【发布时间】:2021-12-19 21:29:38
【问题描述】:
在开始之前,让我说,我仔细阅读了附录中的所有堆栈溢出帖子和资源,但找不到解决问题的方法。
我正在尝试通过Route53 和AWS Certificate Manager 创建、验证和连接子域。子域是challenge.sre.mycompany.com。
terraform 计划如下所示:
# module.project_challenge.module.challenge-certificate.aws_acm_certificate.cert will be created
+ resource "aws_acm_certificate" "cert" {
+ arn = (known after apply)
+ domain_name = "challenge.sre.mycompany.com"
+ domain_validation_options = [
+ {
+ domain_name = "challenge.sre.mycompany.com"
+ resource_record_name = (known after apply)
+ resource_record_type = (known after apply)
+ resource_record_value = (known after apply)
},
]
+ id = (known after apply)
+ status = (known after apply)
+ subject_alternative_names = (known after apply)
+ tags_all = (known after apply)
+ validation_emails = (known after apply)
+ validation_method = "DNS"
}
# module.project_challenge.module.challenge-certificate.aws_acm_certificate_validation.cert will be created
+ resource "aws_acm_certificate_validation" "cert" {
+ certificate_arn = (known after apply)
+ id = (known after apply)
+ validation_record_fqdns = (known after apply)
}
# module.project_challenge.module.challenge-certificate.aws_route53_record.cert["challenge.sre.mycompany.com"] will be created
+ resource "aws_route53_record" "cert" {
+ allow_overwrite = true
+ fqdn = (known after apply)
+ id = (known after apply)
+ name = (known after apply)
+ records = (known after apply)
+ ttl = 60
+ type = (known after apply)
+ zone_id = (known after apply)
}
# module.project_challenge.module.vpc.aws_route53_zone.public will be created
+ resource "aws_route53_zone" "public" {
+ arn = (known after apply)
+ comment = "Managed by Terraform"
+ force_destroy = false
+ id = (known after apply)
+ name = "sre.mycompany.com"
+ name_servers = (known after apply)
+ tags_all = (known after apply)
+ zone_id = (known after apply)
}
如您所见,它创建了一个公共托管区域、一个 acm 证书甚至是验证记录。这里的问题是证书在“等待验证”上停留了大约 48 小时。
一些细节:
- 该域是通过我们的生产帐户注册的,为此我正在使用我们的开发帐户。
- 两个账户都在同一个 AWS 组织中(如果这很重要)
- Terraform 使用以下属性创建了一个公共托管区域
sre.mycompany.com:
sre.mycompany.com NS Records:
ns-001.awsdns-01.com.
ns-002.awsdns-02.net.
ns-003.awsdns-03.co.uk.
ns-004.awsdns-04.org.
sre.mycompany.com SOA Simple Record:
ns-001.awsdns-01.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
CNAME Simple Record
_g938534f3gfe03832h34.challenge.sre.mycompany.com _89432htieh4934hw043f.tkfpekghn.acm-validations.aws.
显然真实值被混淆了*
当我 dig sre.mycompany.com 或 dig challenge.sre.mycompany.com 我得到:
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16577
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
当我只挖掘mycompany.com 时,我得到:
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61857
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mycompany.com. IN A
;; ANSWER SECTION:
mycompany.com. 300 IN A <some-ip-hidden>
;; AUTHORITY SECTION:
mycompany.com. 169554 IN NS ns-555.awsdns-55.com.
mycompany.com. 169554 IN NS ns-666.awsdns-66.net.
mycompany.com. 169554 IN NS ns-777.awsdns-77.org.
mycompany.com. 169554 IN NS ns-888.awsdns-88.co.uk.
请注意,这里的名称服务器与我在 terraform 创建的托管区域的控制台中看到的不同(滚动到 ns-001.awsdns-01.com. 等上方)
我似乎无法从我的终端获取 CNAME 记录。
另一方面,在 AWS 中,一切似乎都运行良好。当我去:
Route 53> Hosted zones > Test Record我确实得到了 CNAME 记录的值:
Route 53 返回的响应 Route 53 的响应基于以下选项。
托管区域: sre.mycompany.com 记录名称: _g938534f3gfe03832h34.challenge。
记录类型: CNAME DNS 响应代码: 无错误 协议: UDP Route 53 返回的响应: _89432htieh4934hw043f.tkfpekghn.acm-validations.aws。
最后如果我,响应是:
;; Received 888 bytes from <some-ip-hidden>#53(ns-666.awsdns-66.net) in 3 ms
mycompany.com. 169201 IN NS ns-666.awsdns-66.net.
mycompany.com. 169201 IN NS ns-777.awsdns-77.org.
mycompany.com. 169201 IN NS ns-888.awsdns-88.co.uk.
mycompany.com. 169201 IN NS ns-555.awsdns-55.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 888 bytes from <some-ip-hidden>#53(ns-888.awsdns-88.co.uk) in 4 ms
mycompany.com. 169201 IN NS ns-777.awsdns-77.org.
mycompany.com. 169201 IN NS ns-666.awsdns-66.net.
mycompany.com. 169201 IN NS ns-888.awsdns-88.co.uk.
mycompany.com. 169201 IN NS ns-555.awsdns-55.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 888 bytes from <some-ip-hidden>#53(ns-555.awsdns-55.com) in 4 ms
mycompany.com. 169201 IN NS ns-666.awsdns-66.net.
mycompany.com. 169201 IN NS ns-777.awsdns-77.org.
mycompany.com. 169201 IN NS ns-555.awsdns-55.com.
mycompany.com. 169201 IN NS ns-888.awsdns-88.co.uk.
;; BAD (HORIZONTAL) REFERRAL
;; Received 888 bytes from <some-ip-hidden>#53(ns-888.awsdns-88.co.uk) in 4 ms
mycompany.com. 169201 IN NS ns-777.awsdns-77.org.
mycompany.com. 169201 IN NS ns-666.awsdns-66.net.
mycompany.com. 169201 IN NS ns-888.awsdns-88.co.uk.
mycompany.com. 169201 IN NS ns-555.awsdns-55.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 888 bytes from <some-ip-hidden>#53(ns-777.awsdns-77.org) in 5 ms
mycompany.com. 169201 IN NS ns-777.awsdns-77.org.
mycompany.com. 169201 IN NS ns-888.awsdns-88.co.uk.
mycompany.com. 169201 IN NS ns-555.awsdns-55.com.
mycompany.com. 169201 IN NS ns-666.awsdns-66.net.
;; BAD (HORIZONTAL) REFERRAL
要点:
- 我无法通过终端的任何命令获取 CNAME
- 证书未验证
附录
- Certificate in Pending state in AWS Certificate Manager
- Certificate with DNS Validation is stuck in Pending Validation
- AWS ACM certificate state is pending validation and not changing to issues
- My domain is pending validation in AWS Certificate Manager
- AWS ACM Stuck in Pending Validation Unless NS Changed in Domain
- Resolve ACM certificate still pending
【问题讨论】:
-
这个答案对你有帮助吗? stackoverflow.com/questions/57644466/…
-
感谢@BenWhaley,但我似乎无法在那里找到解决方案。
-
你可以让它在 AWS 控制台中手动工作吗?也就是说,问题只出在TF代码上,顺便没有展示出来。
-
@Marcin 我只是非常详细地重写了这个问题,不,我不能让它在 AWS 控制台中工作。
-
@Dimitris 将托管区域与您的实际域连接起来(我猜它在不同的提供商中),您需要获取托管区域 mycompany.com 的名称服务器并将它们放到您的第 3 方提供商。我猜你做对了吗?
标签: amazon-web-services terraform amazon-route53 terraform-provider-aws amazon-certificate-manager