fix(acm): enabled validation of certificates on the zone name (#2133)

As it is now, only certificates with subdomains are correctly validated Got help from @njlaw to find and correct the issue
aws · Apr 11, 2019 · f216f96 · f216f96
1 parent d22a154
commit f216f96
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
@@ -83,7 +83,7 @@ export class DnsValidatedCertificate extends cdk.Construct implements ICertifica
  protected validate(): string[] {
  const errors: string[] = [];
  // Ensure the zone name is a parent zone of the certificate domain name
- if (!this.domainName.endsWith('.' + this.normalizedZoneName)) {
+ if (this.domainName !== this.normalizedZoneName && !this.domainName.endsWith('.' + this.normalizedZoneName)) {
  errors.push(`DNS zone ${this.normalizedZoneName} is not authoritative for certificate domain name ${this.domainName}`);
  }
  return errors;

diff --git a/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
@@ -112,4 +112,31 @@ export = {
  test.throws(() => expect(stack), /DNS zone hello.com is not authoritative for certificate domain name example.com/);
  test.done();
  },
+
+ 'test root certificate'(test: Test) {
+ const stack = new Stack();
+
+ const exampleDotComZone = new PublicHostedZone(stack, 'ExampleDotCom', {
+ zoneName: 'example.com'
+ });
+
+ new DnsValidatedCertificate(stack, 'Cert', {
+ domainName: 'example.com',
+ hostedZone: exampleDotComZone,
+ });
+
+ expect(stack).to(haveResource('AWS::CloudFormation::CustomResource', {
+ ServiceToken: {
+ 'Fn::GetAtt': [
+ 'CertCertificateRequestorFunction98FDF273',
+ 'Arn'
+ ]
+ },
+ DomainName: 'example.com',
+ HostedZoneId: {
+ Ref: 'ExampleDotCom4D1B83AA'
+ }
+ }));
+ test.done();
+ },
 };