Posted: 2021-10-26 15:20:06
Question:
I am trying to create and validate an AWS certificate with Terraform, following the example in the Terraform documentation: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation#dns-validation-with-route-53
My Terraform file looks like this:
resource "aws_acm_certificate" "vpn_server" {
  domain_name       = "stuff.mine.com"
  validation_method = "DNS"
  tags = {
    Name        = "certificate"
    Scope       = "vpn_server"
    Environment = "vpn"
  }
}

resource "aws_acm_certificate_validation" "vpn_server" {
  certificate_arn         = aws_acm_certificate.vpn_server.arn
  validation_record_fqdns = [for record in aws_route53_record.my_dns_record_vpn_server : record.fqdn]
  timeouts {
    create = "2m"
  }
}

resource "aws_route53_zone" "my_dns" {
  name = "stuff.mine.com"
  tags = {
    name = "dns_zone"
  }
}

resource "aws_route53_record" "my_dns_record_vpn_server" {
  for_each = {
    for dvo in aws_acm_certificate.vpn_server.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }
  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = resource.aws_route53_zone.my_dns.zone_id
}
The problem is that when I run terraform apply, the validation always times out and fails with this error:
aws_acm_certificate.vpn_server: Creating...
aws_acm_certificate.vpn_server: Creation complete after 8s [id=arn:aws:acm:eu-west-2:320289993971:certificate/7e859491-141f-49d5-b50e-c44cf4e1db4e]
aws_route53_zone.my_dns: Creating...
aws_route53_zone.my_dns: Still creating... [10s elapsed]
aws_route53_zone.my_dns: Creation complete after 52s [id=Z09112516IIP4OEAIIQ7]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creating...
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [10s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [20s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [30s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [40s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [50s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creation complete after 58s [id=Z09112516IIP4OEAIIQ7__ebd2853fcbfc7cc8bd6582e65d940d54.stuff.mine.com._CNAME]
aws_acm_certificate_validation.vpn_server: Creating...
aws_acm_certificate_validation.vpn_server: Still creating... [10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m0s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [2m0s elapsed]
╷
│ Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
│
│ with aws_acm_certificate_validation.vpn_server,
│ on main.tf line 61, in resource "aws_acm_certificate_validation" "vpn_server":
│ 61: resource "aws_acm_certificate_validation" "vpn_server" {
│
╵
Can anyone tell me what is needed to complete the certificate validation?
Discussion:
- As mentioned in the answer below, you cannot create a Route53 zone without having bought a domain somewhere and already delegated it to Route53. You are creating records in a DNS zone that is not actually "connected to the Internet" yet, so validation will never work. Also, in my experience, even when it is set up correctly validation can take 30 minutes, so setting a 2-minute timeout will almost certainly fail.
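A pre-apply check for the failure mode the comment describes, written here as an added example (not code from the question or from the Terraform AWS provider): it compares the hosted zone's delegation set with the NS records the public Internet actually returns for the domain, then checks that the ACM validation CNAME is resolvable publicly. The zone id, domain and validation record name/value are assumed to be read from `terraform state show`; the `aws` CLI, `dig` and the resolver 1.1.1.1 are assumptions.

```shell
#!/usr/bin/env bash
# Added diagnostic, not part of the question: a zone that is not delegated can
# never be seen by ACM, so the certificate stays PENDING_VALIDATION forever.
# Assumes the `aws` CLI (Route 53 read access) and `dig` are installed.

# Normalise DNS names: one per line, lowercase, no trailing dot, sorted, unique.
normalize_names() {
  tr -s '[:space:]' '\n' | tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# Succeed only if the NS set published on the Internet ($2) equals the hosted
# zone's delegation set ($1). Both are whitespace-separated lists.
delegation_matches() {
  local expected observed
  expected=$(printf '%s' "$1" | normalize_names)
  observed=$(printf '%s' "$2" | normalize_names)
  [ -n "$expected" ] && [ "$expected" = "$observed" ]
}

# Succeed only if the CNAME answer seen publicly ($2) equals the value ACM
# expects ($1, resource_record_value from domain_validation_options).
validation_record_matches() {
  local want got
  want=$(printf '%s' "$1" | normalize_names)
  got=$(printf '%s' "$2" | normalize_names)
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Live check: hosted zone id, apex domain, validation record name and value.
# A public resolver (1.1.1.1) is queried on purpose to bypass split-horizon DNS.
check_acm_dns_validation() {
  local zone_id=$1 domain=$2 rr_name=$3 rr_value=$4
  local zone_ns public_ns public_cname
  zone_ns=$(aws route53 get-hosted-zone --id "$zone_id" \
              --query 'DelegationSet.NameServers' --output text)
  public_ns=$(dig +short NS "$domain" @1.1.1.1)
  if ! delegation_matches "$zone_ns" "$public_ns"; then
    echo "FAIL: public NS for $domain do not point at zone $zone_id;" \
         "ACM cannot see records in this zone, so validation stays PENDING"
    return 1
  fi
  public_cname=$(dig +short CNAME "$rr_name" @1.1.1.1)
  if ! validation_record_matches "$rr_value" "$public_cname"; then
    echo "FAIL: $rr_name is not visible publicly yet (propagation, or wrong zone)"
    return 1
  fi
  echo "OK: delegation and validation CNAME are correct; issuance may still take 30+ min"
}
```

Run it as `check_acm_dns_validation Z09112516IIP4OEAIIQ7 stuff.mine.com "<resource_record_name>" "<resource_record_value>"` with the values from the certificate's state; only once both checks pass is raising the `create` timeout worth trying.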
Tags: amazon-web-services terraform terraform-provider-aws