ocelotconsulting / node-acme-lambda

Use AWS Lambda to manage SSL certificates for ACME providers like Let's Encrypt.
http://www.ocelotconsulting.com/2016/10/07/letsencrypt-lambda.html
ISC License

"Could not pre-validate DNS TXT record" #22

Closed marclar closed 4 years ago

marclar commented 6 years ago

Hi - first of all, thanks for this project. It's about a million times easier than the others I've (unsuccessfully) tried today. I'm having a small problem, though...

Given the domain one.two.three.com, when I run npm run local-cert, I see a TXT record added to Route53 (e.g. _acme-challenge.one.two.three.com), but the script fails with

Error: Could not pre-validate DNS TXT record.

I have a couple suspicions:

  1. three.com is registered elsewhere - it exists in Route53 as a "hosted zone", and there are only a few records in there (though the nameservers are set up correctly at my registrar).
  2. This is a recent change (a couple of hours ago), so maybe things aren't resolving yet. I don't think this is the case, though, as I can access one.two.three.com.
  3. one.two.three.com is a CNAME in Route53 that points to a CloudFront distribution, which points to an S3 bucket (though I doubt that matters).

Here are the records in Route53:

[screenshot: Route53 records for one.two.three.com]

Any idea why this isn't working?

marclar commented 6 years ago

Okay - it seemed to work after a little while and a few attempts; I'm thinking maybe the retry delay and # of attempts should be configurable?

Both of my buckets have files in them now, though I still get an SSL error:

The certificate is only valid for the following names: *.cloudfront.net, cloudfront.net

I'm thinking the problem might be that I set up the CloudFront distribution first, before trying to set up the certificates. So instead of

HTTPS request -> Route53 -> S3 content

it's been doing

HTTPS request -> CloudFront (with standard CloudFront cert) -> Route53 -> S3 content

I've removed CloudFront from the equation, but 18 hours later it's still not resolving correctly.

Any suggestions? Gonna make a new subdomain and see how it goes...

larryboymi commented 6 years ago

Hi @marclar ! Sorry I've been moving and out of town for a bit and haven't been able to help yet. Are you still experiencing the issue?

marclar commented 6 years ago

Hey - thanks for the reply; hope the move went well :)

I do still have the issue. It seems like everything worked but the browser hangs when trying to access my domain over HTTPS. I'm not sure what to look for in the AWS console to determine the missing piece.

I'll likely be working on it again over the weekend; will update with any specifics I can find.

larryboymi commented 6 years ago

Have you tried verifying with openssl? Something like openssl s_client -showcerts -connect your.domain.com:443

GabLeRoux commented 6 years ago

@marclar From reading the issue, your problem may not be with certs but with your actual cloudfront setup.

In addition to the above openssl command, I personally use this trick to debug cloudfront:

curl -v -I -H "Host: $DOMAIN" https://$CLOUDFRONT_DISTRIBUTION_ID.cloudfront.net

You may find more details about something wrong with redirection, as even if your current domain doesn't point to cloudfront yet, the above curl command will hit the right place if well configured.

larryboymi commented 6 years ago

@GabLeRoux agreed... both tools' output can be hard to read at times. It did seem more like it was the usage of the certs more than them being available, but hard to tell on limited info.