"Certificate not yet issued" response from boto.get_certificate


I requested a publicly signed SSL certificate from the Amazon Certificate Manager ("ACM") service yesterday. The certificate should be requested/pulled by boto library methods for eventual use on our web servers. Here is the code being used:

import logging

import boto3
from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)
boto = boto3.client('acm')

domain = 'ourdomain.com'
sub_domains = None  # We are using DNS validation with `*.ourdomain.com`


def request_validation(domain, alternate_domains, method):
    """Request a public certificate from ACM and return its ARN."""
    try:
        kwargs = {
            'DomainName': domain,
            'ValidationMethod': method,  # 'DNS' or 'EMAIL'
        }
        if alternate_domains:
            # Extra names such as '*.ourdomain.com' must be listed explicitly.
            kwargs['SubjectAlternativeNames'] = alternate_domains
        response = boto.request_certificate(**kwargs)
        certificate_arn = response['CertificateArn']
        logger.info(
            "Requested %s validation for domain %s. Certificate ARN is %s.",
            method, domain, certificate_arn)
    except ClientError:
        logger.exception(
            "Request for %s validation of domain %s failed.", method, domain)
        raise
    else:
        return certificate_arn


certificate_arn = request_validation(domain, sub_domains, 'DNS')
print(f"Started validation, got certificate ARN: {certificate_arn}.")

# get_certificate() only succeeds once the certificate status is ISSUED;
# called right after the request it raises RequestInProgressException.
response = None
try:
    response = boto.get_certificate(CertificateArn=certificate_arn)
    logger.info("Got certificate %s and its chain.", certificate_arn)
except ClientError:
    logger.exception("Couldn't get certificate %s.", certificate_arn)
    raise

print(response)

When running the above (after substituting our actual domain for "ourdomain") the following error occurs:

botocore.errorfactory.RequestInProgressException: An error occurred (RequestInProgressException) when calling the GetCertificate operation: Certificate arn:aws:acm:us-east-2:234323424:certificate/xxxxx in account 22342424 not yet issued

Here is the full response:

Started validation, got certificate ARN: arn:aws:acm:us-east-2:1234234:certificate/4a2xxxx-4xxx-xxx-xxx-xxxx.
Couldn't get certificate arn:aws:acm:us-east-2:1234343:certificate/4axxxxx4-4082-xxx-xxx-xxxxx.
Traceback (most recent call last):
  File "/Users/steve/git/ciderd/keys_server/experiments/aws-certs.py", line 45, in <module>
    response = boto.get_certificate(CertificateArn=certificate_arn)
  File "/Users/steve/miniconda3/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/steve/miniconda3/lib/python3.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.RequestInProgressException: An error occurred (RequestInProgressException) when calling the GetCertificate operation: Certificate arn:aws:acm:us-east-2:12343234:certificate/xxxxxxafff87aa3 in account 123423423 not yet issued
Traceback (most recent call last):
  File "/Users/steve/git/ciderd/keys_server/experiments/aws-certs.py", line 45, in <module>
    response = boto.get_certificate(CertificateArn=certificate_arn)
  File "/Users/steve/miniconda3/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/steve/miniconda3/lib/python3.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.RequestInProgressException: An error occurred (RequestInProgressException) when calling the GetCertificate operation: Certificate arn:aws:acm:us-east-2:234323424:certificate/xxxxx  in account 22342424 not yet issued

There are a couple of possibilities:

  • Everything is fine and we just need to wait, as the error says
  • The Python code is incorrect, so the "wait" would be forever
  • There is something wrong with the certificate itself, so the wait might be forever

Is there any way to determine which of those possibilities is the actual case here?

  • Does that Python/boto code look correct?
  • Is it correct to send in mydomain.com for an ACM-requested certificate of the form *.mydomain.com?

Thanks.

Phil:

Here's a sketch of how to request the cert and have ACM validate it via DNS (updating DNS is an exercise for the reader):

import time
import boto3

acm = boto3.client("acm")


domain_name: str = "example.com"

request_certificate_response = acm.request_certificate(
    DomainName=domain_name,
    ValidationMethod="DNS",
)

certificate_arn = request_certificate_response["CertificateArn"]

# sleep to give ACM a chance to set DNS validation records
# https://github.com/aws/aws-sdk-js/issues/2133
time.sleep(10)

describe_certificate_response = acm.describe_certificate(
    CertificateArn=certificate_arn,
)

certificate = describe_certificate_response["Certificate"]
domain_validation_options = certificate["DomainValidationOptions"][
    0
]  # should only be one!

# These are the values to shove in Route53
# domain_validation_options["ResourceRecord"]["Name"]
# domain_validation_options["ResourceRecord"]["Value"]

Incidentally, it sounds like you want to be able to export the private key to import it into a server; that can't be done. Your best bet would be to look into AWS Certificate Manager for Nitro Enclaves.
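The question asks how to tell "still pending" from "will never be issued". As an added example (not code from the question or from Phil's answer), the following reads the describe_certificate() payload that the answer already uses and classifies it by Status, FailureReason and each domain's ValidationStatus, polling until ISSUED or a terminal state before get_certificate() is attempted. FakeAcm is a constructed, hypothetical stand-in for boto3.client("acm") so the module runs offline; the sample payloads and ARN are constructed values.

```python
# Added example (not from the question or the answer): classify what describe_certificate()
# reports so "not yet issued" can be told apart from "will never be issued". FakeAcm is a
# constructed stand-in for boto3.client("acm") so the module runs offline.
import time
from typing import Any, Dict, List

# Terminal states: more waiting cannot turn these into ISSUED.
TERMINAL = {"FAILED", "VALIDATION_TIMED_OUT", "REVOKED", "EXPIRED", "INACTIVE"}


def diagnose(certificate: Dict[str, Any]) -> str:
    """Explain one describe_certificate()["Certificate"] dict in a single line."""
    status = certificate.get("Status")
    if status == "ISSUED":
        return "issued: get_certificate() will now return the cert and its chain"
    if status in TERMINAL:
        reason = certificate.get("FailureReason", "no reason given")
        return f"{status}: waiting will not help ({reason})"
    # PENDING_VALIDATION: list each unvalidated name and the CNAME ACM expects to see.
    pending: List[str] = []
    for opt in certificate.get("DomainValidationOptions", []):
        if opt.get("ValidationStatus") == "SUCCESS":
            continue
        rr = opt.get("ResourceRecord")
        if rr is None:  # ACM has not generated the record yet; poll again shortly
            pending.append(f"{opt['DomainName']}: validation record not generated yet")
        else:
            pending.append(f"{opt['DomainName']}: publish {rr['Type']} {rr['Name']} -> {rr['Value']}")
    return "pending: " + "; ".join(pending)


def wait_for_issuance(acm, certificate_arn: str, attempts: int = 30, delay: float = 10.0) -> str:
    """Poll describe_certificate() until ISSUED or a terminal state, then report."""
    verdict = "no status observed"
    for _ in range(attempts):
        cert = acm.describe_certificate(CertificateArn=certificate_arn)["Certificate"]
        verdict = diagnose(cert)
        if cert.get("Status") == "ISSUED" or cert.get("Status") in TERMINAL:
            return verdict  # only now is boto.get_certificate(CertificateArn=...) safe
        time.sleep(delay)
    return "timeout: " + verdict


class FakeAcm:
    """Constructed client returning a scripted sequence of Certificate payloads."""
    def __init__(self, payloads): self._payloads = list(payloads)
    def describe_certificate(self, CertificateArn): return {"Certificate": self._payloads.pop(0)}
```

With a real account, pass boto3.client("acm") instead of FakeAcm and the ARN printed by the question's script; a "pending" verdict that never names a generated record, or a terminal state with a FailureReason, is the signal that waiting longer will not help.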