4

When I try to set up a domain through serverless-domain-manager with sls create_domain, it fails with:

BadRequestException: The domain name you provided is already associated with an existing CloudFront distribution. Remove the domain name from the existing CloudFront distribution or use a different domain name. If you own this domain name and are not using it on an existing CloudFront distribution, please contact support. api.example.com was not created.

I tracked down the line where the library fails.

Note that my account does not have anything in CloudFront. This is what I see when I open it:

[screenshot]

It's also interesting that in Certificate Manager, it says that the certificate is in use: [screenshot]

Under Associated Resources I can see an entry for cloudfront: arn:aws:cloudfront:: ...

Daniel Birowsky Popeski

4 Answers

16

Thanks to Matt's guidance I found what caused the phantom CloudFront distros. Within the AWS console, go to:

Amazon API Gateway > Custom Domain Names

Delete all the conflicting domains there and redo the deployment steps again.

Daniel Birowsky Popeski
4

When you create an API Gateway, it will create an underlying CloudFront distribution on your behalf. You may not see it in your AWS account, but it's there.

Also, domains used for CloudFront distributions must be globally unique, which means that if someone else already has a CloudFront distribution for api.example.com, then you cannot use it as well.

So, you already said that you do not have an existing CloudFront distribution visible in your AWS account.

If you already have an API Gateway for api.example.com, then you cannot create a second one. If this is the case, you need to use a different domain, or delete the original one.

If you don't have an API Gateway for that domain, then someone else probably already has one. If this is the case, then you'll need to use a different domain.

Matt Houser
  • The CloudFront distro doesn't show up even in the aws cli. I don't see a way that anybody else would have CloudFront distribution for the domain. I don't have any api gateway. I don't see how any would have an api gateway for that domain. The domain is registered in Route53. I'm the first owner. – Daniel Birowsky Popeski Oct 04 '17 at 19:11
  • If the CloudFront distro was created by API Gateway, you will never see it via UI or by CLI. If AWS says it already exists, then it already exists somewhere. Route 53 means nothing in this issue. You should contact AWS support to determine where it exists and how to resolve it. – Matt Houser Oct 04 '17 at 19:26
  • "If the CloudFront distro was created by API Gateway, you will never see it via UI or by CLI." Could you provide some reference about this? I want to understand why is that the case. Otherwise, I have already [reached out to them](https://forums.aws.amazon.com/thread.jspa?threadID=264740) – Daniel Birowsky Popeski Oct 04 '17 at 19:27
  • From https://forums.aws.amazon.com/thread.jspa?threadID=195290 , "API Gateway integrates with CloudFront behind the scenes. We automatically create a global CloudFront distribution for your APIs in order to reduce the latency perceived by end users." – Matt Houser Oct 04 '17 at 19:38
  • Could be related: https://serverfault.com/questions/851446/aws-api-gateway-custom-domain-the-domain-you-provided-is-already-associated-wit – Matt Houser Oct 04 '17 at 19:43
  • Also related: https://stackoverflow.com/questions/46567910/aws-cloudfront-distribution-does-not-show-api-gateway-distribution – Matt Houser Oct 04 '17 at 19:45
  • @Birowsky you may need to provide the actual domain name you're trying to create in your AWS forum post. Otherwise, you'll probably get a similar "generic" answer as I have provided. What you want to know is the actual reason your domain is being used, so you may need to mention the actual domain. – Matt Houser Oct 04 '17 at 20:27
3

Here's how I've encountered and solved this problem:

  1. Created a serverless app and ran sls create_domain
  2. Too late did I notice that my region was the wrong one in serverless.yml
  3. Manually deleted the CloudFormation stack from AWS, plus the Route53 records.
  4. Changed the region, tried to create_domain again, got the error - although I've deleted everything
  5. Ran sls delete_domain - this threw an error as well, but apparently cleaned up some "hidden" AWS stuff
  6. Ran sls create_domain again. Voila, worked.
Georgian
0

The "phantom" CloudFront distro isn't visible because it's in an account owned by AWS itself and used for deploying distros used by Edge-optimized instances of API Gateway.

As @Daniel mentioned in his answer above, delete any custom domain names associated with the certificate in the console, but if they aren't visible (if they were already deleted, for example), try deleting them using the AWS CLI, since it appears to do a better job of fully cleaning up the links to those AWS CloudFront distros:

aws apigateway delete-domain-name --region "<INSERT REGION>" --domain-name "<INSERT DOMAIN NAME>"

As @CGreg encountered with the sls_delete_domain command, you may encounter errors. I was trying to delete an old certificate in ACM that was associated with one of these distros via a custom domain name which I'd already deleted. I ran the above command twice per custom domain name (in any region I thought I might have originally deployed to). The first time I got a "domain name not found" error and the second time I got an "operation timed out: max retries" error, but the association to the CloudFront distribution was removed and I was able to delete the old cert.

Not sure if just once would do it, but since I got different error responses something different must have been happening under the hood, so no harm trying it!

codeBRAVO
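
The answers above come down to one check: find which region still holds an API Gateway custom domain name for the host, see what ACM lists against the certificate, then delete the leftover entry. The script below is an added example, not code from the original posts or from serverless-domain-manager. The function names and the APPLY switch are hypothetical; the `aws` subcommands and flags are the standard AWS CLI ones, and api.example.com is the question's placeholder.

```shell
#!/bin/sh
# Added example (not from the original answers). Requires the AWS CLI with
# credentials that may call apigateway, acm and ec2:DescribeRegions.

# Print each region in which API Gateway holds a custom domain name equal to $1.
# Regions to check are $2..., or every region enabled for the account.
find_custom_domain() (
  domain=$1; shift
  if [ "$#" -eq 0 ]; then
    set -- $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)
  fi
  for region in "$@"; do
    if aws apigateway get-domain-names --region "$region" \
         --query 'items[].domainName' --output text 2>/dev/null |
       tr '\t' '\n' | grep -Fxq -- "$domain"; then
      echo "$region"
    fi
  done
)

# List what ACM shows under "Associated resources" for certificate ARN $1.
# Region $2 defaults to us-east-1, where edge-optimized certificates live.
cert_in_use_by() (
  aws acm describe-certificate --region "${2:-us-east-1}" \
      --certificate-arn "$1" --query 'Certificate.InUseBy' --output text |
    tr '\t' '\n'
)

# Delete custom domain name $1 in regions $2.... Dry run unless APPLY=1.
# A failed delete is reported and the loop continues, since the answers above
# saw "not found" and timeout errors from deletes that still took effect.
delete_custom_domain() (
  domain=$1; shift
  for region in "$@"; do
    if [ "${APPLY:-0}" = 1 ]; then
      aws apigateway delete-domain-name --region "$region" \
          --domain-name "$domain" ||
        echo "delete in $region failed; re-run find_custom_domain" >&2
    else
      echo "aws apigateway delete-domain-name --region $region --domain-name $domain"
    fi
  done
)

# Usage:
#   regions=$(find_custom_domain api.example.com)
#   delete_custom_domain api.example.com $regions            # prints commands
#   APPLY=1 delete_custom_domain api.example.com $regions    # runs them
```

After a delete, running `cert_in_use_by` again shows whether the CloudFront ARN has dropped off the certificate, which is the condition the last answer needed before ACM would let the old certificate go.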