I am using the aws-sdk and running into problems with the certificate manager hanging indefinitely, waiting for validation that never happens.
My stack code is basically doing:
```typescript
// Imports assumed for CDK v2; the question does not show them
import * as route53 from 'aws-cdk-lib/aws-route53';
import * as ecs_patterns from 'aws-cdk-lib/aws-ecs-patterns';
import { ApplicationProtocol } from 'aws-cdk-lib/aws-elasticloadbalancingv2';

// DOMAIN_NAME and idFor() are defined elsewhere in the stack
const hostedZone = new route53.HostedZone(this, 'HostedZone', {
  zoneName: DOMAIN_NAME,
});

new ecs_patterns.ApplicationLoadBalancedFargateService(this, idFor('FargateService'), {
  domainName: DOMAIN_NAME,
  domainZone: hostedZone,
  protocol: ApplicationProtocol.HTTPS,
  publicLoadBalancer: true,
  redirectHTTP: true,
  // ...other stuff
});
```
After a lot of digging, I figured out the problem is, my registered domain in route53 has nameservers set, and when a new hosted zone is created with route53.HostedZone(), it is setting the nameservers to something different than what is currently set for the registered domain.
I have been googling, reading aws docs, and looking at the internal source code for the cdk, and I am not seeing anything that allows you to fetch the current nameservers for an existing domain... So I do not understand how I am supposed to fix this problem.
I thought a solution might be to just manually create a zone with the right name servers and then, instead of creating a hosted zone in the cdk, use route53.HostedZone.fromLookup()... I tried that but it's still hanging on AWS::CertificateManager::Certificate
When I look at the zone in the console, I see:

```
name:  _7ce0bf02cf465edac62f9e7d2fb94b07.<my-domain>
value: _fef47ed357d09a27d030ca5cb578a715.vtqfhvjlcp.acm-validations.aws.
```

and when I go to ACM, I see:

```
name:  _7ce0bf02cf465edac62f9e7d2fb94b07.<my-domain>.
value: _fef47ed357d09a27d030ca5cb578a715.vtqfhvjlcp.acm-validations.aws.
```
I then went to the zone and did "test record" and put in `_7ce0bf02cf465edac62f9e7d2fb94b07`, and I get back the value... so route53 says it's there...

If I go to my terminal and do

```
dig <my-domain> _7ce0bf02cf465edac62f9e7d2fb94b07.<my-domain> cname
```

I get `ANSWER: 0`. So AWS says it's there, but it's not really there... And everything I have read online says a cname takes about 60 seconds to look up...
> it is setting the nameservers to something different than what is currently set for the registered domain.
Route 53 assigns new nameservers to a hosted zone each time you create the hosted zone, and they cannot be changed.
> my registered domain in route53 has nameservers set
But those nameserver settings on the registered domain are wrong. You have to update your registered domain to match the nameservers that Route 53 has assigned to your new hosted zone, not the other way around.
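The diagnostic this answer implies, and the `dig` check the question attempts, can be made mechanical. The following TypeScript is an added example written for this page; it is not code from the question, the answer, or the CDK. It compares the NS names Route 53 assigned to the hosted zone with the NS names the registrar actually publishes for the domain, checks that the CNAME in the zone is the one ACM asked for (the trailing dot ACM shows is only a presentation difference), and decides whether validation is blocked by the record, by the delegation, or is simply waiting on propagation. All nameserver values and the `example.com` stand-in for `<my-domain>` are constructed placeholders, and every function name (`normalizeName`, `compareDelegation`, `diagnoseAcmValidation`, `digCommands`) is this example's own.

```typescript
// Added example: explain a stuck AWS::CertificateManager::Certificate by comparing
// (a) what the hosted zone holds with what ACM asked for, and
// (b) the hosted zone's assigned NS set with the NS set the registrar publishes.
// Inputs are constructed here; in practice they come from the Route 53 console
// (hosted zone NS record set), the registrar (registered domain nameservers),
// and `dig NS <domain>` from a public resolver.

interface DnsRecord { name: string; value: string; }

interface DelegationReport {
  inSync: boolean;
  missingAtRegistrar: string[];    // assigned to the hosted zone but not published by the registrar
  unexpectedAtRegistrar: string[]; // published by the registrar but belonging to some other zone
}

type AcmDiagnosis =
  | 'record-mismatch'        // zone lacks the exact CNAME ACM wants: fix the record
  | 'delegation-mismatch'    // registrar points at another zone: set registrar NS to the hosted zone's NS
  | 'waiting-on-propagation'; // record and delegation are right: wait for TTLs and ACM's re-check

// Route 53 stores names lower-case with one trailing dot; normalize so
// "_7ce0...example.com" and "_7ce0...example.com." compare equal.
function normalizeName(name: string): string {
  return name.trim().toLowerCase().replace(/\.+$/, '') + '.';
}

function compareDelegation(hostedZoneNs: string[], registrarNs: string[]): DelegationReport {
  const zone = new Set(hostedZoneNs.map(normalizeName));
  const reg = new Set(registrarNs.map(normalizeName));
  const missingAtRegistrar = Array.from(zone).filter(n => !reg.has(n)).sort();
  const unexpectedAtRegistrar = Array.from(reg).filter(n => !zone.has(n)).sort();
  return {
    inSync: missingAtRegistrar.length === 0 && unexpectedAtRegistrar.length === 0,
    missingAtRegistrar,
    unexpectedAtRegistrar,
  };
}

// True when the zone's CNAME is exactly the validation record ACM requested.
function validationRecordMatches(acm: DnsRecord, zone: DnsRecord): boolean {
  return normalizeName(acm.name) === normalizeName(zone.name)
    && normalizeName(acm.value) === normalizeName(zone.value);
}

function diagnoseAcmValidation(input: {
  acmRecord: DnsRecord;
  zoneRecord?: DnsRecord;
  hostedZoneNs: string[];
  registrarNs: string[];
}): AcmDiagnosis {
  if (!input.zoneRecord || !validationRecordMatches(input.acmRecord, input.zoneRecord)) {
    return 'record-mismatch';
  }
  if (!compareDelegation(input.hostedZoneNs, input.registrarNs).inSync) {
    return 'delegation-mismatch';
  }
  return 'waiting-on-propagation';
}

// The three dig queries that separate "record exists in the zone" from "zone is delegated":
// ask a hosted-zone NS directly, ask the public resolver, and look at who the registrar delegates to.
function digCommands(domain: string, validationName: string, hostedZoneNs: string): string[] {
  return [
    `dig @${hostedZoneNs} +short CNAME ${validationName}`, // authoritative view: record present?
    `dig +short CNAME ${validationName}`,                  // public view: what ACM's resolvers see
    `dig +short NS ${domain}`,                             // delegation the registrar publishes
  ];
}

// Constructed sample: hosted zone created by CDK vs. registrar still carrying an older zone's NS.
const SAMPLE_HOSTED_ZONE_NS = ['ns-1234.awsdns-27.org.', 'ns-567.awsdns-06.net.', 'ns-89.awsdns-11.com.', 'ns-1900.awsdns-45.co.uk.'];
const SAMPLE_REGISTRAR_NS   = ['ns-1234.awsdns-27.org', 'ns-321.awsdns-40.net', 'ns-89.awsdns-11.com', 'ns-1700.awsdns-20.co.uk'];
const SAMPLE_ACM_RECORD: DnsRecord  = { name: '_7ce0bf02cf465edac62f9e7d2fb94b07.example.com.', value: '_fef47ed357d09a27d030ca5cb578a715.vtqfhvjlcp.acm-validations.aws.' };
const SAMPLE_ZONE_RECORD: DnsRecord = { name: '_7ce0bf02cf465edac62f9e7d2fb94b07.example.com',  value: '_fef47ed357d09a27d030ca5cb578a715.vtqfhvjlcp.acm-validations.aws.' };

function diagnoseSample(): AcmDiagnosis {
  return diagnoseAcmValidation({
    acmRecord: SAMPLE_ACM_RECORD,
    zoneRecord: SAMPLE_ZONE_RECORD,
    hostedZoneNs: SAMPLE_HOSTED_ZONE_NS,
    registrarNs: SAMPLE_REGISTRAR_NS,
  });
}

console.log(diagnoseSample());
console.log(compareDelegation(SAMPLE_HOSTED_ZONE_NS, SAMPLE_REGISTRAR_NS));
console.log(digCommands('example.com', SAMPLE_ZONE_RECORD.name, SAMPLE_HOSTED_ZONE_NS[0]).join('\n'));
```

With the sample data the verdict is `delegation-mismatch`: the record is correct and the zone's own nameserver would answer the CNAME query, but the public resolver (and therefore ACM) is sent to the registrar's stale NS set, which matches the "Route 53 says it's there, dig says ANSWER: 0" symptom in the question. The fix is the one the answer gives: copy the four NS names listed in `missingAtRegistrar` (the hosted zone's NS record set) onto the registered domain.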