Closed odbol closed 2 months ago
Hi @odbol, Thanks for opening an issue.
I don't have enough information to be confident in diagnosing the issue, but I suspect there's an issue with the domain or subdomain values you're specifying, or there is a conflict with existing resources in that hosted zone. I've double-checked that the template itself is working, so let's focus on your specific inputs.
Do you have AWS Support? They would be best placed to help you identify the issue.
Did you resolve your issue @odbol?
I don't have support yet, but I just signed up for the business support trial so we'll see if that comes through.
Is there any way I can diagnose it myself? The error logs didn't seem to give detailed enough errors. Like it says "RRSet with DNS name _1ef508b345bb2bd302d0a1d55d1d6940.test.XXX.com. is not permitted in zone XXX.com.", but it doesn't say why it's not permitted. And when I add that same domain manually via the UI it works... is there some permissions issue I'm missing here?
I don't think it is a permissions issue. Normally permissions issues are quite explicit. They look like `AccessDeniedException`.
I can't tell what the reason is unfortunately.
We can try to rule out some possibilities with the template input parameters:
- `Subdomain` parameter should contain just the subdomain (i.e. `test` rather than `test.example.com`). The subdomain record should not exist before deployment.
- It doesn't look like you're deploying an Apex domain (e.g. `example.com` rather than `www.example.com`). Please correct me if that's wrong.
Let me know if that helps.
Turned out I had the domain name incorrect. 🤦♂️
Yes, silly user error, but the fact that there wasn't a straightforward error message that could alert me to the typo I'm attributing as AWS's fault.
Glad you managed to resolve the issue @odbol. I agree the error message is not clear in this case. I will pass this feedback on to the service team. I'll also see if there are changes I can make in this sample to help future users who might encounter the same issue.
I'm trying to follow these instructions with a domain I bought in Route 53: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/getting-started-secure-static-website-cloudformation-template.html
But every time I run it, I get the error
Embedded stack arn:aws:cloudformation:us-east-1:378135112859:stack/amazon-cloudfront-secure-static-site-vl2-test5-AcmCertificateStack-SU36T7Q937HA/8b734f60-416f-11ef-8bd6-0afff044c08b was not successfully created: The following resource(s) failed to create: [Certificate].
I found a more detailed message, although it's still not very helpful:
[RRSet with DNS name _1ef508b345bb2bd302d0a1d55d1d6940.test.XXX.com. is not permitted in zone XXX.com., RRSet with DNS name _858a6f8f5ac21f375925a6703d8239cb.XXX.com. is not permitted in zone XXX.com.] (Service: AmazonRoute53; Status Code: 400; Error Code: InvalidChangeBatch; Request ID: 829b3b76-ed81-400d-9d63-d75aa3c27c65; Proxy: null)
I tried creating a certificate manually in ACM manager, and that worked, for the same domain and subdomain. But still the stack creation fails. I've tried with Create Apex as yes and no and it doesn't seem to help.
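An added example, not part of the thread or of the AWS sample: an offline pre-flight check for the failure discussed here. Route 53 returns "RRSet ... is not permitted in zone" when a record name does not fall inside the hosted zone's domain, which is what a mistyped domain name produces. The argument names (`domain_name`, `subdomain`, `zone_name`, `create_apex`) and the sample values are assumptions chosen for illustration; the zone name is the one shown on the hosted zone in Route 53.

```python
def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def in_zone(record_name: str, zone_name: str) -> bool:
    """True if record_name is the zone apex or sits below it.

    Compared label by label, so 'notexample.com' is not treated as
    part of 'example.com' the way a plain suffix match would.
    """
    rec = normalize(record_name).split(".")
    zone = normalize(zone_name).split(".")
    return len(rec) >= len(zone) and rec[-len(zone):] == zone


def preflight(domain_name, subdomain, zone_name, create_apex=False):
    """Return a list of problems; an empty list means the inputs agree."""
    domain, sub, zone = (normalize(v) for v in (domain_name, subdomain, zone_name))
    problems, names = [], []

    if not sub:
        problems.append("subdomain is empty")
    else:
        if sub == domain or sub.endswith("." + domain):
            problems.append(
                f"subdomain '{sub}' already contains the domain; pass only the prefix"
            )
        names.append(f"{sub}.{domain}")
    if create_apex:
        names.append(domain)

    # ACM DNS validation records are created underneath each certified
    # name, so a name outside the zone means its record is outside too.
    for name in names:
        if not in_zone(name, zone):
            problems.append(
                f"{name} is outside zone {zone}: Route 53 would reject its validation record"
            )
    return problems


if __name__ == "__main__":
    # Constructed inputs: the domain parameter has a typo, the zone does not.
    for line in preflight("exmaple.com", "test", "example.com.", create_apex=True):
        print(line)
```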