2

I received an email from AWS:

To renew this certificate, you must ensure that the proper CNAME records are present in your DNS configuration for each domain listed below

So I went to https://ap-northeast-2.console.aws.amazon.com/acm/, grabbed the CNAME, and tried to create a CNAME record in Route 53.

It fails with the message:

[RRSet of type CNAME with DNS name example.kr. is not permitted at apex in zone example.kr.]

I have an A record for example.kr which I created by following the directions in https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

"RRSet of type CNAME with DNS name foo.com. is not permitted at apex in zone bar.com" says I'm getting the error message because I have an SOA record for the domain. I have no idea why I have this record, or whether I need it.

Can I simply delete the SOA record and proceed, or should I take different steps?

eugene

2 Answers

1

It seems to me that the error you're seeing is because you're setting a CNAME on your root record (referred to as Apex record). This should be an A record (or Alias record in Route 53 when possible).

For validating your certificate via CNAME you will be given both a CNAME record and a value.

The CNAME record should start with an underscore followed by a large hash, such as:

_a79865eb4cd1a6ab990a45779b4e0b96.yourdomain.com.

If using Route 53, you should only need to enter _a79865eb4cd1a6ab990a45779b4e0b96 as the domain name of type CNAME.

You would then have a value similar to _x2.acm-validations.aws.. This would need to be your value.

Chris Williams
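
The check described in the answer above, as an added example that is not part of the original posts: it takes one validation record in the Name/Type/Value shape ACM reports, refuses a name at the zone apex (the error from the question), and builds the change batch that Route 53's ChangeResourceRecordSets accepts. The function names and the record value are assumptions made for illustration; the hash label is the sample from the answer.

```python
"""Added example: turn an ACM DNS-validation record into a Route 53 change batch."""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def validation_change_batch(zone_name, resource_record, ttl=300):
    """Return (relative_label, change_batch) for one ACM validation record.

    resource_record has the Name/Type/Value shape that ACM's DescribeCertificate
    returns under DomainValidationOptions[].ResourceRecord.
    """
    zone = normalize(zone_name)
    name = normalize(resource_record["Name"])
    if resource_record["Type"] != "CNAME":
        raise ValueError("expected a CNAME validation record")
    if name == zone:
        # The mistake from the question: Route 53 rejects a CNAME at the apex.
        raise ValueError("record name is the zone apex; use the _<hash> name from ACM")
    if not name.endswith("." + zone):
        raise ValueError(f"{name} is not inside zone {zone}")
    label = name[: -(len(zone) + 1)]  # what the console's record name field takes
    if not label.startswith("_"):
        raise ValueError("ACM validation names start with an underscore")
    batch = {
        "Comment": "ACM DNS validation",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name + ".",
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": resource_record["Value"]}],
            },
        }],
    }
    return label, batch


# Constructed sample: hash label from the answer, placeholder value (assumption).
SAMPLE_RECORD = {
    "Name": "_a79865eb4cd1a6ab990a45779b4e0b96.example.kr.",
    "Type": "CNAME",
    "Value": "_placeholder-value.acm-validations.aws.",
}

if __name__ == "__main__":
    label, batch = validation_change_batch("example.kr.", SAMPLE_RECORD)
    print("Console record name field:", label)
    print(batch)
```

The returned batch can be passed as the `ChangeBatch` argument of boto3's `change_resource_record_sets` together with the hosted zone ID.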
0

You need to go to AWS Certificate Manager, select "List certificates", and select the certificate in need of renewal. Under Domains, click the button "Create records in Route 53". This takes you to a new page where you click "Create Records".

It typically takes DNS 30 minutes to propagate the record, and it might take several hours for Amazon to validate it and issue the certificate.

You can also check this blog post for more info.

Sanim16