AWS certificate renewal failed, problem trying to update CNAME records

2
votes

I received an email from AWS:

To renew this certificate, you must ensure that the proper CNAME records are present in your DNS configuration for each domain listed below

So I went to https://ap-northeast-2.console.aws.amazon.com/acm/ and grabbed the CNAME and tried to create a CNAME record in route-53

It fails with message

[RRSet of type CNAME with DNS name example.kr. is not permitted at apex in zone example.kr.]

I have a A record for example.kr which I created by following directions in https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

RRSet of type CNAME with DNS name foo.com. is not permitted at apex in zone bar.com says I'm getting the error message because I have SOA record for the domain, I have no idea why I have this record, and if I need it or not.

Can I simply delete SOA record and proceed or should I take different steps?

1
amazon-web-servicesamazon-route53amazon-elb
Hi, so what is your hosted zone in the case above? zone.bar.com or bar.com?Chris Williams
bar.com it is @mokugo-devopseugene
Hi, could you possibly try to update your DNS names in the question to match. There seems to be 3 domains, example.kr, foo.com and zone.bar.com. If they're meant to be all part of the same domain please update it so that it is visible.Chris Williams
it's all same domain. example.kr (bar.com is in the title of another SO question)eugene

1 Answers

1
votes

It seems to me that the error you're seeing is because you're setting a CNAME on your root record (referred to as Apex record). This should be an A record (or Alias record in Route 53 when possible).

For validating your certificate via CNAME you will be given both a CNAME record and a value.

The CNAME record should start with an underscore followed by a large hash such as

_a79865eb4cd1a6ab990a45779b4e0b96.yourdomain.com.

If using Route 53 you should only need to enter _a79865eb4cd1a6ab990a45779b4e0b96 as the domain name of type CNAME

You would then have a value similar to _x2.acm-validations.aws.. This would need to be your value.