
Domain is using validation method EMAIL, not DNS #41

Open
RikudouSage opened this issue Jun 28, 2023 · 10 comments

Comments

@RikudouSage

Today this error popped up on code that has been running without a problem for many months: Received response status [FAILED] from custom resource. Message returned: domain is using validation method EMAIL, not DNS.

This is the relevant part of the template:

    Certificate:
      Type: Custom::Certificate
      Properties:
        DomainName: ${self:custom.domain}
        SubjectAlternativeNames:
          Fn::If:
            - HasProductionAlias
            - - ${self:custom.ProductionDomainAlias}
            - !Ref AWS::NoValue
        ValidationMethod: DNS
        Region: us-east-1
        ServiceToken: ${self:custom.serviceToken}
    CertificateBlocker:
      Type: Custom::IssuedCertificate
      DependsOn:
        - DnsRecordsCertificateValidation
      Properties:
        CertificateArn: !Ref Certificate
        ServiceToken: ${self:custom.serviceToken}
    CertificateDnsRecord:
      Type: Custom::CertificateDNSRecord
      Properties:
        CertificateArn: !Ref Certificate
        DomainName: ${self:custom.domain}
        ServiceToken: ${self:custom.serviceToken}
    DnsRecordsCertificateValidation:
      Type: AWS::Route53::RecordSetGroup
      Properties:
        HostedZoneId: ${self:custom.hostedZone}
        RecordSets:
          - Name: !GetAtt CertificateDnsRecord.Name
            Type: !GetAtt CertificateDnsRecord.Type
            TTL: 60
            Weight: 1
            SetIdentifier: !Ref Certificate
            ResourceRecords:
              - !GetAtt CertificateDnsRecord.Value
@leonardonunespuc

I'm also having the same issue. I've been using it for the last 3 years without any problem. This started happening for me yesterday (2023-06-29).

@RikudouSage
Author

@leonardonunespuc Depending on your use-case, my replacement might work for you: https://github.com/RikudouSage/AwsAcmCloudFormationCustomResources

Though I only reimplemented the parts that are useful to my workflow, so it might not be an exact fit for you. Also note that changing the service token is impossible; your service would have to be redeployed.

@leonardonunespuc

@RikudouSage thanks for sending your repo, I'll have a look and see if it will fit my case.
Have you identified the reason it stopped working?

In my case I don't need to create certificates in regions different from my resource, so I will also look at using AWS::CertificateManager::Certificate (https://aws.amazon.com/blogs/security/how-to-use-aws-certificate-manager-with-aws-cloudformation/).

@RikudouSage
Author

@leonardonunespuc I haven't, sadly. I've looked through the code, but Python is really unreadable for me. If you don't need cross-region support, the official way works well.

@leonardonunespuc

@RikudouSage just letting you know I found a workaround that worked for me.
I had to make a small change to the lambda code.

I was debugging the code and noticed that right after creating the certificate, if you call acm.describe_certificate it returns ValidationMethod: EMAIL, but in AWS it was created correctly as DNS. If I waited just a bit and called acm.describe_certificate again, it returned the correct value.

So for the workaround I added a time.sleep(10) before calling acm.describe_certificate in the certificate property in the certificate_dns_record_provider.py file, and that fixed it for me.

# Module-level imports this method relies on (certificate_dns_record_provider.py)
import time

import boto3
from botocore.exceptions import ClientError

@property
def certificate(self):
    result = None
    # The fourth component of the ARN is the region the certificate lives in
    region = self.certificate_arn.split(":")[3]
    # Workaround: ACM briefly reports ValidationMethod EMAIL right after the
    # request is created, so wait before describing the certificate
    time.sleep(10)
    acm = boto3.client("acm", region_name=region)
    try:
        response = acm.describe_certificate(CertificateArn=self.certificate_arn)
        result = Certificate(response["Certificate"])
        if result.status not in ["PENDING_VALIDATION", "ISSUED"]:
            # Two placeholders, so pass both the ARN and the status
            raise PreConditionFailed(
                "certificate {} is state {}, expected pending validation or issued".format(
                    self.certificate_arn, result.status
                )
            )
    except ClientError as e:
        raise PreConditionFailed("{}".format(e))
    return result

@RikudouSage
Author

@leonardonunespuc Nice! Though I've already switched to my version, as I decided it would be easier to maintain myself given that this project no longer seems to be maintained and it's a critical part of our workflow.

@mvanholsteijn
Member

mvanholsteijn commented Jul 1, 2023 via email

@dmarinuswoodwing
Contributor

I've done some testing and I think I know what's going on.

Right after the certificate has been requested, a DescribeCertificate call is made; for the first ~3 seconds this returns ValidationMethod EMAIL and then properly gives ValidationMethod DNS.

This doesn't seem right; I'm going to create a support ticket at AWS.

@dmarinuswoodwing
Contributor

AWS acknowledged this issue and they are working on rolling out a fix.

No ETAs of course 😞

@dmarinuswoodwing
Contributor

AWS seems to have rolled out the fix. Now the DomainValidationOptions field is completely missing for the first 3 seconds. I guess #42 will work in that situation as well, although it might be better now to poll until the field shows up.
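As an added example (not code from the project or from any commenter in this thread), here is what polling until the field shows up, rather than a fixed sleep, can look like. It tolerates both transient states reported above, a missing DomainValidationOptions and a stale EMAIL method, and fails loudly instead of returning a wrong record when the state never settles. The function and class names, the retry budget and the FakeAcm response sequence are assumptions constructed for illustration.

```python
import time


class ValidationNotReady(Exception):
    """Raised when ACM does not settle on DNS validation within the retry budget."""


def wait_for_dns_validation(acm, certificate_arn, attempts=10, delay=1.0, sleep=time.sleep):
    """Poll DescribeCertificate until DomainValidationOptions is present and every entry
    reports ValidationMethod DNS with a ResourceRecord; return [(Name, Type, Value), ...].
    `acm` is anything with a boto3-compatible describe_certificate(); `sleep` is injectable."""
    for attempt in range(attempts):
        cert = acm.describe_certificate(CertificateArn=certificate_arn)["Certificate"]
        options = cert.get("DomainValidationOptions") or []
        # Both transient states seen in this issue count as "not ready yet":
        # the field missing entirely, or a stale EMAIL method before DNS shows up.
        if options and all(o.get("ValidationMethod") == "DNS" and "ResourceRecord" in o
                           for o in options):
            return [(o["ResourceRecord"]["Name"], o["ResourceRecord"]["Type"],
                     o["ResourceRecord"]["Value"]) for o in options]
        if attempt < attempts - 1:
            sleep(delay)
    raise ValidationNotReady("certificate {} did not report DNS validation after {} attempts"
                             .format(certificate_arn, attempts))


class FakeAcm:
    """Constructed stand-in reproducing the sequence reported in this issue: no
    DomainValidationOptions on the first call, EMAIL on the second, DNS from the third on."""

    def __init__(self):
        record = {"Name": "_abc.example.com.", "Type": "CNAME",
                  "Value": "_xyz.acm-validations.aws."}  # constructed sample values
        email = {"DomainName": "example.com", "ValidationMethod": "EMAIL"}
        dns = {"DomainName": "example.com", "ValidationMethod": "DNS", "ResourceRecord": record}
        self.responses = [{}, {"DomainValidationOptions": [email]}, {"DomainValidationOptions": [dns]}]
        self.calls = 0

    def describe_certificate(self, CertificateArn):
        self.calls += 1
        # Once settled the real API keeps returning the final state; mimic that
        cert = dict(self.responses[min(self.calls, len(self.responses)) - 1])
        cert.update(CertificateArn=CertificateArn, Status="PENDING_VALIDATION")
        return {"Certificate": cert}
```

Against a real account, pass `boto3.client("acm", region_name=region)` as `acm` and keep the default `sleep`; the fake client exists only so the retry path can be exercised offline.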
