I'm deploying an AWS CloudFormation stack with Elastic Beanstalk instances, a Route 53 record and an ACM certificate.
I would like to validate the certificate immediately during the stack deployment using DNS validation.
When I deploy the stack, all resources are created correctly except the ACM certificate, which stays in "pending validation" indefinitely. I don't get any error and I don't really understand why the certificate is not validated.
My CloudFormation template looks like this:
AWSTemplateFormatVersion: "2010-09-09"
Description: Project beanstalk
Parameters:
  ApplicationName:
    Description: Name of your application
    Type: String
    Default: hello
    MinLength: 1
    MaxLength: 255
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
  EnvironmentName:
    Description: Environment name, either dev or rec or main
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - rec
      - main
    ConstraintDescription: Specify either dev or rec or main
Resources:
  Application:
    Type: AWS::ElasticBeanstalk::Application
    Properties:
      ApplicationName: !Ref ApplicationName
  Environment:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      ApplicationName: !Ref Application
      EnvironmentName: !Sub "${ApplicationName}-${EnvironmentName}"
      TemplateName: !Ref ConfigurationTemplate # I left this part out to limit code lines
    DependsOn:
      - ConfigurationTemplate
  Route53APIRecordSet:
    Type: "AWS::Route53::RecordSet"
    Properties:
      Name: !Sub "${ApplicationName}-${EnvironmentName}.api.hello.com"
      Type: "A"
      HostedZoneId: !Ref HostedZoneIdFromMyDNS # This value is hardcoded in my template
      AliasTarget:
        DNSName: !GetAtt Environment.EndpointURL
        HostedZoneId: !Ref HostedZoneIdFromMyBeanstalk # ELB zone ID for my region (also hardcoded)
  APIACMCertificate:
    Type: "AWS::CertificateManager::Certificate"
    Properties:
      DomainName: hello.com
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Sub "${ApplicationName}-${EnvironmentName}.api.hello.com"
          HostedZoneId: !Ref HostedZoneIdFromMyDNS
I don't understand why my ACM certificate for my Route 53 record is not validated correctly. Do you have an idea? My Route 53 record is set up correctly, because I can navigate to my Beanstalk page, but not with the certificate.
EDIT 08/08/2023
I ran 2 nslookup commands (the names are personalised like the example above):
nslookup hello.com
The response is: Non-authoritative answer, Server unknown
nslookup ${ApplicationName}-${EnvironmentName}.api.hello.com
(the parameters are substituted, of course). The server is also unknown, but I don't get the non-authoritative answer response.
When you create your ACM certificate via CloudFormation, it wants you to go to ACM and manually add CNAME records to the hosted zone (domain). After you press the button, it adds those records to your domain, and the CloudFormation stack will proceed. That's the manual approach, and for a one-time job it's OK. But if you have to do that over and over again, then you are better off thinking about CloudFormation's custom resource, which will trigger a Lambda function with the required functionality. Take a look at this repo; it looks like it has what you are looking for.
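As an added example (not code from the question or the answer above), here is an offline Python check for the two things that keep a CloudFormation-managed ACM certificate pending. The template check applies directly to the question's resource: the certificate is requested for hello.com, but the only DomainValidationOptions entry, the one carrying HostedZoneId, names the subdomain, so CloudFormation has no hosted zone in which to create the validation CNAME for hello.com and waits forever; a certificate for hello.com alone would not cover hello-dev.api.hello.com either. The DNS check compares what ACM asks for in a DescribeCertificate response with what a resolver actually returns, which is the nslookup step done against the right name. All sample data is constructed: the hosted zone ID, the record hashes and the dictionary-backed resolver are placeholders, and a real run would feed in boto3's describe_certificate output and a resolver such as dnspython.

```python
"""Offline checks for an ACM certificate stuck in PENDING_VALIDATION.

Added example; not code from the question or the answer.
"""
from typing import Callable, Dict, List, Optional

Finding = str

# Constructed sample: the question's ACM resource with its apex/subdomain
# mismatch kept, ApplicationName=hello and EnvironmentName=dev substituted.
# The hosted zone ID is a placeholder.
QUESTION_ACM_PROPERTIES: Dict = {
    "DomainName": "hello.com",
    "ValidationMethod": "DNS",
    "DomainValidationOptions": [
        {"DomainName": "hello-dev.api.hello.com", "HostedZoneId": "Z0123456789EXAMPLE"},
    ],
}

# Same resource, but issued for the name the Route 53 alias record actually serves.
FIXED_ACM_PROPERTIES: Dict = {
    "DomainName": "hello-dev.api.hello.com",
    "ValidationMethod": "DNS",
    "DomainValidationOptions": [
        {"DomainName": "hello-dev.api.hello.com", "HostedZoneId": "Z0123456789EXAMPLE"},
    ],
}

# Constructed stand-in for acm.describe_certificate()["Certificate"];
# the _hash labels are placeholders, not real ACM values.
DESCRIBE_SAMPLE: Dict = {
    "DomainName": "hello-dev.api.hello.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [{
        "DomainName": "hello-dev.api.hello.com",
        "ValidationMethod": "DNS",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {
            "Name": "_0123abcd.hello-dev.api.hello.com.",
            "Type": "CNAME",
            "Value": "_4567efgh.acm-validations.aws.",
        },
    }],
}


def _norm(name: str) -> str:
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.rstrip(".").lower()


def certificate_names(props: Dict) -> List[str]:
    """Every name the certificate would be issued for: the DomainName plus SANs."""
    sans = props.get("SubjectAlternativeNames", [])
    return [_norm(props["DomainName"])] + [_norm(n) for n in sans]


def lint_validation_options(props: Dict) -> List[Finding]:
    """Static checks on AWS::CertificateManager::Certificate properties.

    For CloudFormation to finish DNS validation without manual work:
    1. each DomainValidationOptions entry must name a domain the certificate covers;
    2. each certificate name needs an entry carrying HostedZoneId, otherwise nothing
       creates the validation CNAME and the stack waits on ACM indefinitely.
    """
    findings: List[Finding] = []
    if props.get("ValidationMethod") != "DNS":
        findings.append("ValidationMethod is not DNS; HostedZoneId automation does not apply")
    names = set(certificate_names(props))
    zoned = set()
    for opt in props.get("DomainValidationOptions", []):
        dom = _norm(opt["DomainName"])
        if dom not in names:
            findings.append(f"validation option for {dom!r} matches no certificate name {sorted(names)}")
        elif opt.get("HostedZoneId"):
            zoned.add(dom)
    for name in sorted(names - zoned):
        findings.append(f"no DomainValidationOptions entry with HostedZoneId for {name!r}; "
                        "CloudFormation will not create its validation CNAME")
    return findings


def missing_validation_records(certificate: Dict,
                               resolve_cname: Callable[[str], Optional[str]]) -> List[Finding]:
    """Compare the CNAMEs ACM asks for with what DNS serves for still-pending names.

    `resolve_cname` returns the CNAME target for a name, or None if the record is absent.
    """
    findings: List[Finding] = []
    for opt in certificate.get("DomainValidationOptions", []):
        if opt.get("ValidationStatus") == "SUCCESS":
            continue
        rr = opt.get("ResourceRecord")
        if not rr:
            findings.append(f"{opt['DomainName']}: ACM has not published a validation record yet")
            continue
        seen = resolve_cname(rr["Name"])
        if seen is None:
            findings.append(f"{opt['DomainName']}: CNAME {rr['Name']} not found in DNS")
        elif _norm(seen) != _norm(rr["Value"]):
            findings.append(f"{opt['DomainName']}: CNAME {rr['Name']} points to {seen}, "
                            f"expected {rr['Value']}")
    return findings


def dict_resolver(zone: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Stand-in for a real resolver (e.g. dnspython) so the example runs offline."""
    return lambda name: zone.get(_norm(name))


if __name__ == "__main__":
    for f in lint_validation_options(QUESTION_ACM_PROPERTIES):
        print("template:", f)
    for f in missing_validation_records(DESCRIBE_SAMPLE, dict_resolver({})):
        print("dns:", f)
```

Run against the question's resource the template check reports both problems; against FIXED_ACM_PROPERTIES it reports nothing, and once the CNAME ACM asks for is present in the zone the DNS check is clean as well. With HostedZoneId set on a matching entry, CloudFormation creates that CNAME in Route 53 itself, so the manual step in the answer is only needed when the validation option and the certificate name line up but no hosted zone is given.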