Lightsail Certificates: Certificate validation always fails with external DNS managed by Cloudflare

0

Creating a certificate in AWS Lightsail, creating all the DNS validation records in Cloudflare and double-checking every record via dig / nslookup always leads to failure:

Certificate created

Automatic validation failed. Manual validation required.

Auto validation failed because no matching DNS zone found in lightsail.

Status Failed

Querying certificates returns confusing information:

aws lightsail get-certificates --include-certificate-details

{
    "domainName": "test1.example.com",
    "resourceRecord": {
        "name": "_f0b4ecc67af2fbdffff2cc67af2fb.test1.example.com.",
        "type": "CNAME",
        "value": "_1cace108509243555135551fd5092435q.acm-validations.aws."
    },
    "dnsRecordCreationState": {
        "code": "FAILED",
        "message": "Auto validation failed because no matching DNS zone found in lightsail."
    },
    "validationStatus": "FAILED"
},

NOTE: Actual domain data (names, records) in screenshots and command output were redacted / changed.

1 Answer
3
Accepted Answer

It turns out the issue was with the CAA records Cloudflare adds automatically, which prevent other Certification Authorities from issuing new certificates for those domains.

See the following resources for detailed answers and solutions:

answered 2 years ago

EXPERT

reviewed 2 years ago

EXPERT

reviewed 2 years ago
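As an added example (not part of the question or the answer above), the following Python reproduces the diagnosis: it evaluates a zone's CAA records against the CAs that ACM issues through and checks that the validation CNAME from `get-certificates` is published as requested. It parses constructed dig-style answer lines so it runs offline; the ACM issuer list is taken from the ACM documentation, and the sample CAA set is an assumption modelled on Cloudflare's defaults, not a real zone.

```python
import re
# CAs that AWS Certificate Manager issues through (per the ACM documentation on CAA records).
ACM_ISSUERS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}
# One line of `dig +noall +answer` output, e.g.  example.com. 300 IN CAA 0 issue "letsencrypt.org"
RR_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+(CAA|CNAME)\s+(.*)$')

def parse_answers(text):
    """Return [(owner, rtype, rdata)] from dig-style answer lines; owner lowercased, no trailing dot."""
    return [(m.group(1).rstrip(".").lower(), m.group(2), m.group(3).strip())
            for line in text.strip().splitlines() if (m := RR_RE.match(line.strip()))]

def caa_permits(rrs, issuers=ACM_ISSUERS, wildcard=False):
    """RFC 8659 check: no relevant issue/issuewild tag means unrestricted; otherwise one tag's
    issuer domain must be in `issuers` (a bare ';' authorizes nobody). Wildcard names use
    issuewild tags when any exist, else fall back to issue tags."""
    tags = []
    for _, rtype, rdata in rrs:
        if rtype == "CAA":
            _flags, tag, value = rdata.split(None, 2)
            tags.append((tag.lower(), value.strip('"')))
    use_wild = wildcard and any(t == "issuewild" for t, _ in tags)
    relevant = [v for t, v in tags if t == ("issuewild" if use_wild else "issue")]
    if not relevant:
        return True
    return any(v.split(";")[0].strip().lower() in issuers for v in relevant)

def validation_cname_present(rrs, resource_record):
    """True if the CNAME from get-certificates' resourceRecord is published exactly as requested."""
    want_name = resource_record["name"].rstrip(".").lower()
    want_value = resource_record["value"].rstrip(".").lower()
    return any(o == want_name and t == "CNAME" and v.rstrip(".").lower() == want_value
               for o, t, v in rrs)

# Constructed sample mirroring the question: Cloudflare-style CAA set with no Amazon CA, plus the
# validation CNAME published correctly. Placeholder names taken from the redacted output above.
SAMPLE_CAA = """
example.com. 300 IN CAA 0 issue "letsencrypt.org"
example.com. 300 IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"
example.com. 300 IN CAA 0 issuewild "letsencrypt.org"
"""
SAMPLE_CNAME = "_f0b4ecc67af2fbdffff2cc67af2fb.test1.example.com. 300 IN CNAME _1cace108509243555135551fd5092435q.acm-validations.aws."
RESOURCE_RECORD = {"name": "_f0b4ecc67af2fbdffff2cc67af2fb.test1.example.com.", "type": "CNAME",
                   "value": "_1cace108509243555135551fd5092435q.acm-validations.aws."}

def diagnose(caa_text=SAMPLE_CAA, cname_text=SAMPLE_CNAME, resource_record=RESOURCE_RECORD):
    """Return (cname_ok, caa_ok); the question's symptom is (True, False): DNS fine, CAA blocks ACM."""
    return (validation_cname_present(parse_answers(cname_text), resource_record),
            caa_permits(parse_answers(caa_text)))
```

Feed it the output of `dig +noall +answer example.com CAA` and of `dig +noall +answer <validation name> CNAME` for a live check; adding a CAA record for one of the ACM issuers turns `caa_ok` to True.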
