
aws-certificatemanager: DnsValidatedCertificate does not work with multi-zone dns validation #20774

Closed
pergardebrink opened this issue Jun 17, 2022 · 5 comments
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager bug This issue is a bug. p1

Comments

@pergardebrink

pergardebrink commented Jun 17, 2022

Describe the bug

When requesting a certificate whose Subject Alternative Names span multiple Route53 HostedZones, and providing a mapping between hostname and hosted zone with CertificateValidation.FromDnsMultiZone, the certificate requestor tries to add the validation entries only into the hosted zone provided on the DnsValidatedCertificate.

Expected Behavior

DnsValidatedCertificate should use the mappings between name and hosted zone provided in the FromDnsMultiZone mapping.

Current Behavior

The custom resource returns the following message during deployment:

Received response status [FAILED] from custom resource. Message returned: [RRSet with DNS name _omitted.example.com. is not permitted in zone another.com.]

Reproduction Steps

Example stack (Python)

from aws_cdk import (
    App,
    Stack,
    aws_route53 as route53,
    aws_certificatemanager as acm,
)
from constructs import Construct

class DnsValidationStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Three existing hosted zones, one per domain on the certificate.
        # The hosted zone ids are placeholders from the report.
        example_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "ExampleZone", hosted_zone_id="AAAAAAAA1111", zone_name="example.com"
        )
        another_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "AnotherZone", hosted_zone_id="BBBBBBBB2222", zone_name="another.com"
        )
        third_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "ThirdZone", hosted_zone_id="CCCCCCCCC3333", zone_name="third.com"
        )

        # SAN certificate with a per-name hosted zone mapping; the bug is that
        # the custom resource only ever writes validation records into
        # `hosted_zone` (example_zone) and ignores the mapping below.
        acm.DnsValidatedCertificate(
            self,
            "SANCertificate",
            domain_name="test.example.com",
            hosted_zone=example_zone,
            subject_alternative_names=["test.another.com", "test.third.com"],
            validation=acm.CertificateValidation.from_dns_multi_zone(
                {"test.example.com": example_zone, "test.another.com": another_zone, "test.third.com": third_zone}
            ),
        )

# Synthesize the stack so it can be deployed with `cdk deploy` to reproduce.
app = App()
DnsValidationStack(app, "DnsValidationStack")
app.synth()

Possible Solution

The CertificateValidator provided in ICertificate should be used in DnsValidatedCertificate to build the mapping between names and hosted zones and pass it into the custom resource.

Currently, only subjectAlternativeNames is the input here:

The mappings generated from CertificateValidator should be passed to the creator lambda in addition to this:

SubjectAlternativeNames: cdk.Lazy.list({ produce: () => props.subjectAlternativeNames }, { omitEmpty: true }),

Additional Information/Context

No response

CDK CLI Version

2.27.0

Framework Version

No response

Node.js Version

v16.13.2

OS

Windows/Linux

Language

Typescript, Python

Language Version

Any

Other information

No response

@pergardebrink pergardebrink added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 17, 2022
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Jun 17, 2022
@NGL321 NGL321 added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Jun 17, 2022
@Rooster212

I've also experienced this issue recently - it confused me for a few hours before I worked out that the validation in Certificate Manager was hanging/waiting on a second DNS validation.

In my case, I have a domain name X.uk, a domain name wildcard *.X.uk, and then a subdomain wildcard cert *.dev.X.uk - the subdomain wildcard certificate needs to be validated via a second hosted zone (as I am using another hosted zone for the subdomain).

Pretty clear when you see it like this what the issue is:

[Screenshot: 2022-06-29 at 13:07:53]

For me the workaround will just be to create a certificate that only requires one hosted zone to be used (or I could create 2 certificates). But I look forward to seeing this fixed.
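As an added example (not code from the aws-cdk project or from either commenter above), the following Python models what a multi-zone DNS validation has to do: derive the `_<token>.<name>.` CNAME that ACM asks for from each certificate name, route it to the hosted zone named in a from_dns_multi_zone-style mapping, and check the result the way Route 53 does. It covers both the reporter's three-zone SAN case (where ignoring the mapping produces the "RRSet ... is not permitted in zone" failure) and the delegated-subdomain wildcard case from the comment above (where Route 53 accepts the record in the parent zone but ACM never sees it, so the stack hangs instead of failing). Hosted zone ids and validation tokens are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class HostedZone:
    zone_name: str
    zone_id: str  # constructed placeholder ids, not real Route 53 zone ids


@dataclass(frozen=True)
class ValidationRecord:
    domain: str       # name on the certificate, e.g. "*.dev.example.com"
    record_name: str  # CNAME ACM asks for, e.g. "_token.dev.example.com."
    zone: HostedZone  # hosted zone the record would be written into


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so names compare uniformly."""
    return name.lower().rstrip(".")


def validation_record_name(domain: str, token: str) -> str:
    """ACM validates '_<token>.<name>.'; a wildcard name is validated on its
    base name, so the leading '*.' is removed first."""
    base = _norm(domain)
    if base.startswith("*."):
        base = base[2:]
    return f"_{token}.{base}."


def record_permitted_in_zone(record_name: str, zone: HostedZone) -> bool:
    """Route 53 only accepts an RRSet at or below the zone apex."""
    rec, apex = _norm(record_name), _norm(zone.zone_name)
    return rec == apex or rec.endswith("." + apex)


def plan_validation_records(domains, tokens, zone_for_name, default_zone):
    """One CNAME per certificate name. zone_for_name is a from_dns_multi_zone
    style mapping; names missing from it fall back to default_zone, which is
    the role of DnsValidatedCertificate's hosted_zone argument."""
    return [
        ValidationRecord(d, validation_record_name(d, tokens[d]),
                         zone_for_name.get(_norm(d), default_zone))
        for d in domains
    ]


def rejected_records(plan):
    """Messages Route 53 would return for records placed outside their zone."""
    return [
        f"RRSet with DNS name {r.record_name} is not permitted in zone "
        f"{_norm(r.zone.zone_name)}."
        for r in plan if not record_permitted_in_zone(r.record_name, r.zone)
    ]


def shadowed_records(plan, known_zones):
    """Records Route 53 accepts but that sit in a parent zone while a more
    specific known zone (a delegated subdomain) is authoritative for the name.
    Such a record is never served, so ACM keeps waiting instead of failing."""
    hidden = []
    for r in plan:
        parent = _norm(r.zone.zone_name)
        for z in known_zones:
            if (_norm(z.zone_name).endswith("." + parent)
                    and record_permitted_in_zone(r.record_name, z)):
                hidden.append(r.record_name)
                break
    return hidden


# Constructed sample input mirroring the two reports in this thread.
EXAMPLE = HostedZone("example.com", "ZEXAMPLE-PLACEHOLDER")
ANOTHER = HostedZone("another.com", "ZANOTHER-PLACEHOLDER")
THIRD = HostedZone("third.com", "ZTHIRD-PLACEHOLDER")
DEV = HostedZone("dev.example.com", "ZDEV-PLACEHOLDER")  # delegated subdomain
ALL_ZONES = [EXAMPLE, ANOTHER, THIRD, DEV]

DOMAINS = ["test.example.com", "test.another.com", "test.third.com", "*.dev.example.com"]
TOKENS = {d: f"tok{i}" for i, d in enumerate(DOMAINS, 1)}  # placeholder tokens
MULTI_ZONE = {"test.example.com": EXAMPLE, "test.another.com": ANOTHER,
              "test.third.com": THIRD, "*.dev.example.com": DEV}


def buggy_plan():
    """Behaviour the issue describes: the mapping is ignored and every record
    targets the single hosted_zone."""
    return plan_validation_records(DOMAINS, TOKENS, {}, EXAMPLE)


def fixed_plan():
    """Behaviour the reporter expects: each record goes to its mapped zone."""
    return plan_validation_records(DOMAINS, TOKENS, MULTI_ZONE, EXAMPLE)


if __name__ == "__main__":
    for label, plan in (("ignoring mapping", buggy_plan()), ("using mapping", fixed_plan())):
        print(f"== {label}")
        for r in plan:
            print(f"  {r.record_name:<30} -> {r.zone.zone_name}")
        print("  rejected:", rejected_records(plan))
        print("  shadowed:", shadowed_records(plan, ALL_ZONES))
```

Running the script shows the two failure modes side by side: with the mapping ignored, the another.com and third.com records are rejected outright, while the wildcard record for the delegated dev zone is accepted by the parent zone and only shows up as shadowed, which is the silent hang described in the comment. With the mapping applied, neither list has entries.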

@jamiepmullan
Contributor

jamiepmullan commented Aug 2, 2022

@NGL321 Are there any updates on this? Just ran into this problem.

@taylorb-syd

Duplicate of #8934, #15217, and #21040. Consolidating issues into #8934.

@comcalvi
Contributor

comcalvi commented Sep 1, 2022

Please bring discussion on this to #8934.

@comcalvi comcalvi closed this as not planned Sep 1, 2022
@github-actions

github-actions bot commented Sep 1, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
