Bootstrap FreeKB - Amazon Web Services (AWS) - Resolve certificate pending validation or failed
Amazon Web Services (AWS) - Resolve certificate pending validation or failed


The aws acm describe-certificate command displays information about a certificate, including its Status and, for DNS validation, the CNAME record that ACM expects to find. Let's say the certificate status is PENDING_VALIDATION or FAILED.

~]$ aws acm describe-certificate --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/1e7f6855-b89c-482b-87f5-833d0b7f088b
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/1e7f6855-b89c-482b-87f5-833d0b7f088b",
        "DomainName": "example.com",
        "SubjectAlternativeNames": [
            "example.com"
        ],
        "DomainValidationOptions": [
            {
                "DomainName": "example.com",
                "ValidationDomain": "example.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ResourceRecord": {
                    "Name": "_4be4327c41bfcc90100cf0b869d1b061.example.com.",
                    "Type": "CNAME",
                    "Value": "_97db65065d0d956b05e17cfdd8dc42a0.fcgjwsnkyp.acm-validations.aws."
                },
                "ValidationMethod": "DNS"
            }
        ],
        "Subject": "CN=example.com",
        "Issuer": "Amazon",
        "CreatedAt": "2023-05-15T20:55:11.903000-05:00",
        "Status": "PENDING_VALIDATION",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [],
        "Type": "AMAZON_ISSUED",
        "KeyUsages": [],
        "ExtendedKeyUsages": [],
        "RenewalEligibility": "INELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "ENABLED"
        }
    }
}

 

When creating a certificate using the aws acm request-certificate command, the validation method can be:

  • DNS (preferred)
  • email

~]$ aws acm request-certificate --domain-name freekb.link --validation-method DNS
{
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/1e7f6855-b89c-482b-87f5-833d0b7f088b"
}

 

When using DNS validation, the registrar status of your domain (the StatusList returned by aws route53domains get-domain-detail) must be "ok". If the status is something other than ok, such as clientHold, the domain's DNS will not resolve, ACM cannot find the validation CNAME record, and the certificate status will remain PENDING_VALIDATION or become FAILED.

~]# aws route53domains get-domain-detail --domain-name example.com

    "StatusList": [
        "clientHold"
    ]
}

 

When using DNS validation, you must create the CNAME record listed under ResourceRecord in the describe-certificate output (Name, Type and Value must match exactly, including the trailing dots) in the DNS zone for the domain. In Route 53 this can be done by creating a JSON change batch file that will be used to create the CNAME record.

{
    "Comment": "create CNAME record",
    "Changes": [
        {
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "_4be4327c41bfcc90100cf0b869d1b061.example.com.",
                "Type": "CNAME",
                "TTL": 300,
                "ResourceRecords": [
                    {
                        "Value": "_97db65065d0d956b05e17cfdd8dc42a0.fcgjwsnkyp.acm-validations.aws."
                    }
                ]
            }
        }
    ]
}

 

And then use the aws route53 change-resource-record-sets command to add the DNS record to Route 53.

~]$ aws route53 change-resource-record-sets --hosted-zone-id Z05686652SMOE9CSNT942 --change-batch file:///path/to/example.json

 

And then the aws route53 list-resource-record-sets command can be used to list the DNS records in the Hosted Zone and confirm the validation CNAME record is present. Once the record resolves, ACM picks it up on its own; re-run aws acm describe-certificate until Status changes to ISSUED.

~]$ aws route53 list-resource-record-sets --hosted-zone-id Z05686652SMOE9CSNT942

{
    "Name": "_4be4327c41bfcc90100cf0b869d1b061.example.com.",
    "Type": "CNAME",
    "TTL": 300,
    "ResourceRecords": [
        {
            "Value": "_97db65065d0d956b05e17cfdd8dc42a0.fcgjwsnkyp.acm-validations.aws."
        }
    ]
}
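The procedure above (read the ResourceRecord from describe-certificate, write the change batch, apply it with change-resource-record-sets, then wait for ISSUED) together with the clientHold check, as one added Python example that is not part of the article or of AWS's own tooling. It assumes boto3 for the live calls; the build_change_batch and diagnose helpers are pure functions that run offline against a constructed sample copied from the output shown above. The function names, the UPSERT default (the article's JSON uses CREATE) and the wording of the findings are my choices, not the article's.

```python
"""Publish ACM DNS-validation CNAME records in Route 53 and explain a stuck
certificate. Added example; helper names and defaults are assumptions."""
import json

# Constructed sample shaped like `aws acm describe-certificate` output
# (values copied from the article's example; not a real certificate).
SAMPLE_CERTIFICATE = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/1e7f6855-b89c-482b-87f5-833d0b7f088b",
    "DomainName": "example.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {
            "DomainName": "example.com",
            "ValidationStatus": "PENDING_VALIDATION",
            "ValidationMethod": "DNS",
            "ResourceRecord": {
                "Name": "_4be4327c41bfcc90100cf0b869d1b061.example.com.",
                "Type": "CNAME",
                "Value": "_97db65065d0d956b05e17cfdd8dc42a0.fcgjwsnkyp.acm-validations.aws.",
            },
        }
    ],
}


def build_change_batch(certificate, action="UPSERT", ttl=300):
    """Turn every DNS ResourceRecord on the certificate into one Route 53 change.
    UPSERT is idempotent (re-running does not fail on an existing record);
    pass action="CREATE" to mirror the article's JSON exactly. A wildcard and
    its base domain share one validation record, so duplicates are dropped."""
    seen = set()
    changes = []
    for option in certificate.get("DomainValidationOptions", []):
        record = option.get("ResourceRecord")
        if option.get("ValidationMethod") != "DNS" or not record:
            continue
        key = (record["Name"], record["Value"])
        if key in seen:
            continue
        seen.add(key)
        changes.append({
            "Action": action,
            "ResourceRecordSet": {
                "Name": record["Name"],
                "Type": record["Type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": record["Value"]}],
            },
        })
    return {"Comment": f"ACM validation for {certificate['DomainName']}", "Changes": changes}


def diagnose(certificate, domain_status_list):
    """Return human-readable reasons a certificate is not ISSUED.
    domain_status_list is StatusList from `aws route53domains get-domain-detail`."""
    findings = []
    if certificate.get("Status") == "ISSUED":
        return findings
    blocking = [s for s in domain_status_list if s.lower() != "ok"]
    if blocking:
        findings.append(f"registrar status {blocking} is not ok: DNS for the domain "
                        "will not resolve, so ACM cannot see the validation CNAME")
    for option in certificate.get("DomainValidationOptions", []):
        status = option.get("ValidationStatus")
        name = option["ResourceRecord"]["Name"]
        if status == "PENDING_VALIDATION":
            findings.append(f"{option['DomainName']}: CNAME {name} not yet resolvable by ACM")
        elif status == "FAILED":
            findings.append(f"{option['DomainName']}: validation FAILED; ACM does not retry, "
                            f"so publish {name} and request a new certificate")
    return findings


def apply_validation_records(hosted_zone_id, certificate_arn, region="us-east-1"):
    """Live path (needs AWS credentials): publish the CNAMEs, wait for the
    Route 53 change to sync, then wait for ACM to report ISSUED."""
    import boto3  # imported here so the offline helpers work without boto3
    acm = boto3.client("acm", region_name=region)
    certificate = acm.describe_certificate(CertificateArn=certificate_arn)["Certificate"]
    route53 = boto3.client("route53")
    change = route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=build_change_batch(certificate))
    route53.get_waiter("resource_record_sets_changed").wait(Id=change["ChangeInfo"]["Id"])
    acm.get_waiter("certificate_validated").wait(CertificateArn=certificate_arn)
    return acm.describe_certificate(CertificateArn=certificate_arn)["Certificate"]["Status"]


if __name__ == "__main__":
    print(json.dumps(build_change_batch(SAMPLE_CERTIFICATE), indent=4))
    for finding in diagnose(SAMPLE_CERTIFICATE, ["clientHold"]):
        print("-", finding)
```

Run it as-is to print the change batch for the sample and the two findings (registrar hold, CNAME not yet resolvable); call apply_validation_records with a real hosted zone id and certificate ARN to do the live publish-and-wait. Note that the change batch is built from ACM's own ResourceRecord values rather than typed by hand, which removes the most common cause of a stuck validation: a record name or value that differs from what ACM expects by a trailing dot or a copied-wrong character.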
