
I have the terraform definition:

resource "aws_api_gateway_domain_name" "apigatewatDomainName" {
  domain_name     = "servername.companyname.com"
  certificate_arn = "arn:aws:acm:us-east-1:12345566:certificate/dddddd-3333-4444-5555-0123456789a"
}

When I apply the terraform I am getting the error:

Error: Error creating API Gateway Domain Name: BadRequestException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add.

When I run the command

aws acm describe-certificate --certificate-arn <certificate-arn>

I get the following in the description:

"DomainValidationOptions": [
        {
            "ValidationStatus": "SUCCESS",
            "ResourceRecord": {
                "Type": "CNAME",
                "Name": "_88f0a9b77497411fd26c281d7d61fbd9.servername.companyname.com",
                "Value": "_4cee246cb2515f9a0c1f101edaee900e.hkvuiqjoua.acm-validations.aws."
            },
            "ValidationDomain": "*.servername.companyname.com",
            "ValidationMethod": "DNS",
            "DomainName": "*.servername.companyname.com"
        }
    ], 

Also, in this description I see

"SubjectAlternativeNames": [
        "*.servername.companyname.com"
    ], 

So, I assume that I can create a domain like “aaa.servername.companyname.com”, so I specified resource

resource "aws_api_gateway_domain_name" "aaa.servername.companyname.com" {

But Terraform does not allow dots in a resource name; I see the error

“A name must start with a letter or underscore and may contain only letters, digits, underscores, and dashes.”

1 Answer

It seems that your domain servername.companyname.com is not covered by an ACM certificate issued for *.servername.companyname.com.

About wildcard names from docs:

When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com and test.example.com, but it cannot protect test.login.example.com. Also note that *.example.com protects only the subdomains of example.com, it does not protect the bare or apex domain (example.com).

Also from the same docs:

However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects example.com and *.example.com


2 Comments

I think that the certificate covers *.servername.companyname.com. The problem is that I cannot specify aa.servername.companyname.com in the Terraform name.
@Alex For aws_api_gateway_domain_name you use servername.companyname.com domain. Which, according to docs, is not covered by *.servername.companyname.com, explaining your error message: "certificate that is attached to your distribution doesn't cover".
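The exchange above comes down to one question: does the name in `domain_name` fall under any name on the certificate, given the ACM wildcard rules the answer quotes (one label only, leftmost position, apex not included)? The following is an added pre-flight check, not code from the question or the answer: it implements those rules and runs them over the output of `aws acm describe-certificate` before `terraform apply` is attempted. The embedded `describe-certificate` JSON is a constructed, trimmed sample that mirrors the fields shown in the question (fake ARN, no validation records); the resource label itself plays no part, because Terraform labels are identifiers, and the hostname lives only in the `domain_name` attribute.

```python
"""check_cert_coverage.py: does an ACM certificate cover a hostname?

Usage:
    python check_cert_coverage.py servername.companyname.com [describe-output.json]

Without a JSON file the constructed sample below is used. With one, pass the
file produced by:
    aws acm describe-certificate --certificate-arn <arn> > describe-output.json
"""
import json
import sys

# Constructed sample (not real output): the fields of `aws acm describe-certificate`
# that matter for coverage, shaped like the certificate in the question.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/"
                          "00000000-0000-0000-0000-000000000000",
        "DomainName": "*.servername.companyname.com",
        "SubjectAlternativeNames": ["*.servername.companyname.com"],
        "Status": "ISSUED",
    }
})


def name_covers(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (plain or wildcard) covers hostname.

    ACM wildcard rules: the asterisk is valid only as the leftmost label, it
    matches exactly one label, and it does not match the bare/apex domain.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[2:]                    # e.g. servername.companyname.com
        if not hostname.endswith("." + suffix):
            return False                          # apex or unrelated name
        prefix = hostname[: -len(suffix) - 1]     # the part the '*' must match
        return prefix != "" and "." not in prefix  # exactly one label
    return cert_name == hostname                  # non-wildcard: exact match only


def certificate_names(describe_output: str) -> list:
    """Collect DomainName plus SubjectAlternativeNames, deduplicated, from the JSON."""
    cert = json.loads(describe_output)["Certificate"]
    names = [cert["DomainName"]] + cert.get("SubjectAlternativeNames", [])
    seen, out = set(), []
    for name in names:
        if name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out


def covering_names(describe_output: str, hostname: str) -> list:
    """Return the certificate names that cover hostname (empty list = not covered)."""
    return [n for n in certificate_names(describe_output) if name_covers(n, hostname)]


def main(argv: list) -> int:
    hostname = argv[1] if len(argv) > 1 else "servername.companyname.com"
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_DESCRIBE_OUTPUT
    matches = covering_names(data, hostname)
    if matches:
        print(f"OK: {hostname} is covered by {', '.join(matches)}")
        return 0
    print(f"NOT COVERED: {hostname}; certificate names are "
          f"{', '.join(certificate_names(data))}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, `servername.companyname.com` reports NOT COVERED (the apex is outside `*.servername.companyname.com`), while `aaa.servername.companyname.com` reports OK and `test.aaa.servername.companyname.com` again reports NOT COVERED because the wildcard spans one label only. The two remedies follow directly: either set `domain_name` to a single-label subdomain such as `"aaa.servername.companyname.com"` under a dot-free resource label (for example `aaa_servername`), or request a certificate whose names include both `servername.companyname.com` and `*.servername.companyname.com`, as the quoted docs describe.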
