Hi,

I am trying to add SubjectAlternativeNames to add additional domain (e.g..additional.example.com)
I am following this syntax:
Properties:
SubjectAlternativeNames:
- additional.example.com

But CFT throwing the below error:
Received response status [FAILED] from custom resource. Message returned: DomainValidationOptions missing for additional.example.com (RequestId: 9758388c-7dba-4c2a-a15b-bfa8f06a0931)

Can you please let me know why Lambda is sending FAILED status to CFT and kindly provide the update.

Regards,
Rekha

Hi,

from botocore.vendored import requests
...
response = requests.put(event['ResponseURL'], json=event, headers={'content-type': ''})

raises this warning in the logs:

/var/runtime/botocore/vendored/requests/api.py:67: DeprecationWarning: You are using the put() function from 'botocore.vendored.requests'. This is not a public API in botocore and will be removed in the future. Additionally, this version of requests is out of date. We recommend you install the requests package, 'import requests' directly, and use the requests.put() function instead.

Given the short release cycles of boto3/botocore, it is possible that this will break in a not too distant future. It is possible to fix this before then?

Thanks in advance,
BR.

When a large number of certificates exists, this requests to fetch the certificate's tags:

https://github.com/dflook/cloudformation-dns-certificate/blob/master/src/troposphere_dns_certificate/certificate.py#L124

causes a throttling exception. I think that a nice solution would be to check if p['DomainName'] == certificate['DomainName'] (Not sure if we need case sensitivity and/or a trailing .) before attempting to fetch the tags. Is this a good idea?

Since yesterday we are running into the issue that the Lambda fails with the following error:

Traceback (most recent call last):
File "/var/task/index.py", line 74, in handler
j()
File "/var/task/index.py", line 57, in j
for F in K[Z]:
KeyError: 'DomainValidationOptions'

Apparently this is because the first call to describe_certificate here does not return DomainValidationOptions. After adding a sleep(10) directly in front of the describe_certificate it starts working again.

Take the following example..

The lambda is unhappy because it appears to be looking for another HostedZoneId for *.mywebsite.com, however there isn't a documented location to put the next HostedZoneId or why it is needed since they would likely share the same zone.

"DomainValidationOptions":[
{
"DomainName":"mywebsite.com",
"HostedZoneId":"123456789"
}
],
"DomainName":"mywebsite.com",
"ValidationMethod":"DNS",
"SubjectAlternativeNames":[
"*.mywebsite.com"
],
"Tags":[
{
"Value":"Example Certificate",
"Key":"Name"
}
]

cfn-lint issues a warning I3042 on the provided templates. I made a PR with a fix and provide more detail in the PR description: #18 . Feel free to close this without merging if you think it isn't necessary.

I'm wondering if there's a way to retrieve the ARN of the created certificate, directly from CloudFormation.

Hi,

using the sample code from cloudformation.yaml (version 1.7.1), generating a domain validated cert in ACM with an Route53 zone works fine. However, when the CF stack is removed, the ACM certificate is removed as expected, but the CNAME record used for initial domain validation remains in the Route53 hosted zone. Is this an intentional behavior or it that use case not covered as of yet? Or should that work, and I somehow missed something?
I could provide an CF stack and/or logfiles, if required.

Thanks in advance, and thanks providing this very useful module sample.

BR.

Hi,

I have a use case whereby the certificate contains some domains that are managed externally (outside of Route53). For these domains it would be useful to have an option to skip the attempt to create the validation records (otherwise the certificate creation fails).

Best regards,
RJ

Hi Daniel-

First and foremost - thanks for this excellent repo, which I've used with great success to automate the creation and provisioning of ACM certificates with Route53 HostedZone DNS verification. Super-slick with the inline Lambda to create the required validation records!

I'm not trying to leverage in a more complex environment, where the Route53 HostedZone is in another account than where I'm trying to generate / issue the certs. I've created the role in the account with the Route53 Hosted Zone:

arn:aws:iam::############:role/RoleAllowedToEditHostedZone

which has the appropriate permissions to manage the hosted zone.

However, when the template runs (from the 'target' account, where I'm creating the certificate) - it fails, every time, when it gets to the certificate resource. It throws the error:

Failed to create resource. Parameter validation failed: Unknown parameter in input: "Route53RoleArn", must be one of: DomainName, ValidationMethod, SubjectAlternativeNames, IdempotencyToken, DomainValidationOptions, Options, CertificateAuthorityArn

This makes sense to me, since the Route53RoleArn doesn't appear in the CloudFormation docs for that resource type:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html

Am I reading your docs wrong? Ahh - I see that it's not actually a resource of Type: AWS::CertificateManager::Certificate - but rather, Custom::DNSCertificate - so perhaps this IS a valid attribute / parameter for this object type?

Any guidance / assistance is much appreciated: Thank You!

Hey first off, many thanks for the awesome custom resource. It's super helpful!

It appears that everything is working correctly but I'm running into a timeout issue where the ACM cert gets stuck in a "pending validation" state.

Have you ever seen this before?

The CNAME was successfully created in Route53

And the custom resource lambda is doing its job (per its logs)

However, when the max execution time hits, the stack creation fails 😅

Any ideas on how I might be able to resolve this?

Many thanks!

Shouldn't we get the README updated and add a new section for the CF CertificateManage updates?
Since, June 2020 CloudFormation AWS::CertificateManager::Certificate allows you to specify the Route53 hosted zone, in which to insert the validation records.

You can automate the provisioning of ACM certificates with DNS with a single resource. Below you see the required AWS::CertificateManager::Certificate resource:

 Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

This will create the required DNS validation records for the domain in the specified route53 hosted zone.

I've hit a race condition when creating/updating a large number of certificates.

While in find_certificate, and checking whether the certificate domain name matches:

https://github.com/dflook/cloudformation-dns-certificate/blob/master/src/troposphere_dns_certificate/certificate.py#L126

I occasionally encounter a certificate object which does not contain a DomainName, leading to a KeyError.

Is it a good idea to change the conditional to something like:

domain_name = certificate.get('DomainName')
if domain_name and p['DomainName'].lower() == domain_name:
    ...

So that if the certificate is 'being created', and does not contain a domain name, then it checks the tags.

First and foremost: Thanks for this outstanding tool, which we have used extensively to really streamline and enhance our interaction with ACM across a large collection of accounts. Great stuff!

I've long since avoided the use of SANs - in part, because it's so easy to crank out whatever vanity FQDN a team may require / desire. However, I find myself with a use case requiring a SAN - and for whatever reason, I can't seem to get the DomainValidation records created. I've experimented a bit with where I place the SubjectAlternativeNames: property, and can get some different results based on that placement - but can't seem to get the validation records to be created.

I'm even starting with the SIMPLE scenario where I'm trying to include a SAN from the same sub-domain / Route53 Hosted Zone. Ultimately, I need to include a SAN from a 'foreign' (non-Route53 hosted) domain - but I'll cross that bridge when I come to it.

I'm using syntax that looks like this, for my custom resource:

 GeneratedCertificate:
    Properties:
      DomainName: !Ref pCertificateSubject
      SubjectAlternativeNames:
        - !Ref pSubjectAlternativeName
      DomainValidationOptions:
        - DomainName: !Ref pCertificateSubject
          HostedZoneId: !Ref pHostedZoneId
      ServiceToken: !GetAtt 'CustomAcmCertificateLambda.Arn'
      Route53RoleArn: !Ref pRoute53AssumedRoleArn
      Tags:
        - Key: Name
          Value: !Ref pCertificateSubject
        - Key: Owner
          Value: !Ref pCFNOwnerTag
        - Key: App
          Value: !Ref pAppName
        - Key: Env
          Value: !Ref pEnv
      ValidationMethod: DNS
    Type: Custom::DNSCertificate

and when it executes, I'm getting a "CREATE_FAILED" with an error:

Received response status [FAILED] from custom resource. Message returned: DomainValidationOptions missing for mysanvalue.example.com (RequestId: 24307790-d42e-4608-94b9-c0d4b1a89631)

(SAN value changed to protect the innocent. Both the Subject, and the SAN, are both within the same Route53 Hosted Zone).

What am I doing wrong? At first I thought perhaps the SAN required it's own DomainValidationOptions - experimented with that, but then looking at the README - that doens't seem to be the case. I'm sure it's something obvious, whatever it is... :)

Thanks again for this super helpful tool!

Is it possible to make DomainValidationOptions optional as it is in CloudFormation?