AWS ACM certificate with domain validation

I’m trying – and succeeding, actually – to create a Route53 domain-validated ACM certificate attached to an HTTPS listener of an Application Load Balancer:

# Certificate for <component>.<zone>, validated via DNS (Route53).
# create_before_destroy lets a replacement cert be issued before the old one is removed.
resource "aws_acm_certificate" "ecs_cert" {
  domain_name = "${var.component}.${data.aws_route53_zone.root.name}"
  # Note: this SAN is identical to domain_name, which the certificate already covers.
  subject_alternative_names = [
    "${var.component}.${data.aws_route53_zone.root.name}"
  ]
  validation_method = "DNS"
  lifecycle {
    create_before_destroy = true
  }
}

# Waits until ACM reports the certificate as issued, using the FQDNs of the
# validation records created below.
resource "aws_acm_certificate_validation" "ecs_cert_validation" {
  certificate_arn = aws_acm_certificate.ecs_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.ecs_cert_validation_records : record.fqdn]
}

# One CNAME validation record per domain on the certificate, keyed by domain name.
resource "aws_route53_record" "ecs_cert_validation_records" {
  zone_id = data.aws_route53_zone.root.zone_id
  allow_overwrite = true
  ttl = "60"
  for_each = {
    for dvo in aws_acm_certificate.ecs_cert.domain_validation_options : dvo.domain_name => {
      name = dvo.resource_record_name
      type = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }
  name = each.value.name
  type = each.value.type
  records = [ each.value.record ]
}

This works great for an APPLY/DESTROY cycle. But if I refresh an existing setup via re-APPLY, Terraform marks the listener’s cert, the accompanying validation, and the validation DNS records as needing forced replacement, but the certificate process eventually fails:

aws_acm_certificate_validation.ecs_cert_validation: Destroying... [id=2022-08-30 04:21:21.028 +0000 UTC]
aws_acm_certificate_validation.ecs_cert_validation: Destruction complete after 0s
aws_route53_record.ecs_cert_validation_records["host.domain"]: Destroying... [id=ZE85JJFU1M837__2661adc7d19531019d01facbc614f108.host.domain._CNAME]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Still destroying... [id=ZE85JJFU1M837__2661adc7d19531019d01facb...4b-host.domain._CNAME, 10s elapsed]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Still destroying... [id=ZE85JJFU1M837__2661adc7d19531019d01facb...4b-host.domain._CNAME, 20s elapsed]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Still destroying... [id=ZE85JJFU1M837__2661adc7d19531019d01facb...4b-host.domain._CNAME, 30s elapsed]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Still destroying... [id=ZE85JJFU1M837__2661adc7d19531019d01facb...4b-host.domain._CNAME, 40s elapsed]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Destruction complete after 43s
aws_acm_certificate.ecs_cert: Creating...
aws_acm_certificate.ecs_cert: Creation complete after 5s [id=arn:aws:acm:us-east-1:account:certificate/8f5259e7-f1d4-47d3-b114-bb9fe341fcf0]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Creating...
aws_lb_listener.listener_443: Modifying... [id=arn:aws:elasticloadbalancing:us-east-1:account:listener/app/service/51f1961f20605d59/3395894187b246f6]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Still creating... [10s elapsed]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Still creating... [20s elapsed]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Still creating... [30s elapsed]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Still creating... [40s elapsed]
aws_route53_record.ecs_cert_validation_records["host.domain"]: Creation complete after 45s [id=ZE85JJFU1M837__2661adc7d19531019d01facbc614f108.host.domain._CNAME]
aws_acm_certificate_validation.ecs_cert_validation: Creating...
aws_acm_certificate_validation.ecs_cert_validation: Creation complete after 0s [id=2022-08-30 05:18:43.429 +0000 UTC]

│ Error: error modifying ELBv2 Listener (arn:aws:elasticloadbalancing:us-east-1:account:listener/app/service/51f1961f20605d59/3395894187b246f6): UnsupportedCertificate: The certificate 'arn:aws:acm:us-east-1:account:certificate/8f5259e7-f1d4-47d3-b114-bb9fe341fcf0' must have a fully-qualified domain name, a supported signature, and a supported key size.
│ status code: 400, request id: f45e0779-51a2-4e0f-ac12-b6ee04609810

│ with aws_lb_listener.listener_443,
│ on cluster.tf line 397, in resource "aws_lb_listener" "listener_443":
│ 397: resource "aws_lb_listener" "listener_443" {

I saw somewhere that this signature/keySize error is perhaps misleading and is actually indicative of the certificate not completing the DNS domain validation in time? Even though it says it finished?? Can anyone shed some light on what I am doing wrong and how the script can be fixed to work across a re-APPLY?

Using:

Terraform v1.2.8
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.75.2
+ provider registry.terraform.io/hashicorp/template v2.2.0
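The dependency pattern the Terraform AWS provider documents for ACM-backed listeners, as an added example rather than the poster's configuration: the listener takes its certificate_arn from aws_acm_certificate_validation instead of aws_acm_certificate directly, so on every apply the listener update cannot start until ACM has issued the certificate (in the log above, aws_lb_listener.listener_443 begins modifying while the validation records are still being created). The resource names aws_lb.service and aws_lb_target_group.service, and the ssl_policy value, are assumptions.

```hcl
# Added example, not the poster's code. The listener depends on the validation
# resource, so Terraform only attaches a certificate that ACM has issued.
resource "aws_acm_certificate" "ecs_cert" {
  domain_name       = "${var.component}.${data.aws_route53_zone.root.name}"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# One CNAME validation record per domain on the certificate.
resource "aws_route53_record" "ecs_cert_validation_records" {
  for_each = {
    for dvo in aws_acm_certificate.ecs_cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = data.aws_route53_zone.root.zone_id
  allow_overwrite = true
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
}

# Completes only once ACM reports the certificate as ISSUED.
resource "aws_acm_certificate_validation" "ecs_cert_validation" {
  certificate_arn         = aws_acm_certificate.ecs_cert.arn
  validation_record_fqdns = [for r in aws_route53_record.ecs_cert_validation_records : r.fqdn]
}

# HTTPS listener: certificate_arn comes from the validation resource. It is the
# same ARN value, but the reference makes the listener wait for validation.
resource "aws_lb_listener" "listener_443" {
  load_balancer_arn = aws_lb.service.arn # assumed ALB resource name
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2+ only
  certificate_arn   = aws_acm_certificate_validation.ecs_cert_validation.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.service.arn # assumed target group
  }
}
```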