aws-certificatemanager: DnsValidatedCertificate does not work with multi-zone dns validation

[pergardebrink]

Describe the bug

When requesting a certificate and specifying Subject Alternative Names spanning over multiple Route53 HostedZones and providing a mapping between hostname and hostedzone with CertificateValidation.FromDnsMultiZone, the certificate requestor tries to add validation entries into the hosted zone provided on the DnsValidatedCertificate only

Expected Behavior

DnsValidatedCertificate should use the mappings between name and hosted zone provided in the FromDnsMultiZone mapping

Current Behavior

The custom resource returns the following message during deployment:

Received response status [FAILED] from custom resource. Message returned: [RRSet with DNS name _omitted.example.com. is not permitted in zone another.com.]

Reproduction Steps

Example stack (Python)

from aws_cdk import (
    Stack,
    aws_route53 as route53,
    aws_certificatemanager as acm,
)
from constructs import Construct

class DnsValidationStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        example_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "ExampleZone", hosted_zone_id="AAAAAAAA1111", zone_name="example.com"
        )
        another_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "AnotherZone", hosted_zone_id="BBBBBBBB2222", zone_name="another.com"
        )
        third_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "ThirdZone", hosted_zone_id="CCCCCCCCC3333", zone_name="third.com"
        )

        acm.DnsValidatedCertificate(
            self,
            "SANCertificate",
            domain_name="test.example.com",
            hosted_zone=example_zone,
            subject_alternative_names=["test.another.com", "test.third.com"],
            validation=acm.CertificateValidation.from_dns_multi_zone(
                {"test.example.com": example_zone, "test.another.com": another_zone, "test.third.com": third_zone}
            ),
        )

Possible Solution

The CertificateValidator provided in ICertificate should be used in DnsValidatedCertificate to build the mapping between and passed into the custom resource.

Currently, only subjectAlternativeNames is the input here:

aws-cdk/packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js

Line 94 in 4537b3f

SubjectAlternativeNames: subjectAlternativeNames,

The mappings generated from CertificateValidator should be passed to the creatorlambda in addition to this:

aws-cdk/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts

Line 123 in 4537b3f

SubjectAlternativeNames: cdk.Lazy.list({ produce: () => props.subjectAlternativeNames }, { omitEmpty: true }),

Additional Information/Context

No response

CDK CLI Version

2.27.0

Framework Version

No response

Node.js Version

v16.13.2

OS

Windows/Linux

Language

Typescript, Python

Language Version

Any

Other information

No response

[Rooster212]

I've also experienced this issue recently - it confused me for a few hours before I worked out that the validation in Certificate Manager was hanging/waiting on a second DNS validation.

In my case, I have a domain name X.uk, a domain name wildcard *.X.uk, and then a subdomain wildcard cert *.dev.X.uk - the subdomain wildcard certificate needs to be validated via a second hosted zone (as I am using another hosted zone for the subdomain)

Pretty clear when you see it like this what the issue is:

For me the workaround will just be to create a certificate that only requires one hosted zone to be used (or i could create 2 certificates). But I look forward to seeing this fixed.

[jamiepmullan]

@NGL321 Are there any updates on this? Just ran into this problem.

[taylorb-syd]

Duplicate of #8934, #15217, and #21040. Consolidating issues into #8934.

[comcalvi]

please bring discussion on this to #8934.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.