ACM Certificate validation failure from Cloudformation template

Question

I'm deploying a AWS Cloudformation stack with a Beanstalk instances, Routes53 record and an ACM Certificate.

I would like to validate the certificate immediately during the stack deployement from a DNS Validation.

When I run and deploy the stack, all resources are correctly created except the ACM Certificate which is continuously in validation waiting. I haven't any error and I don't really understand why the certificate is not validated.

My cloudformation template seems like this :

AWSTemplateFormatVersion: "2010-09-09"
Description: Project beanstalk

Parameters:
  ApplicationName:
    Description: Name of your application
    Type: String
    Default: hello
    MinLength: 1
    MaxLength: 255
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"

  EnvironmentName:
    Description: Environment name, either dev or rec or main
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - rec
      - main
    ConstraintDescription: Specify either dev or rec or main

Resources:
  Application:
    Type: AWS::ElasticBeanstalk::Application
    Properties:
      ApplicationName: !Ref ApplicationName

  Environment:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      ApplicationName: !Ref Application
      EnvironmentName: !Sub "${ApplicationName}-${EnvironmentName}"
      TemplateName: !Ref ConfigurationTemplate # I disable this part to limit code lines
    DependsOn:
      - ConfigurationTemplate

  Route53APIRecordSet:
    Type: "AWS::Route53::RecordSet"
    Properties:
      Name: !Sub "${ApplicationName}-${EnvironmentName}.api.hello.com"
      Type: "A"
      HostedZoneId: !Ref HostedZoneIdFromMyDNS # This var is hard code in my template
      AliasTarget:
        DNSName: !GetAtt Environment.EndpointURL
        HostedZoneId: !Ref HostedZoneIdFromMyBeanstalk # ELB Zone ID for my region (it's also hardcoded)

  APIACMCertificate:
    Type: "AWS::CertificateManager::Certificate"
    Properties:
      DomainName: hello.com
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Sub "${ApplicationName}-${EnvironmentName}.api.hello.com"
          HostedZoneId: !Ref HostedZoneIdFromMyDNS

I don't understand why my ACM Certificate for my Routes53 records is not correctly validate. Do you have an idea ? My Routes53 records is correctly set because I can navigate to my beanstalk page but not under the certificate.

EDIT 08/08/2023 I run 2 nslookup commands (the commands are personnalized like the example above):

• nslookup hello.com The response is : Non-authoritative answer, Server unknown

• nslookup ${ApplicationName}-${EnvironmentName}.api.hello.com (parameters are changed of course). The server is also unknow but I haven't the non authoritative answer reponse.

Answer 1

Both DomainName: directives need to be the same value per the docs. AWS::CertificateManager::Certificate cloudfront docs

In order for a AWS::CertificateManager::Certificate to be provisioned and validated in CloudFormation automatically, the DomainName property needs to be identical to one of the DomainName property supplied in DomainValidationOptions, if the ValidationMethod is DNS.

Answer 2

When you create your ACM certificate via CloudFormation, it wants you to go to ACM and manually add CNAME records to the hosted zone (domain). After you press the button, it adds those records to your domain, and the CloudFormation stack will proceed. That's the manual approach, and for one time job, it's ok. But if you have to do that over and over again, then you are better off thinking about CloudFormation's custom resource, which will trigger the Lambda function with the required functionality. Take a look at this repo looks like there is what you are looking for