458/lib/program.js:2720:58
    113 | _ Kernel._wrapSandboxCode (/tmp/jsii-java-runtime2101771176231171458/lib/program.js:3148:24)
    114 | _ Kernel._create (/tmp/jsii-java-runtime2101771176231171458/lib/program.js:2720:34)
    115 | _ Kernel.create (/tmp/jsii-java-runtime2101771176231171458/lib/program.js:2461:29)
    116 | _ KernelHost.processRequest (/tmp/jsii-java-runtime2101771176231171458/lib/program.js:9457:36)
    117 | _ KernelHost.run (/tmp/jsii-java-runtime2101771176231171458/lib/program.js:9420:22)
    118 | _ Immediate._onImmediate (/tmp/jsii-java-runtime2101771176231171458/lib/program.js:9421:46)
    119 | _ processImmediate (internal/timers.js:461:21)

Reproduction Steps

Java code used for API:

    String domainName = "api.domain.com";
    SecurityPolicy securityPolicy = SecurityPolicy.TLS_1_2;
    String certificateArn = "arn:aws:acm:us-east-1:acc:certificate/arn";
    ICertificate certificate = Certificate.fromCertificateArn(this, "sslCertificate", certificateArn);
    RestApi api = RestApi.Builder.create(this, "Widgets-API")
            .restApiName("Widget Service")
            .description("This service services widgets.")
            .domainName(DomainNameOptions.builder()
                    .domainName(domainName)
                    .securityPolicy(securityPolicy)
                    .certificate(certificate)
                    .build())
            .build();

What did you expect to happen?

I was expecting that "api.domain.com" is created as custom domain for the API Gateway

What actually happened?

Got the error message mentioned above

Environment

  • CDK CLI Version : 1.91.0 (build 0f728ce)
  • Framework Version:
  • Node.js Version: v15.8.0
  • OS : LinuxBuildImage.AMAZON_LINUX_2_3
  • Language (Version): Java 11

Other

see above


This is 🐛 Bug Report

@Lock128 Lock128 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 10, 2021
@github-actions github-actions bot added @aws-cdk/aws-apigateway Related to Amazon API Gateway @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager labels Mar 10, 2021

Lock128 commented Mar 10, 2021

I already checked that #10529, #9548 and #9608 do not help. CDK is bootstrapped into us-east-1 and eu-central-1.


nija-at commented Mar 18, 2021

Hey @Lock128 -

This doesn't seem to be related to the CDK.

According to the issue you've linked - #9548 - it seems that the certificate and ApiGateway need to be in the same region and account. However, I'm not intimately aware of the requirements and limitations of ACM.

You will need to contact the relevant teams via AWS support. Let us know if I misunderstood something here and this requires attention from the CDK.

@nija-at nija-at added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Mar 18, 2021

Lock128 commented Mar 20, 2021

Hey @nija-at

I think this is a CDK issue as somewhere it automatically references the certificate in the wrong region (in eu-central-1 where the apigateway is deployed, however due to the nature of the APIGateway using cloudfront to provide the HTTPS functionality, the certificate needs to be placed in the us-east-1 region).

Manually I was able to set up the custom domain

Regards
Johannes

@github-actions github-actions bot removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Mar 21, 2021

nija-at commented Mar 22, 2021

Hey @Lock128 - Thanks for your response.

You will need to provide a code sample and reproduction steps for me to proceed.

@nija-at nija-at added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager labels Mar 22, 2021
@nija-at nija-at changed the title [certificatemanager] The certificate provided must be owned by the account creating the domain. - ApiGateway [apigateway] The certificate provided must be owned by the account creating the domain Mar 22, 2021

Lock128 commented Mar 22, 2021

Hey @nija-at

here you are:
https://github.com/Lock128/aws-cdk-13512

in the credentials file I have

    [default]
    aws_access_key_id=XXX
    aws_secret_access_key=YYY
    region = eu-central-1

And obviously I have removed my ARN here

Let me know if you need anything else

Regards
Johannes


Lock128 commented Mar 22, 2021

    C:\Users\JohannesKoch\git-private\aws-cdk-13512>cdk --version
    1.91.0 (build 0f728ce)

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 23, 2021

nija-at commented Apr 7, 2021

The generated template references the ARN in only one place, namely the RegionalCertificateArn property, and it contains the correct region information -

    "WidgetsAPICustomDomainDC6E303E": {
      "Type": "AWS::ApiGateway::DomainName",
      "Properties": {
        "DomainName": "<##redacted##>",
        "EndpointConfiguration": {
          "Types": [
            "REGIONAL"
          ]
        },
        "RegionalCertificateArn": "<##redacted##>",
        "SecurityPolicy": "TLS_1_2"
      },
      "Metadata": {
        "aws:cdk:path": "AwsCdk13512Stack/Widgets-API/CustomDomain/Resource"
      }
    },

I'm still suspecting that this is something with APIGateway and CloudFormation.

As far as I can tell, I cannot see any other incorrect reference of region.

@nija-at nija-at added needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 7, 2021
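
As an added example (not part of the thread or of the CDK code base): a pre-deployment check over a synthesized template for the certificate placement rules discussed above, namely that a certificate referenced by `RegionalCertificateArn` must be in the API's own region, one referenced by `CertificateArn` (edge-optimized) must be in us-east-1, and either must belong to the deploying account. The function name, the account id 111122223333, the domain and the certificate id are assumptions; the sample template is constructed from the resource shape shown above.

```python
import json

EDGE_CERT_REGION = "us-east-1"  # ACM region required for edge-optimized domains

# Constructed sample: the resource shape from the thread, with placeholder
# values (account 111122223333, certificate id "example") for the redacted ones.
SAMPLE = json.loads("""
{"Resources": {"WidgetsAPICustomDomainDC6E303E": {
  "Type": "AWS::ApiGateway::DomainName",
  "Properties": {
    "DomainName": "api.example.com",
    "EndpointConfiguration": {"Types": ["REGIONAL"]},
    "RegionalCertificateArn":
      "arn:aws:acm:us-east-1:111122223333:certificate/example",
    "SecurityPolicy": "TLS_1_2"}}}}
""")


def check_domain_certs(template, stack_region, stack_account):
    """Return (logical_id, property, problem) for each certificate mismatch."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ApiGateway::DomainName":
            continue
        props = res.get("Properties", {})
        # CertificateArn serves edge-optimized domains, RegionalCertificateArn
        # serves regional ones; each has its own region requirement.
        wanted = {"CertificateArn": EDGE_CERT_REGION,
                  "RegionalCertificateArn": stack_region}
        for prop, region in wanted.items():
            arn = props.get(prop)
            if arn is None:
                continue
            if not isinstance(arn, str):  # Ref / Fn::* resolved at deploy time
                findings.append((logical_id, prop, "not a literal ARN"))
                continue
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) != 6 or parts[2] != "acm":
                findings.append((logical_id, prop, "not an ACM ARN"))
                continue
            if parts[3] != region:
                findings.append((logical_id, prop,
                                 f"certificate in {parts[3]}, needs {region}"))
            if parts[4] != stack_account:
                findings.append((logical_id, prop,
                                 f"certificate owned by {parts[4]}"))
    return findings
```

Run it against the output of `cdk synth` before deploying; an ARN supplied through `Ref` or another intrinsic function is reported as uncheckable rather than silently passed.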
@github-actions

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jun 17, 2022
@vsuzdaltsev

having the same issue
