aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

DNS Validated Certificate Error: Failed to create resource. Cannot read property 'Name' of undefined #8282

Closed rrrix closed 2 years ago

rrrix commented 4 years ago

When deploying a new DNS Validated Certificate, I keep getting an error:

 26/41 | 5:34:32 PM | CREATE_FAILED        | AWS::CloudFormation::CustomResource        | sslCert/CertificateRequestorResource/Default (sslCertCertificateRequestorResource595CEBB2) Failed to create resource. Cannot read property 'Name' of undefined
    new CustomResource (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/@aws-cdk/core/lib/custom-resource.ts:115:21)
    \_ new DnsValidatedCertificate (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts:96:25)
    \_ new SharedService (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/src/services/shared.ts:64:28)
    \_ /Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/src/index.ts:32:26
    \_ Generator.next (<anonymous>)
    \_ fulfilled (/Users/rbowen/dev/git/rapticore/glass-comb/Infrastructure/cdk/src/index.ts:6:58)
    \_ processTicksAndRejections (internal/process/task_queues.js:97:5)

Reproduction Steps

    const hostedZone = route53.HostedZone.fromLookup(scope, 'HostedZone', {
      domainName: 'foo.example.com',
    });
    const sslCertificate = new acm.DnsValidatedCertificate(this, 'sslCert', {
      domainName: 'foo.example.com',
      subjectAlternativeNames: [`*.foo.example.com`, `*.ecs.foo.example.com`],
      hostedZone,
    });

Error Log


Error log from Custom Resource Lambda Function:

START RequestId: 95303a13-0749-445a-a0c8-d28bbb2f9300 Version: $LATEST
2020-05-30T00:16:53.288Z 95303a13-0749-445a-a0c8-d28bbb2f9300 INFO Requesting certificate for foo.example.com
2020-05-30T00:16:54.706Z 95303a13-0749-445a-a0c8-d28bbb2f9300 INFO Certificate ARN: arn:aws:acm:us-west-2:422753814403:certificate/bb2aa334-6823-4b41-ad85-776b2148179f
2020-05-30T00:16:54.706Z 95303a13-0749-445a-a0c8-d28bbb2f9300 INFO Waiting for ACM to provide DNS records for validation...
2020-05-30T00:16:59.198Z 95303a13-0749-445a-a0c8-d28bbb2f9300 INFO Caught error TypeError: Cannot read property 'Name' of undefined. Uploading FAILED message to S3.
END RequestId: 95303a13-0749-445a-a0c8-d28bbb2f9300
REPORT RequestId: 95303a13-0749-445a-a0c8-d28bbb2f9300 Duration: 6166.16 ms Billed Duration: 6200 ms Memory Size: 128 MB Max Memory Used: 87 MB Init Duration: 419.89 ms
START RequestId: 15f7c8db-a5a7-4bd5-9eb1-2b387cc7a1bf Version: $LATEST
2020-05-30T00:17:22.071Z 15f7c8db-a5a7-4bd5-9eb1-2b387cc7a1bf INFO Uploading SUCCESS response to S3...
2020-05-30T00:17:22.145Z 15f7c8db-a5a7-4bd5-9eb1-2b387cc7a1bf INFO Done.
END RequestId: 15f7c8db-a5a7-4bd5-9eb1-2b387cc7a1bf
REPORT RequestId: 15f7c8db-a5a7-4bd5-9eb1-2b387cc7a1bf Duration: 76.01 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 87 MB

Environment

Other

I can only find two places where there's a reference to a .Name property in the DNS Validated Certificate Lambda function:

https://github.com/aws/aws-cdk/blob/cb71f340343011a2a2de9758879a56e898b8e12c/packages/%40aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js#L116

https://github.com/aws/aws-cdk/blob/cb71f340343011a2a2de9758879a56e898b8e12c/packages/%40aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js#L137

I believe it's the first (dns_validated_certificate_handler/lib/index.js#L116), since the last message to appear before the error is thrown is "Waiting for ACM to provide DNS records for validation...".

Here's the code in question:

  let records;
  for (let attempt = 0; attempt < maxAttempts && !records; attempt++) {
    const { Certificate } = await acm.describeCertificate({
      CertificateArn: reqCertResponse.CertificateArn
    }).promise();
    const options = Certificate.DomainValidationOptions || [];
    if (options.length > 0 && options[0].ResourceRecord) {
      // some alternative names will produce the same validation record
      // as the main domain (eg. example.com + *.example.com)
      // filtering duplicates to avoid errors with adding the same record
      // to the route53 zone twice
      const unique = options
        .map((val) => val.ResourceRecord)
        .reduce((acc, cur) => {
          acc[cur.Name] = cur;
          return acc;
        }, {});
      records = Object.keys(unique).sort().map(key => unique[key]);
    } else {
      // Exponential backoff with jitter based on 200ms base
      // component of backoff fixed to ensure minimum total wait time on
      // slow targets.
      const base = Math.pow(2, attempt);
      await sleep(random() * base * 50 + base * 150);
    }
  }

A note regarding the Certificate naming and Route53 hosted zone:

The hosted zone is a subdomain (e.g. foo.example.com - changed for anonymity), and I'm adding a few extra wildcards:

Here's the generated CloudFormation Resource:

    "sslCertCertificateRequestorResource595CEBB2": {
      "Type": "AWS::CloudFormation::CustomResource",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "sslCertCertificateRequestorFunction9B246BD8",
            "Arn"
          ]
        },
        "DomainName": "foo.example.com",
        "SubjectAlternativeNames": [
          "*.foo.example.com",
          "*.ecs.foo.example.com"
        ],
        "HostedZoneId": "Z03098442SVHOB89V0UJ8"
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "rapticore-shared-dev1/sslCert/CertificateRequestorResource/Default"
      }
    },

Here's the Certificate Object being queried over in the referenced code:

{
  CertificateArn: 'arn:aws:acm:us-west-2:xxxxxxxxxxxx:certificate/xxxxxxx-xxxx-xxxx-xxxx-c11448b8b212',
  DomainName: 'foo.example.com',
  SubjectAlternativeNames: [
    'foo.example.com',
    '*.foo.example.com',
    '*.ecs.foo.example.com'
  ],
  DomainValidationOptions: [
    {
      DomainName: 'foo.example.com',
      ValidationDomain: 'foo.example.com',
      ValidationStatus: 'PENDING_VALIDATION',
      ResourceRecord: {
        Name: '_6a2843a8394c544fd6b25e23c55b4f54.foo.example.com.',
        Type: 'CNAME',
        Value: '_19a5e04eef1d6f5abxxxxxxxxx.auiqqraehs.acm-validations.aws.'
      },
      ValidationMethod: 'DNS'
    },
    {
      DomainName: '*.foo.example.com',
      ValidationDomain: '*.foo.example.com',
      ValidationStatus: 'PENDING_VALIDATION',
      ResourceRecord: {
        Name: '_6a2843a8394c544fd6b25e23c55b4f54.foo.example.com.',
        Type: 'CNAME',
        Value: '_19a5e04eef1dxxxxxxxxxxxxxxxx.auiqqraehs.acm-validations.aws.'
      },
      ValidationMethod: 'DNS'
    },
    {
      DomainName: '*.ecs.foo.example.com',
      ValidationDomain: '*.ecs.foo.example.com',
      ValidationStatus: 'PENDING_VALIDATION',
      ResourceRecord: {
        Name: '_7b0601b191a2975acf066452963eaa76.ecs.foo.example.com.',
        Type: 'CNAME',
        Value: '_03e3b0d8b31e48fe9xxxxxxxxxxxxx.auiqqraehs.acm-validations.aws.'
      },
      ValidationMethod: 'DNS'
    }
  ],
  Subject: 'CN=foo.example.com',
  Issuer: 'Amazon',
  CreatedAt: 2020-05-30T00:34:28.000Z,
  Status: 'PENDING_VALIDATION',
  KeyAlgorithm: 'RSA-2048',
  SignatureAlgorithm: 'SHA256WITHRSA',
  InUseBy: [],
  Type: 'AMAZON_ISSUED',
  KeyUsages: [],
  ExtendedKeyUsages: [],
  RenewalEligibility: 'INELIGIBLE',
  Options: { CertificateTransparencyLoggingPreference: 'ENABLED' }
}

This is :bug: Bug Report
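As an added example (not the handler's or the CDK project's own code), here is the record-collection step from the excerpt above in its quoted form beside a version that treats a missing ResourceRecord on any DomainValidationOption as "not ready yet"; the option lists and the describe() stub are constructed to mirror the Certificate object in this report.

```javascript
// Constructed sample mirroring the Certificate object above: ACM has filled in
// records for the first two names but not yet for the third SAN. This is the
// state that produces "Cannot read property 'Name' of undefined".
const PARTIAL_OPTIONS = [
  { DomainName: 'foo.example.com',
    ResourceRecord: { Name: '_6a28.foo.example.com.', Type: 'CNAME', Value: '_19a5.acm-validations.aws.' } },
  { DomainName: '*.foo.example.com',
    ResourceRecord: { Name: '_6a28.foo.example.com.', Type: 'CNAME', Value: '_19a5.acm-validations.aws.' } },
  { DomainName: '*.ecs.foo.example.com' }, // ResourceRecord not populated yet
];

// Same certificate a few seconds later, with every option populated.
const COMPLETE_OPTIONS = [
  PARTIAL_OPTIONS[0],
  PARTIAL_OPTIONS[1],
  { DomainName: '*.ecs.foo.example.com',
    ResourceRecord: { Name: '_7b06.ecs.foo.example.com.', Type: 'CNAME', Value: '_03e3.acm-validations.aws.' } },
];

// Quoted form: only options[0] is checked, but every option's record is then
// dereferenced, so one unpopulated SAN turns into a TypeError.
function collectRecordsBuggy(options) {
  if (options.length > 0 && options[0].ResourceRecord) {
    const unique = options
      .map((val) => val.ResourceRecord)
      .reduce((acc, cur) => { acc[cur.Name] = cur; return acc; }, {});
    return Object.keys(unique).sort().map((key) => unique[key]);
  }
  return undefined;
}

// Hardened form: return the de-duplicated records only once every option
// carries one; otherwise return undefined so the caller keeps polling.
function collectRecords(options) {
  if (options.length === 0 || !options.every((o) => o.ResourceRecord)) {
    return undefined;
  }
  const unique = new Map();
  for (const { ResourceRecord } of options) {
    unique.set(ResourceRecord.Name, ResourceRecord); // same Name => same record
  }
  return [...unique.keys()].sort().map((name) => unique.get(name));
}

// Poll loop shaped like the handler's, with describe() and sleep() injected
// (hypothetical parameters) so it runs offline and without real delays.
async function waitForValidationRecords(describe, { maxAttempts = 10, sleep = () => Promise.resolve() } = {}) {
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const { Certificate } = await describe();
    const records = collectRecords(Certificate.DomainValidationOptions || []);
    if (records) return records;
    const base = Math.pow(2, attempt); // exponential backoff with jitter, as in the handler
    await sleep(Math.random() * base * 50 + base * 150);
  }
  throw new Error(`ACM did not provide validation records after ${maxAttempts} attempts`);
}

// Simulated ACM describeCertificate(): partial state first, complete afterwards.
function fakeDescribe() {
  let calls = 0;
  return async () => ({
    Certificate: { DomainValidationOptions: calls++ === 0 ? PARTIAL_OPTIONS : COMPLETE_OPTIONS },
  });
}

// True when the quoted form fails on the partial state with a TypeError.
function buggyThrows() {
  try { collectRecordsBuggy(PARTIAL_OPTIONS); return false; } catch (e) { return e instanceof TypeError; }
}
```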

asterikx commented 4 years ago

@rrrix The same mistake happened to me some time ago.

Does the zone for your apex domain example.com have an NS record for your subdomain foo.example.com (see docs)?

In my case, I forgot to add the NS record to the apex domain. After I added the NS record, all went well. I don't know if that was causing the problem, but it kinda makes sense.

Error handling could be improved though ;)

asterikx commented 4 years ago

Forget what I said. I just experienced the same error again while moving my stacks to another region. The first deploy failed, the second succeeded.

me@Me-MBP cdk % yarn cdk deploy DnsStackProd
yarn run v1.22.4
$ cdk deploy DnsStackProd

 🚀  Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForReading

This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬─────────────────────────────────┬────────┬─────────────────────────────────┬──────────────────────────────────┬───────────┐
│   │ Resource                        │ Effect │ Action                          │ Principal                        │ Condition │
├───┼─────────────────────────────────┼────────┼─────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${Certificate/CertificateReques │ Allow  │ sts:AssumeRole                  │ Service:lambda.amazonaws.com     │           │
│   │ torFunction/ServiceRole.Arn}    │        │                                 │                                  │           │
├───┼─────────────────────────────────┼────────┼─────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ *                               │ Allow  │ acm:DeleteCertificate           │ AWS:${Certificate/CertificateReq │           │
│   │                                 │        │ acm:DescribeCertificate         │ uestorFunction/ServiceRole}      │           │
│   │                                 │        │ acm:RequestCertificate          │                                  │           │
│ + │ *                               │ Allow  │ route53:GetChange               │ AWS:${Certificate/CertificateReq │           │
│   │                                 │        │                                 │ uestorFunction/ServiceRole}      │           │
├───┼─────────────────────────────────┼────────┼─────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ arn:${AWS::Partition}:route53:: │ Allow  │ route53:changeResourceRecordSet │ AWS:${Certificate/CertificateReq │           │
│   │ :hostedzone/ZXXX                │        │ s                               │ uestorFunction/ServiceRole}      │           │
│   │ H                               │        │                                 │                                  │           │
└───┴─────────────────────────────────┴────────┴─────────────────────────────────┴──────────────────────────────────┴───────────┘
IAM Policy Changes
┌───┬─────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│   │ Resource                                                    │ Managed Policy ARN                                          │
├───┼─────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ + │ ${Certificate/CertificateRequestorFunction/ServiceRole}     │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambd │
│   │                                                             │ aBasicExecutionRole                                         │
└───┴─────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Do you wish to deploy these changes (y/n)? y
DnsStackProd: deploying...

 🚀  Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForWriting

[0%] start: Publishing 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
[100%] success: Published 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
DnsStackProd: creating CloudFormation changeset...
 0/6 | 00:27:51 | CREATE_IN_PROGRESS   | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 
 0/6 | 00:27:51 | CREATE_IN_PROGRESS   | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) Resource creation Initiated
 0/6 | 00:27:56 | CREATE_IN_PROGRESS   | AWS::CDK::Metadata                  | CDKMetadata 
 0/6 | 00:27:57 | CREATE_IN_PROGRESS   | AWS::CDK::Metadata                  | CDKMetadata Resource creation Initiated
 1/6 | 00:27:57 | CREATE_COMPLETE      | AWS::CDK::Metadata                  | CDKMetadata 
 2/6 | 00:28:05 | CREATE_COMPLETE      | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 
 2/6 | 00:28:07 | CREATE_IN_PROGRESS   | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 2/6 | 00:28:08 | CREATE_IN_PROGRESS   | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) Resource creation Initiated
 3/6 | 00:28:22 | CREATE_COMPLETE      | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 3/6 | 00:28:24 | CREATE_IN_PROGRESS   | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 3/6 | 00:28:24 | CREATE_IN_PROGRESS   | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) Resource creation Initiated
 4/6 | 00:28:25 | CREATE_COMPLETE      | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 4/6 | 00:28:26 | CREATE_IN_PROGRESS   | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) 
 4/6 | 00:28:34 | CREATE_IN_PROGRESS   | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) Resource creation Initiated
 5/6 | 00:28:35 | CREATE_FAILED        | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) Failed to create resource. Cannot read property 'Name' of undefined
        new CustomResource (/Users/me/Documents/Detelling/cdk/node_modules/@aws-cdk/core/lib/custom-resource.ts:115:21)
        \_ new DnsValidatedCertificate (/Users/me/Documents/Detelling/cdk/node_modules/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts:96:25)
        \_ new DnsStack (/Users/me/Documents/Detelling/cdk/lib/stacks/dns.ts:28:25)
        \_ Object.<anonymous> (/Users/me/Documents/Detelling/cdk/bin/cdk.ts:20:22)
        \_ Module._compile (internal/modules/cjs/loader.js:1158:30)
        \_ Module.m._compile (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/index.ts:858:23)
        \_ Module._extensions..js (internal/modules/cjs/loader.js:1178:10)
        \_ Object.require.extensions.<computed> [as .ts] (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/index.ts:861:12)
        \_ Module.load (internal/modules/cjs/loader.js:1002:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:901:14)
        \_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
        \_ main (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/bin.ts:227:14)
        \_ Object.<anonymous> (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/bin.ts:513:3)
        \_ Module._compile (internal/modules/cjs/loader.js:1158:30)
        \_ Object.Module._extensions..js (internal/modules/cjs/loader.js:1178:10)
        \_ Module.load (internal/modules/cjs/loader.js:1002:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:901:14)
        \_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
        \_ /Users/me/.nvm/versions/node/v12.16.1/lib/node_modules/npm/node_modules/libnpx/index.js:268:14
 5/6 | 00:28:35 | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack          | DnsStackProd The following resource(s) failed to create: [CertificateCertificateRequestorResource2890C6B7]. . Rollback requested by user.
 5/6 | 00:29:04 | DELETE_IN_PROGRESS   | AWS::CDK::Metadata                  | CDKMetadata 
 5/6 | 00:29:04 | DELETE_IN_PROGRESS   | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) 
 6/6 | 00:29:04 | DELETE_COMPLETE      | AWS::CDK::Metadata                  | CDKMetadata 
 7/6 | 00:29:06 | DELETE_COMPLETE      | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) 
 7/6 | 00:29:06 | DELETE_IN_PROGRESS   | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 8/6 | 00:29:07 | DELETE_COMPLETE      | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 8/6 | 00:29:07 | DELETE_IN_PROGRESS   | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 9/6 | 00:29:08 | DELETE_COMPLETE      | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 9/6 | 00:29:08 | DELETE_IN_PROGRESS   | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 
 10/6 | 00:29:09 | DELETE_COMPLETE      | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 

 ❌  DnsStackProd failed: Error: The stack named DnsStackProd failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
    at /Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/api/util/cloudformation.ts:254:13
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at waitFor (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/api/util/cloudformation.ts:166:20)
    at Object.deployStack (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/api/deploy-stack.ts:252:26)
    at CdkToolkit.deploy (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:181:24)
    at main (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/bin/cdk.ts:250:16)
    at initCommandLine (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/bin/cdk.ts:183:9)
The stack named DnsStackProd failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
me@Me-MBP cdk % yarn cdk deploy DnsStackProd
yarn run v1.22.4
$ cdk deploy DnsStackProd

 🚀  Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForReading

DnsStackProd: deploying...

 🚀  Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForWriting

[0%] start: Publishing 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
[100%] success: Published 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
DnsStackProd: creating CloudFormation changeset...
 0/6 | 00:34:03 | CREATE_IN_PROGRESS   | AWS::CDK::Metadata                  | CDKMetadata 
 0/6 | 00:34:03 | CREATE_IN_PROGRESS   | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 
 0/6 | 00:34:03 | CREATE_IN_PROGRESS   | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) Resource creation Initiated
 0/6 | 00:34:04 | CREATE_IN_PROGRESS   | AWS::CDK::Metadata                  | CDKMetadata Resource creation Initiated
 1/6 | 00:34:04 | CREATE_COMPLETE      | AWS::CDK::Metadata                  | CDKMetadata 
 2/6 | 00:34:18 | CREATE_COMPLETE      | AWS::IAM::Role                      | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) 
 2/6 | 00:34:19 | CREATE_IN_PROGRESS   | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 2/6 | 00:34:20 | CREATE_IN_PROGRESS   | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) Resource creation Initiated
 3/6 | 00:34:34 | CREATE_COMPLETE      | AWS::IAM::Policy                    | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) 
 3/6 | 00:34:35 | CREATE_IN_PROGRESS   | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 3/6 | 00:34:36 | CREATE_IN_PROGRESS   | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) Resource creation Initiated
 4/6 | 00:34:36 | CREATE_COMPLETE      | AWS::Lambda::Function               | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) 
 4/6 | 00:34:38 | CREATE_IN_PROGRESS   | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) 
4/6 Currently in progress: CertificateCertificateRequestorResource2890C6B7
 4/6 | 00:39:25 | CREATE_IN_PROGRESS   | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) Resource creation Initiated

 ✅  DnsStackProd

Since my app is importing the hosted zone, NS records were definitely present.

rrrix commented 4 years ago

I removed (commented out) the subjectAlternativeNames, redeployed, and everything deployed without errors on the first try. This obviously isn't a 'fix', since I need those SANs, but it's an interesting observation. I'll try and keep debugging.

    const hostedZone = route53.HostedZone.fromLookup(scope, 'HostedZone', {
      domainName: 'foo.example.com',
    });
    const sslCertificate = new acm.DnsValidatedCertificate(this, 'sslCert', {
      domainName: 'foo.example.com',
      // subjectAlternativeNames: [`*.foo.example.com`, `*.ecs.foo.example.com`],
      hostedZone,
    });

strottos commented 4 years ago

I'm getting this too, but intermittently. I have just run the same stack two times: the first time it failed, then I reran it and it worked. It happened a couple of times yesterday too. I was doing the same thing in Python with CDK 1.31 before and never had this problem with multiple deployments; now I've had it 3/6 times. Now on 1.44 JS I'm getting this issue.

My current stack (with right values passed in) is essentially:

    const hostedZone = route53.HostedZone.fromHostedZoneAttributes(
      this,
      'MainHostLookup',
      {
        zoneName: hostedDomainUrl,
        hostedZoneId: hostedZoneId,
      },
    )

    new certificatemanager.DnsValidatedCertificate(
      this,
      'EnvironmentCertificate',
      {
        hostedZone: hostedZone,
        domainName: hostedDomainUrl,
        region: 'us-east-1',
        subjectAlternativeNames: [`*.${hostedDomainUrl}`],
        validationMethod: certificatemanager.ValidationMethod.DNS,
      },
    )

The Python one previously that always worked (I've rewritten in JS for various reasons):

        hosted_zone = route53.HostedZone.from_hosted_zone_attributes(
            self,
            "MainHostLookup",
            zone_name=hosted_domain_url,
            hosted_zone_id=hosted_zone_id,
        )

        self.certificate = certificatemanager.DnsValidatedCertificate(
            self,
            "EnvironmentCertificate",
            hosted_zone=hosted_zone,
            domain_name=hosted_domain_url,
            region="us-east-1",
            subject_alternative_names=[f"*.{hosted_domain_url}"],
            validation_method=certificatemanager.ValidationMethod.DNS,
        )

Could be Python vs JS, or more likely v1.31 to v1.44 I'm guessing, or it could even be CloudFormation/AWS changes since April when I was last running this.

Note it created the certificates successfully in AWS whether this stack passes or not but the CloudFormation fails when it throws this error. For now my workaround will be to delete the certificate and try again till it works. Also I noticed that it took 7 minutes for the certificate to successfully create on CDK/CloudFormation failure but only a couple of minutes after when it worked successfully.

Hope that makes sense, ping me if any questions by all means.

rrrix commented 4 years ago

I did a bit more research on this, and it turns out there are actually two open PRs that aim to fix this:

Unfortunately both are getting a bit stale, as both PRs have pending, unfinished changes requested by the CDK Team. I think #6516 looks like the better PR, as it solves the root cause of the problem, rather than creating an arbitrary wait mechanism as #7150 does.

JPLemelin commented 4 years ago

Same as @strottos: the first time it failed and the second run it passed.

CDK version: 1.45.0 (build 0cfab15)

    // Get hosted zone
    const hostedZone = route53.HostedZone.fromLookup(this, `hosted-zone-${props.envName}`, { domainName })

    // Certificate
    const certificate = new certificatemanager.DnsValidatedCertificate(this, `certificate-${domainName}`, {
      domainName: domainName,
      hostedZone: hostedZone,
      region: props.region,
      subjectAlternativeNames: [`*.${domainName}`],
    })

dmcgowandmc commented 4 years ago

Just curious, for people affected, does it eventually work or does it consistently fail?

For me, it fails consistently if I have 2 or more subjectAlternativeNames. One or none always works.

Either way, supporting native Cloud Formation DNS sounds like the best solution so hopefully it is available soon

rrrix commented 4 years ago

Here's my custom construct I'm using to use the native CloudFormation AWS::CertificateManager::Certificate with DNS Validation:

// CfnDnsValidatedCertificate.ts

import { Certificate, CertificateProps, ICertificate, ValidationMethod } from '@aws-cdk/aws-certificatemanager';
import { IHostedZone, IPublicHostedZone } from '@aws-cdk/aws-route53';
import { CfnResource, Construct, Resource } from '@aws-cdk/core';

interface CfnDnsValidatedCertificateProps extends CertificateProps {
  // Public zone that ACM writes the validation CNAME records into.
  hostedZone: IPublicHostedZone;
}

export class CfnDnsValidatedCertificate extends Resource implements ICertificate {
  public readonly domainName: string;
  // Optional in CertificateProps, so it has to stay optional here as well.
  public readonly subjectAlternativeNames?: string[];
  public readonly hostedZone: IHostedZone;
  public readonly resource: CfnResource;
  public readonly certificate: ICertificate;
  public readonly certificateArn: string;
  public readonly validationMethod: ValidationMethod = ValidationMethod.DNS;

  constructor(scope: Construct, id: string, props: CfnDnsValidatedCertificateProps) {
    super(scope, id);
    this.domainName = props.domainName;
    this.subjectAlternativeNames = props.subjectAlternativeNames;
    this.hostedZone = props.hostedZone;

    // Native AWS::CertificateManager::Certificate with DNS validation: CloudFormation
    // creates the validation records in the hosted zone itself, so no Lambda-backed
    // custom resource is involved.
    this.resource = new CfnResource(this, 'cfnCertificate', {
      type: 'AWS::CertificateManager::Certificate',
      properties: {
        DomainName: this.domainName,
        SubjectAlternativeNames: this.subjectAlternativeNames,
        ValidationMethod: ValidationMethod.DNS,
        DomainValidationOptions: [
          {
            DomainName: this.domainName,
            HostedZoneId: this.hostedZone.hostedZoneId,
          },
        ],
      },
    });

    // The Ref of the native resource is the certificate ARN.
    this.certificateArn = this.resource.ref;
    this.certificate = Certificate.fromCertificateArn(this, 'Resource', this.certificateArn);
  }
}

Use it kinda like this:

    const hostedZone = PublicHostedZone.fromLookup(this, 'hostedZone', {
      domainName: props.envDomainName,
    });

    this.certificate = new CfnDnsValidatedCertificate(this, 'certificate', {
      domainName: domainName,
      hostedZone: hostedZone,
    });

It's faster, works 100% of the time (with any number of SANs), cheaper (no Lambda) and has the same great taste of automated DNS Validated ACM Certificates!

mikestopcontinues commented 4 years ago

This issue should be reopened. I got the same error using DnsValidatedCertificate with v1.61.0 today. I was able to get it working by switching to using Certificate with CertificateValidation.fromDns.

cweidinger commented 4 years ago

Same problem with 1.61.1. Please reopen

heikkis commented 4 years ago

Similar problem with 1.63.0. Thanks @mikestopcontinues for the workaround solution.

From the docs (https://docs.aws.amazon.com/cdk/api/latest/docs/aws-certificatemanager-readme.html) I noticed DnsValidatedCertificate is used only for cross-account validation, and all other examples are done with Certificate and CertificateValidation.fromDns().

ldgarcia commented 3 years ago

I'm getting erratic behavior when using DnsValidatedCertificate. I tried to deploy once and got:

DNS Validated Certificate Error: Failed to create resource. Cannot read property 'Name' of undefined.

I retried it, and it worked. I'm creating two ACM certificates and two Cloudfront distributions. One with 3 FQDNs and the other one with just 1.

Either way, supporting native Cloud Formation DNS sounds like the best solution so hopefully it is available soon

This has been supported for a while now.

However, DnsValidatedCertificate is still required to define certificates for a CloudFront distribution, for example, since Certificate, which uses the native CloudFormation support, does not provide a way to specify a region.

Furthermore, DnsValidatedCertificate does not support using different super/base domains (multizone validation), which is required to support a single distribution under different domain names (A.com, B.com), for example.

k3nnyP commented 3 years ago

I'm having this same issue with "aws-cdk": "1.105.0",

aaronbrighton commented 3 years ago

Just ran into this as well.

1.119.0 (build 2921d64)

peterwoodworth commented 2 years ago

Reopening because customers have still been experiencing this issue

Pinging @jogold and @njlynch for awareness

skinny85 commented 2 years ago

@njlynch you might want to take a look at this one - it somehow got assigned to me by mistake (?).

github-actions[bot] commented 2 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.