
(@aws-cdk/aws-certificatemanager): certificate SANs not filtered for validated #15574

Closed
chris-bannister-privitar opened this issue Jul 15, 2021 · 2 comments
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort p2

Comments

@chris-bannister-privitar

function getUniqueDnsDomainNames(domainNames: string[]) {
does not correctly filter wildcard domains for unresolved token domains. Consider the following certificate request:

        final Certificate certificate = Builder.create(scope, "public-domain-cert")
                .domainName("acme.com")
                .subjectAlternativeNames(Arrays.asList("*.acme.com", "*.test.acme.com"))
                .validation(CertificateValidation.fromDns(zone))
                .build();

When the domain name is known then this generates the correct certificate request with *.acme.com filtered out of the certificate props.

When the domain name contains a part which is not fully resolved via HostedZone.fromHostedZoneAttributes, the SANs will not be filtered correctly, leading CloudFormation to apply an invalid RecordSet, which causes the deploy to fail.

        final Certificate certificate = Builder.create(scope, "public-domain-cert")
                .domainName(zone.getZoneName())
                .subjectAlternativeNames(Arrays.asList("*." + zone.getZoneName(), "*.test." + zone.getZoneName()))
                .validation(CertificateValidation.fromDns(zone))
                .build();

This can be fixed by manually filtering the validation props via:

        final Certificate certificate = Builder.create(scope, "public-domain-cert")
                .domainName(zone.getZoneName())
                .subjectAlternativeNames(Arrays.asList("*." + zone.getZoneName(), "*.test." + zone.getZoneName()))
                .validation(CertificateValidation.fromDns(zone))
                .build();

        final CfnCertificate cfnCertificate = (CfnCertificate) certificate.getNode().getDefaultChild();
        List<Object> props = new ArrayList<>();
        props.add(DomainValidationOptionProperty.builder().domainName(cfnCertificate.getDomainName()).hostedZoneId(zone.getHostedZoneId()).build());
        for (String san : cfnCertificate.getSubjectAlternativeNames()) {
            if (!san.startsWith("*." + cfnCertificate.getDomainName())) {
                props.add(DomainValidationOptionProperty.builder().domainName(san).hostedZoneId(zone.getHostedZoneId()).build());
            }
        }
        cfnCertificate.setDomainValidationOptions(props);

Reproduction Steps

Create a certificate for a domain in a zone which is imported into the stack with wildcard SAN validation.

        // Import the zone by attributes; its name is an unresolved token at synth time
        final IHostedZone zone = HostedZone.fromHostedZoneAttributes(scope, "hosted-zone",
                HostedZoneAttributes.builder().zoneName(zoneName).hostedZoneId(zoneId).build());

        final Certificate certificate = Builder.create(scope, "public-domain-cert")
                .domainName(zone.getZoneName())
                .subjectAlternativeNames(Arrays.asList("*." + zone.getZoneName(), "*.test." + zone.getZoneName()))
                .validation(CertificateValidation.fromDns(zone))
                .build();

What did you expect to happen?

CDK deploy works

What actually happened?

Deploy fails:

15/25 |17:19:39 | CREATE_FAILED | AWS::CertificateManager::Certificate | XXXX (YYYYY) [The request contains an invalid set of changes for a resource record set 'CNAME .'] (Service: AmazonRoute53; Status Code: 400; Error Code: InvalidChangeBatch; Request ID: XXXXX; Proxy: null)

Environment

  • CDK CLI Version: 1.109.0 (build c647e38)
  • Framework Version: 1.109.0 (build c647e38)
  • Node.js Version: 14.16.1
  • OS: macOS 11.4
  • Language (Version): all

Other

related to #9248


This is 🐛 Bug Report
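The filtering the report asks for, written out as an added example (not CDK's own getUniqueDnsDomainNames and not the reporter's Java workaround): it compares each SAN to the apex domain as a plain string, so it gives the same answer whether the zone name is a literal or an unresolved token, and it generalises the workaround to wildcards whose base is any other listed name. It assumes a CDK token encodes to a stable placeholder string such as "${Token[TOKEN.42]}" wherever it is referenced, and uses exact equality rather than the workaround's startsWith so that "*.acme.com.example" is not mistaken for a wildcard of "acme.com".

```javascript
// Added example, not code from the aws-cdk project.
// Assumption: an unresolved CDK token always renders as the same placeholder
// string (e.g. "${Token[TOKEN.42]}"), so string comparison stays consistent.

// "*.acme.com" -> "acme.com"; returns null for non-wildcard names.
function wildcardBase(name) {
  return name.startsWith('*.') ? name.slice(2) : null;
}

// Returns the names that need their own DNS validation record, in order and
// without duplicates. A wildcard whose base domain is also in the request is
// dropped, since ACM validates "*.acme.com" with the same CNAME as "acme.com";
// emitting a second validation record for it is what produces the invalid
// Route53 change batch described in the issue.
function uniqueDnsDomainNames(domainName, subjectAlternativeNames) {
  const all = [domainName, ...subjectAlternativeNames];
  const seen = new Set();
  const out = [];
  for (const name of all) {
    const base = wildcardBase(name);
    if (base !== null && all.includes(base)) continue; // covered by its base
    if (seen.has(name)) continue;                       // exact duplicate
    seen.add(name);
    out.push(name);
  }
  return out;
}

// Builds the DomainValidationOptions entries for a single hosted zone,
// mirroring the shape the workaround sets on the L1 CfnCertificate.
function validationOptions(domainName, subjectAlternativeNames, hostedZoneId) {
  return uniqueDnsDomainNames(domainName, subjectAlternativeNames)
    .map(d => ({ domainName: d, hostedZoneId }));
}

// Constructed sample: an imported zone whose name is still a token.
const TOKEN_ZONE = '${Token[TOKEN.42]}';
const SAMPLE_OPTIONS = validationOptions(
  TOKEN_ZONE, ['*.' + TOKEN_ZONE, '*.test.' + TOKEN_ZONE], 'Z0EXAMPLEHOSTEDZONE');
```

For the constructed sample, SAMPLE_OPTIONS contains two entries (the apex token and "*.test." + token); the "*." + token SAN is dropped because its base is the apex.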

@madeline-k
Contributor

@chris-bannister-privitar, thank you for opening this issue and providing a workaround. Since there is a workaround, I am triaging this as a p2 which means that the CDK team will not be able to prioritize fixing this right now.

We always welcome contributions! If you want to try fixing this yourself, please take a look at the contributing guide.

@madeline-k madeline-k added effort/medium Medium work item – several days of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jul 16, 2021
@njlynch njlynch removed their assignment Jul 23, 2021
@github-actions

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jul 23, 2022