Tags: amazon-web-services, boto3, aws-certificate-manager, aws-organizations

Unable to attach ACM Public certificate with ALB Listener using Lambda across account


I am creating an ACM public certificate in an AWS Organizations member account, using a Lambda function that runs in the master account.

The code to create the ACM cert and attach it to the listener is:

import boto3

# Clients for the member (organization) account; in the Lambda they are
# built from assumed-role credentials (not shown here). Target_group_arn
# and alb_arn refer to existing resources and are set earlier.
client_acm = boto3.client('acm')
client_elbv = boto3.client('elbv2')

# Request a public certificate with DNS validation. ACM returns the ARN
# immediately; validation has not happened yet at this point.
resp_acm = client_acm.request_certificate(
    DomainName='test.example.com',
    ValidationMethod='DNS',
)
acm_arn = resp_acm['CertificateArn']

print(acm_arn)

# Create an HTTPS listener on the ALB that uses the new certificate
resp_listener = client_elbv.create_listener(
    Certificates=[
        {
            'CertificateArn': acm_arn,
        },
    ],
    DefaultActions=[
        {
            'Type': 'forward',
            'TargetGroupArn': Target_group_arn,
        },
    ],
    LoadBalancerArn=alb_arn,
    Port=443,
    Protocol='HTTPS',
    SslPolicy='ELBSecurityPolicy-2016-08',
)

But I am getting this error:

"errorMessage": "An error occurred (UnsupportedCertificate) when calling the CreateListener operation: The certificate 
'arn:aws:acm:eu-west-2:xxxxxxxxx:certificate/675071212-cdd1-4gg5-9d49-6a89a47eee88' must have a fully-qualified domain name, 
a supported signature, and a supported key size.",

Can anyone please help? The main domain is in the master account, and I am creating the certificate for a subdomain in an AWS Organizations member account, cross-account.


Solution

  • I have fixed this issue. After requesting the ACM cert, you have to validate it after some wait time. You can use the following code snippet:

    import time

    # Continues from the code in the question: resp_acm is the response of
    # request_certificate and client_acm the member-account ACM client.
    # client_route53 is assumed to use the master account's credentials,
    # because that account owns the hosted zone (HostedZoneID) of the main
    # domain where the validation record has to be created.
    acm_arn = resp_acm['CertificateArn']

    print(acm_arn)
    # ACM needs a moment before the DNS validation record is available
    time.sleep(10)
    #describe acm certificate
    acm_describe = client_acm.describe_certificate(
        CertificateArn=acm_arn
    )

    # CNAME record ACM expects to find in DNS to prove control of the domain
    name = acm_describe['Certificate']['DomainValidationOptions'][0]['ResourceRecord']['Name']

    value = acm_describe['Certificate']['DomainValidationOptions'][0]['ResourceRecord']['Value']

    #validating acm certificate using DNS
    acm_validation = client_route53.change_resource_record_sets(
        HostedZoneId=HostedZoneID,
        ChangeBatch={
            'Comment': 'DNS Validation',
            'Changes': [
                {
                    # CREATE fails if the record already exists (e.g. on a
                    # retried Lambda run); UPSERT would be idempotent
                    'Action': 'CREATE',
                    'ResourceRecordSet': {
                        'Name': name,
                        'Type': 'CNAME',
                        'TTL': 1800,
                        'ResourceRecords': [
                            {
                                'Value': value
                            },
                        ],
                    }
                },
            ]
        }
    )

    #waiting for acm to get validated using dns
    waiter = client_acm.get_waiter('certificate_validated')
    waiter.wait(
        CertificateArn=acm_arn,
        WaiterConfig={
            'Delay': 15,
            'MaxAttempts': 80
        }
    )
    time.sleep(10)
    # the certificate is now ISSUED and can be attached to the listener
    

    Hopefully this will solve your problem too.
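The procedure in the answer, request the certificate, publish the validation CNAME in the parent zone, wait for issuance and only then attach, put together as an added example (this is not code from the question or the answer). Compared with the snippets above it polls for the validation record instead of sleeping a fixed 10 seconds, handles certificates with several names (ACM hands out one CNAME per name and repeats it for a name and its wildcard), uses UPSERT so a retried Lambda run does not fail on an existing record, passes an IdempotencyToken so a retry does not request a second certificate, and refuses to create the listener unless the status is ISSUED, which is exactly the state the UnsupportedCertificate error in the question complains about. MEMBER_ROLE_ARN, REGION, HOSTED_ZONE_ID, ALB_ARN and TARGET_GROUP_ARN in build_clients and at the call site are placeholders, and the clients are passed in so the helpers can be exercised with fakes.

```python
"""Request an ACM public certificate in a member account, validate it via a
Route 53 zone in the master account, then attach it to an ALB listener.
Added example; role ARN, region, zone and ALB identifiers are placeholders."""
import hashlib
import time


def validation_changes(cert_resp, ttl=300):
    """Build Route 53 UPSERT changes for every DNS validation record.

    Handles SAN certificates and de-duplicates records: ACM issues the same
    CNAME for example.com and *.example.com, and Route 53 rejects a batch
    that touches the same record twice. UPSERT is idempotent on retries.
    """
    changes, seen = [], set()
    for opt in cert_resp["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if rr is None:
            raise RuntimeError(f"no validation record yet for {opt['DomainName']}")
        key = (rr["Name"], rr["Value"])
        if key in seen:
            continue
        seen.add(key)
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],  # CNAME for DNS validation
                "TTL": ttl,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return changes


def wait_for_validation_records(acm, cert_arn, attempts=12, delay=5):
    """Poll DescribeCertificate until ACM has filled in ResourceRecord for
    every domain on the certificate, instead of a fixed sleep."""
    for _ in range(attempts):
        cert_resp = acm.describe_certificate(CertificateArn=cert_arn)
        opts = cert_resp["Certificate"].get("DomainValidationOptions", [])
        if opts and all("ResourceRecord" in o for o in opts):
            return cert_resp
        time.sleep(delay)
    raise TimeoutError(f"validation records for {cert_arn} not available")


def issue_and_attach(acm, route53, elbv2, *, domain, hosted_zone_id,
                     alb_arn, target_group_arn, poll_delay=5):
    """acm and elbv2 are member-account clients; route53 is the master-account
    client for the zone that owns the parent domain."""
    # Deterministic IdempotencyToken (<= 32 word characters): a retried
    # invocation within the hour gets the same certificate, not a new one.
    token = hashlib.sha256(domain.encode()).hexdigest()[:32]
    cert_arn = acm.request_certificate(
        DomainName=domain, ValidationMethod="DNS", IdempotencyToken=token,
    )["CertificateArn"]
    cert_resp = wait_for_validation_records(acm, cert_arn, delay=poll_delay)
    route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch={"Comment": f"ACM DNS validation for {domain}",
                     "Changes": validation_changes(cert_resp)},
    )
    acm.get_waiter("certificate_validated").wait(
        CertificateArn=cert_arn, WaiterConfig={"Delay": 15, "MaxAttempts": 80},
    )
    # Only an ISSUED certificate can back an HTTPS listener; a certificate
    # still PENDING_VALIDATION is what produces UnsupportedCertificate.
    status = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]["Status"]
    if status != "ISSUED":
        raise RuntimeError(f"{cert_arn} is {status}, not ISSUED")
    return elbv2.create_listener(
        LoadBalancerArn=alb_arn, Port=443, Protocol="HTTPS",
        # TLS 1.2+ only, instead of the older ELBSecurityPolicy-2016-08
        SslPolicy="ELBSecurityPolicy-TLS13-1-2-2021-06",
        Certificates=[{"CertificateArn": cert_arn}],
        DefaultActions=[{"Type": "forward", "TargetGroupArn": target_group_arn}],
    )


def build_clients(member_role_arn, region):
    """Assume the member-account role for ACM and ELBv2; Route 53 stays in the
    master account. boto3 is imported here so the helpers above can be tested
    without it installed. member_role_arn is a placeholder."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=member_role_arn, RoleSessionName="acm-validation")["Credentials"]
    member = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"], region_name=region)
    return member.client("acm"), boto3.client("route53"), member.client("elbv2")


if __name__ == "__main__":  # placeholders: replace with your own identifiers
    acm, r53, elb = build_clients("MEMBER_ROLE_ARN", "REGION")
    issue_and_attach(acm, r53, elb, domain="test.example.com",
                     hosted_zone_id="HOSTED_ZONE_ID", alb_arn="ALB_ARN",
                     target_group_arn="TARGET_GROUP_ARN")
```

The master-account Lambda role needs route53:ChangeResourceRecordSets on the parent zone and sts:AssumeRole on the member role; the member role needs acm:RequestCertificate, acm:DescribeCertificate and elasticloadbalancing:CreateListener. Keeping the Route 53 write in the master account means the member account never gets write access to the organisation's DNS.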