AWS Certificate Manager Pending Validation when DNS validation is successful - amazon-web-services

Resolved! - Ended up just needing to contact Amazon Support to push it through.
I'm attempting to renew a certificate created in AWS Certificate Manager (ACM), but I'm stuck in the dreadful PENDING_VALIDATION status; this is a DNS validated certificate where I validated using the CNAME record.
Under Domains I can see that the domain validation has a status of Success and a Renewal Status of Success.
If I run aws acm describe-certificate --certificate-arn "examplearn", I get a return showing DomainValidationOptions with the ValidationStatus being success for the CNAME validation.
Replaced with "example" for sensitive values
{
"Certificate": {
"CertificateArn": "arn:aws:acm:us-east-1:example:certificate/certid",
"DomainName": "*.example.com",
"SubjectAlternativeNames": [
"*.example.com"
],
"DomainValidationOptions": [
{
"DomainName": "*.example.com",
"ValidationDomain": "*.example.com",
"ValidationStatus": "SUCCESS",
"ResourceRecord": {
"Name": "examplename",
"Type": "CNAME",
"Value": "examplevalue"
},
"ValidationMethod": "DNS"
}
],
"Serial": "",
"Subject": "CN=*.example.com",
"Issuer": "Amazon",
"CreatedAt": "2019-01-17T12:53:01-08:00",
"IssuedAt": "2021-10-22T21:21:50.177000-07:00",
"Status": "ISSUED",
"NotBefore": "2021-10-22T17:00:00-07:00",
"NotAfter": "2022-11-23T15:59:59-08:00",
"KeyAlgorithm": "RSA-2048",
"SignatureAlgorithm": "SHA256WITHRSA",
"InUseBy": [
"example",
"example",
"example",
"example"
],
"Type": "AMAZON_ISSUED",
"RenewalSummary": {
"RenewalStatus": "PENDING_VALIDATION",
"DomainValidationOptions": [
{
"DomainName": "*.example.com",
"ValidationDomain": "*.example.com",
"ValidationStatus": "SUCCESS",
"ResourceRecord": {
"Name": "examplename",
"Type": "CNAME",
"Value": "examplevalue"
},
"ValidationMethod": "DNS"
}
],
"UpdatedAt": "2022-09-21T23:39:15.161000-07:00"
},
"KeyUsages": [
{
"Name": "DIGITAL_SIGNATURE"
},
{
"Name": "KEY_ENCIPHERMENT"
}
],
"ExtendedKeyUsages": [
{
"Name": "TLS_WEB_SERVER_AUTHENTICATION",
"OID": "1.3.6.1.5.5.7.3.1"
},
{
"Name": "TLS_WEB_CLIENT_AUTHENTICATION",
"OID": "1.3.6.1.5.5.7.3.2"
}
],
"RenewalEligibility": "ELIGIBLE",
"Options": {
"CertificateTransparencyLoggingPreference": "ENABLED"
}
}
}
I followed the instructions in https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/ successfully (checking that the CNAME response exactly matches what is in the ACM CNAME values when copy-pasting).
The site domain registration is in Route 53 with NS pointing to cloudflare, where DNS is managed.
Is there something obvious that pops out to you? Thank you!
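A check for the situation described in this question, written for this page and not part of the original post: it reads the RenewalSummary from `describe-certificate` output, looks up each validation CNAME, and separates "DNS is wrong" from "DNS is right but ACM still says PENDING_VALIDATION". The certificate JSON and the stub resolver answers are constructed placeholders; `dig_cname` is an assumed helper for live lookups.

```python
import json
import subprocess
from typing import Callable, Dict, List

# Constructed sample in the shape of `aws acm describe-certificate` output (placeholder
# values, not the poster's). RenewalSummary holds the records ACM re-checks at renewal.
SAMPLE = {"Certificate": {"Status": "ISSUED", "RenewalSummary": {
    "RenewalStatus": "PENDING_VALIDATION",
    "DomainValidationOptions": [{"DomainName": "*.example.com", "ValidationMethod": "DNS",
        "ValidationStatus": "SUCCESS", "ResourceRecord": {
            "Name": "_abc123.example.com.", "Type": "CNAME",
            "Value": "_def456.acm-validations.aws."}}]}}}

# Stub resolver answers (constructed): what the DNS provider returns for the CNAME lookup.
STUB_ANSWERS = {"_abc123.example.com": ["_DEF456.acm-validations.aws."]}

def norm(name: str) -> str:
    """DNS names compare case-insensitively, with or without the trailing dot."""
    return name.strip().lower().rstrip(".")

def dig_cname(name: str) -> List[str]:
    """Live lookup via `dig` (assumed available); swap in for the stub on a real zone."""
    out = subprocess.run(["dig", "+short", "CNAME", name], capture_output=True, text=True)
    return [line for line in out.stdout.splitlines() if line]

def check_renewal(cert: dict, resolve: Callable[[str], List[str]]) -> Dict[str, object]:
    """Compare every DNS validation record ACM wants against what DNS actually returns."""
    summary = cert["Certificate"].get("RenewalSummary", {})
    findings: List[str] = []
    for opt in summary.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rr or rr["Type"] != "CNAME":
            continue
        answers = [norm(a) for a in resolve(norm(rr["Name"]))]
        if norm(rr["Value"]) not in answers:
            findings.append(f"{rr['Name']} -> {answers or 'no answer'}, want {rr['Value']}")
    records_ok = not findings
    status = summary.get("RenewalStatus")
    if records_ok and status == "PENDING_VALIDATION":
        findings.append("records match but RenewalStatus is still PENDING_VALIDATION: "
                        "nothing left to fix in DNS; this is the case to raise with support")
    return {"records_ok": records_ok, "renewal_status": status, "findings": findings}

if __name__ == "__main__":
    result = check_renewal(SAMPLE, lambda n: STUB_ANSWERS.get(n, []))
    print(json.dumps(result, indent=2))
```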

Related

Get errorType:OK when trying to deploy function

I'm struggling to deploy my cloud function. I'm unsure what information to provide. My setup:
# main.py
def callRequest():
    print("bla")
    return 1
Entry point for the function is callRequest.
After failing to deploy I see this red highlighted message under details:
Deployment failure:
Build failed: {"metrics":{},"error":{"buildpackId":"","buildpackVersion":"","errorType":"OK","canonicalCode":"OK","errorId":"","errorMessage":""},"stats":[{"buildpackId":"google.utils.archive-source","buildpackVersion":"0.0.1","totalDurationMs":47,"userDurationMs":46},{"buildpackId":"google.python.runtime","buildpackVersion":"0.9.1","totalDurationMs":9487,"userDurationMs":6307},{"buildpackId":"google.python.functions-framework","buildpackVersion":"0.9.6","totalDurationMs":53,"userDurationMs":52},{"buildpackId":"google.python.pip","buildpackVersion":"0.9.2","totalDurationMs":5832,"userDurationMs":5822},{"buildpackId":"google.utils.label","buildpackVersion":"0.0.2","totalDurationMs":0,"userDurationMs":0}],"warnings":null,"customImage":false}
In the logs I see a notice related to the attempted deploy:
{
"protoPayload": {
"#type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "myname#bla.com"
},
"requestMetadata": {
"callerIp": "152.170.106.184",
"callerSuppliedUserAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0,gzip(gfe),gzip(gfe)",
"requestAttributes": {
"time": "2023-01-11T13:15:30.667011Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "cloudfunctions.googleapis.com",
"methodName": "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
"authorizationInfo": [
{
"resource": "projects/my-project/locations/us-central1/functions/ga4-to-s3-1",
"permission": "cloudfunctions.functions.update",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "projects/my-project/locations/us-central1/functions/ga4-to-s3-1",
"request": {
"updateMask": "entryPoint,sourceUploadUrl",
"#type": "type.googleapis.com/google.cloud.functions.v1.UpdateFunctionRequest",
"function": {
"name": "projects/my-project/locations/us-central1/functions/ga4-to-s3-1",
"runtime": "python39",
"serviceAccountEmail": "my-project#appspot.gserviceaccount.com",
"availableMemoryMb": 256,
"maxInstances": 3000,
"timeout": "60s",
"eventTrigger": {
"eventType": "google.pubsub.topic.publish",
"resource": "projects/my-project/topics/ga4-daily-extract-complete"
},
"secretEnvironmentVariables": [
{
"version": "latest",
"key": "PAT",
"secret": "PAT-GA4-S3-Extract",
"projectId": "1234567"
}
],
"sourceUploadUrl": "https://storage.googleapis.com/uploads-1234567.us-central1.cloudfunctions.appspot.com/123-456-789-abc-def.zip?GoogleAccessId=service-123456789#gcf-admin-robot.iam.gserviceaccount.com&Expires=12345&Signature=kjhgfghjkjhg%iuytfrghj8765467uhgfdfghj",
"entryPoint": "callRequest",
"ingressSettings": "ALLOW_ALL"
}
},
"resourceLocation": {
"currentLocations": [
"us-central1"
]
}
},
"insertId": "nlbq4xd9dhq",
"resource": {
"type": "cloud_function",
"labels": {
"project_id": "my-project",
"function_name": "ga4-to-s3-1",
"region": "us-central1"
}
},
"timestamp": "2023-01-11T13:15:30.423213Z",
"severity": "NOTICE",
"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
"operation": {
"id": "operations/Z2E0LWV4dHJhY3QvdXMtY2VudHJhbDEvZ2E0LXRvLXMzLTEvbHA2QlowNzBTekk",
"producer": "cloudfunctions.googleapis.com",
"first": true
},
"receiveTimestamp": "2023-01-11T13:15:31.626931279Z"
}
I'm unsure where else to look. Any pointers or advice are most welcome.
Found a similar issue discussed here, and the issue was resolved.
The Cloud Build service account was missing the Cloud Build Service Account role.
I tried removing the Cloud Build Service Account role and deployed the function; I got the same deployment errors.
Try adding the Cloud Build Service Account role for the Google Cloud Build service account (project-number@cloudbuild.gserviceaccount.com) in the Google Cloud IAM console. This fixed the symptom of a cloud function deploy with the message:
message=Build failed: {
"metrics":{},
"error":{
"buildpackId":"",
"buildpackVersion":"",
"errorType":"OK",
"canonicalCode":"OK",
"errorId":"",
"errorMessage":""
}
}
Also have a look at these GitHub links, link1 and link2, which might help.
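A way to confirm the diagnosis from the answer above before touching IAM, added here as an example rather than taken from the thread: it recognises the empty "OK" build error, checks a `gcloud projects get-iam-policy` JSON document for the Cloud Build service account's role binding, and prints the equivalent `gcloud` fix. The policy document, project number and member names are constructed placeholders.

```python
from typing import Dict, List

CLOUD_BUILD_ROLE = "roles/cloudbuild.builds.builder"  # the "Cloud Build Service Account" role

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`;
# project number and members are placeholders, not the poster's. The only binding for the
# role names a deleted principal, which no longer grants anything.
POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:alice@example.com"]},
    {"role": CLOUD_BUILD_ROLE,
     "members": ["deleted:serviceAccount:000000000000@cloudbuild.gserviceaccount.com?uid=1"]},
]}
PROJECT_NUMBER = "000000000000"

# The build error shape from the question: every field empty or "OK".
BUILD_ERROR = {"buildpackId": "", "buildpackVersion": "", "errorType": "OK",
               "canonicalCode": "OK", "errorId": "", "errorMessage": ""}

def is_silent_build_failure(err: Dict[str, str]) -> bool:
    """True when the build reports failure but carries no error code or message."""
    return (err.get("errorType") == "OK" and err.get("canonicalCode") == "OK"
            and not err.get("errorMessage"))

def active_members(policy: dict, role: str) -> List[str]:
    """Members granted `role` unconditionally; deleted principals and conditional
    bindings are skipped because neither reliably grants the role at build time."""
    members: List[str] = []
    for b in policy.get("bindings", []):
        if b.get("role") != role or b.get("condition"):
            continue
        members += [m for m in b.get("members", []) if not m.startswith("deleted:")]
    return members

def cloud_build_sa_has_role(policy: dict, project_number: str) -> bool:
    sa = f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"
    return sa in active_members(policy, CLOUD_BUILD_ROLE)

def remediation(project_id: str, project_number: str) -> str:
    """The gcloud command that adds the missing binding (same effect as the IAM console fix)."""
    return (f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member=serviceAccount:{project_number}@cloudbuild.gserviceaccount.com "
            f"--role={CLOUD_BUILD_ROLE}")

if __name__ == "__main__":
    if is_silent_build_failure(BUILD_ERROR) and not cloud_build_sa_has_role(POLICY, PROJECT_NUMBER):
        print("Cloud Build SA lacks its role; run:\n  " + remediation("my-project", PROJECT_NUMBER))
```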

AWS Lambda cannot connect to AWS services in VPC

I have a Lambda in a VPC to access Amazon DocumentDB, but it fails to access any resource in the VPC. I've read the official guide for days and still haven't fixed this issue.
I checked all VPC configurations according to the Official Guide but had no luck.
The VPC is assigned when creating the Lambda.
Could anyone give me some help on the Lambda configuration? :)
import json
import logging

# `Mongo` is the poster's own context-manager wrapper around the MongoDB client; it is
# not shown in the post and must be supplied alongside this handler.
logger = logging.getLogger()
logger.setLevel(logging.INFO)


def access_mongodb(event, context):
    url = event.get('url')
    if url:
        db = event.get('db')
        coll = event.get('collection')
        query = event.get('query')
        limit = int(event.get('limit'))
        try:
            with Mongo(url=url, db=db) as conn:
                logger.info('Lambda Start query with Mongo')
                for row in conn[coll].find(query).limit(limit):
                    logger.info(f'got row => {json.dumps(row, default=str)}')
        except Exception as e:
            logger.error(f'Got exception {e}')
    else:
        logger.info('Lambda End with out Mongo')
Errors:
Got exception No servers found yet, Timeout: 2.0s, Topology Description: <TopologyDescription id: 62b5186720247fb7d69a0765, topology_type: Single, servers: [<ServerDescription ('docdb-test.xxxx-southeast-1.docdb.amazonaws.com', 27017) server_type: Unknown, rtt: None>]>
Configurations:
aws lambda get-function-configuration --function-name hello_py3
{
"FunctionName": "hello_py3",
"FunctionArn": "arn:aws:lambda:ap-southeast-1:592017647781:function:hello_py3",
"Runtime": "python3.9",
"Role": "arn:aws:iam::592017647781:role/service-role/hello_py3-role-xh39m23g",
"Handler": "lambda_function.lambda_handler",
"CodeSize": 5701329,
"Description": "",
"Timeout": 10,
"MemorySize": 128,
"LastModified": "2022-06-24T01:26:48.000+0000",
"CodeSha256": "VLwda8fP2DM62/y4Ouy9/U3KpzvfSRWoH7ocCwl1G6g=",
"Version": "$LATEST",
"VpcConfig": {
"SubnetIds": [
"subnet-08dacd9b6970624aa",
"subnet-09f80e8227735f6cf",
"subnet-028392620db2f9753"
],
"SecurityGroupIds": [
"sg-0002ee69773ca6f9d"
],
"VpcId": "vpc-0eee2636f691ad96b"
},
"TracingConfig": {
"Mode": "PassThrough"
},
"RevisionId": "55af10eb-f777-4ba9-aea5-05a010ce7637",
"State": "Active",
"LastUpdateStatus": "Successful",
"PackageType": "Zip",
"Architectures": [
"x86_64"
],
"EphemeralStorage": {
"Size": 512
}
}
aws iam list-attached-role-policies --role-name hello_py3-role-xh39m23g
{
"AttachedPolicies": [
{
"PolicyName": "AWSLambdaVPCAccessExecutionRole-2400d95b-c83c-4fce-8e12-b1a8c5c4b503",
"PolicyArn": "arn:aws:iam::592017647781:policy/service-role/AWSLambdaVPCAccessExecutionRole-2400d95b-c83c-4fce-8e12-b1a8c5c4b503"
},
{
"PolicyName": "AWSLambdaBasicExecutionRole-a8dac45b-b9f1-4eab-8170-2c9b9f9358ce",
"PolicyArn": "arn:aws:iam::592017647781:policy/service-role/AWSLambdaBasicExecutionRole-a8dac45b-b9f1-4eab-8170-2c9b9f9358ce"
}
]
}
aws ec2 describe-vpcs --vpc-ids vpc-0eee2636f691ad96b
{
"Vpcs": [
{
"CidrBlock": "172.31.0.0/16",
"DhcpOptionsId": "dopt-0b9edd5b6deafa0db",
"State": "available",
"VpcId": "vpc-0eee2636f691ad96b",
"OwnerId": "592017647781",
"InstanceTenancy": "default",
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-0200675b36f061104",
"CidrBlock": "172.31.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"IsDefault": true
}
]
}
aws ec2 describe-security-groups --group-ids sg-0002ee69773ca6f9d
{
"SecurityGroups": [
{
"Description": "default VPC security group",
"GroupName": "default",
"IpPermissions": [
{
"FromPort": 80,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 80,
"UserIdGroupPairs": []
},
{
"IpProtocol": "-1",
"IpRanges": [],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-0047473f289f0ffd3",
"UserId": "592017647781"
},
{
"GroupId": "sg-031e0901b061eb92d",
"UserId": "592017647781"
},
{
"GroupId": "sg-03f39f48c7887e46b",
"UserId": "592017647781"
},
{
"GroupId": "sg-07d8dbe45e3e81e44",
"UserId": "592017647781"
}
]
}
],
"OwnerId": "592017647781",
"GroupId": "sg-0002ee69773ca6f9d",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-0eee2636f691ad96b"
}
]
}
UPDATE:
I finally figured it out by using Reachability Analyzer, and it proved to be my fault, confusing configuration items. This is a very helpful tool; anyone with the same issue can try using it to help themselves out.
Thanks, John, for the help.
You appear to be using a single Security Group for both the AWS Lambda function and the DocDB database. I think your Security Group is missing Outbound permissions, which may be restricting traffic from the Lambda function.
The typical security setup would be:
A security group on the AWS Lambda function (Lambda-SG) that permits all Outbound access
A security group on the DocDB (DB-SG) that permits Inbound access from Lambda-SG on port 27017
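A checker for the two-group layout recommended in the answer above, added here as an example and not code from the thread: it walks security groups in the shape returned by `aws ec2 describe-security-groups` (as shown in the question) and reports which side of the Lambda-to-DocumentDB path on 27017 is not covered, including the single-shared-group case, where the group must reference itself in an ingress rule. The group IDs and rules are constructed placeholders, and only `0.0.0.0/0` CIDRs are treated as reaching the peer.

```python
from typing import List

# Constructed groups in the shape of `aws ec2 describe-security-groups` output (placeholder
# IDs, not the poster's): LAMBDA_SG is attached to the function, DB_SG to the DocumentDB cluster.
LAMBDA_SG = {"GroupId": "sg-lambda", "IpPermissions": [], "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
DB_SG = {"GroupId": "sg-db", "IpPermissionsEgress": [], "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]}]}

def covers_port(rule: dict, port: int) -> bool:
    """All-traffic rules ("-1") match any port; otherwise the TCP range must include `port`."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("IpProtocol") == "tcp" and rule.get("FromPort", 1) <= port <= rule.get("ToPort", 0)

def targets(rule: dict, peer_sg_id: str) -> bool:
    """The rule reaches the peer when it names the peer's SG or is open to 0.0.0.0/0.
    Narrower CIDRs would need the peer's actual address and are not modelled here."""
    return (any(p.get("GroupId") == peer_sg_id for p in rule.get("UserIdGroupPairs", []))
            or any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])))

def diagnose(lambda_sg: dict, db_sg: dict, port: int = 27017) -> List[str]:
    """Gaps that stop the Lambda reaching DocumentDB; an empty list means the SG path is open."""
    gaps: List[str] = []
    lam, db = lambda_sg["GroupId"], db_sg["GroupId"]
    if not any(covers_port(r, port) and targets(r, db) for r in lambda_sg.get("IpPermissionsEgress", [])):
        gaps.append(f"{lam}: no egress rule reaching {db} on tcp/{port}")
    if not any(covers_port(r, port) and targets(r, lam) for r in db_sg.get("IpPermissions", [])):
        hint = " (one SG on both sides needs a self-referencing ingress rule)" if lam == db else ""
        gaps.append(f"{db}: no ingress rule from {lam} on tcp/{port}{hint}")
    return gaps

if __name__ == "__main__":
    print(diagnose(LAMBDA_SG, DB_SG) or "security groups allow Lambda -> DocumentDB on 27017")
```

Network ACLs and the DB subnet's route table are outside what this checks, so a clean result here still leaves those to verify, as the next answer says.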
Could you please check the connection from the Lambda subnet to the DocumentDB subnet and their SG and NACL, just to confirm that the Lambda can connect to DocumentDB using port 27017.
Thanks,
Chinmoy Layek

10060 error when connecting MariaDB on VM on Compute Engine of Google Cloud Platform

I created a VM on Compute Engine of Google Cloud Platform.
I installed MariaDB and configured it to bind to 0.0.0.0.
I created a firewall rule to allow access to 3306 in the IP range 0.0.0.0/0, tagged it as "mysql-open" and added it as a network tag in the VM instance details. I also chose the option to log the connection.
When I try to connect from MySQL Workbench to the public address of the VM instance with 3306 as the port, I get a 10060 error.
The user ID used to connect was given full GRANT and was like 'testuser'@'%'.
Below is the log entry, which seems to show that the firewall rule worked.
"insertId": "epk9z8g1zjxknf",
"jsonPayload": {
"instance": {
"project_id": "XXXX",
"vm_name": "XXX",
"region": "us-east4",
"zone": "us-east4-c"
},
"connection": {
"src_port": 44826,
"dest_ip": "10.150.0.5",
"protocol": 6,
"dest_port": 3306,
"src_ip": "198.199.98.246"
},
"remote_location": {
"city": "San Francisco",
"continent": "America",
"country": "usa",
"region": "California"
},
"rule_details": {
"priority": 2000,
"ip_port_info": [
{
"port_range": [
"3306"
],
"ip_protocol": "TCP"
}
],
"source_range": [
"0.0.0.0/0"
],
"reference": "network:default/firewall:mysql-open",
"action": "ALLOW",
"direction": "INGRESS"
},
"vpc": {
"project_id": "XXXX",
"vpc_name": "default",
"subnetwork_name": "default"
},
"disposition": "ALLOWED"
},
"resource": {
"type": "gce_subnetwork",
"labels": {
"subnetwork_id": "2510359252254555075",
"project_id": "XXXX",
"subnetwork_name": "default",
"location": "us-east4-c"
}
},
"timestamp": "2020-11-05T14:12:33.819891417Z",
"logName": "projects/XXXX/logs/compute.googleapis.com%2Ffirewall",
"receiveTimestamp": "2020-11-05T14:12:39.166067521Z"
}

Create Route53 record from command line using aws-cli

How can I easily create an Amazon AWS Route53 record from the command line? It takes too long to click around in the web console.
You need to know the hosted zone id. List your hosted zones:
$ aws route53 list-hosted-zones
The output should be:
{
"HostedZones": [
{
"Id": "/hostedzone/ZFYKW933LX916",
"Name": "example.com.",
"CallerReference": "C4E8C4F3-5265-4248-B324-807A4AB90ABC",
"Config": {
"PrivateZone": false
},
"ResourceRecordSetCount": 39
},
{
"Id": "/hostedzone/Z6JTNNZOHT191",
"Name": "example.net.",
"CallerReference": "A4001EE9-C0FD-F484-9F8D-688F681EFDEF",
"Config": {
"PrivateZone": false
},
"ResourceRecordSetCount": 16
}
]
}
Now you need to create a change batch:
$ aws --profile messa route53 change-resource-record-sets --hosted-zone-id /hostedzone/ZFYKW933LX916 --change-batch '{"Changes": [ { "Action": "UPSERT", "ResourceRecordSet": { "Name": "foobar.example.com", "Type": "A", "TTL": 3600, "ResourceRecords": [{ "Value": "11.222.33.44" }] } } ]}'
The output should be:
{
"ChangeInfo": {
"Id": "/change/C2T36TTVOVS7KX",
"Status": "PENDING",
"SubmittedAt": "2020-02-12T12:54:43.056Z"
}
}

Google Reports API activities.list gives ipAddress: 0.1.0.40

While retrieving audit events from activities.list() in Google Apps Admin SDK, some activities have their ipAddress field as 0.1.0.40 and 0.1.0.0. In what cases could this be the source IP address, since they seem to be private or restricted IP addresses?
{
"kind": "admin#reports#activities",
"etag": "\"6KGrH_UY2JDZNpgjPKUOF8yJF1A/l6ZMtXXRXWtSeG8M3t2g4k5pUaY\"",
"items": [
{
"kind": "admin#reports#activity",
"id": {
"time": "2016-12-28T11:23:26.269Z",
"uniqueQualifier": "2877532833757184598",
"applicationName": "drive",
"customerId": "C01c818ge"
},
"etag": "\"6KGrH_UY2JDZNpgjPKUOF8yJF1A/7lASgpMTSWwMHfLg8I4-s07wD_Q\"",
"actor": {
"email": "def#abc.com",
"profileId": "115227377397945077346"
},
"ipAddress": "0.1.0.40",
"events": [
{
"type": "access",
"name": "create",
"parameters": [
{
"name": "primary_event",
"boolValue": true
},
{
"name": "owner",
"value": "def#abc.com"
},
{
"name": "doc_id",
"value": "0ByoIcq_NoMgZDY19wc2RnZE0"
},
{
"name": "doc_type",
"value": "unknown"
},
{
"name": "doc_title",
"value": "Untitled"
},
{
"name": "owner_is_team_drive",
"boolValue": false
}
]
}
]
}
]
}
From this documentation, it is stated that the "ipAddress" property contains the user's IP address. And from this Activities: list, it contains the IP address of the user doing the action. This is the Internet Protocol (IP) address of the user when logging into G Suite, which may or may not reflect the user's physical location. For example, the IP address can be the user's proxy server's address or a virtual private network (VPN) address. The API supports IPv4 and IPv6.