* aws_acm_certificate_validation.cert: Expected certificate to be issued but was in state PENDING_VALIDATION #9338

Closed
mohamednazar opened this issue Jul 15, 2019 · 17 comments · Fixed by #20073
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service.

Comments

@mohamednazar

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.11.2

Affected Resource(s)

  • aws_acm_certificate_validation.cert: Expected certificate to be issued but was in state PENDING_VALIDATION

Terraform Configuration Files

resource "aws_acm_certificate" "cert" {
  domain_name       = "${var.api_record_name}"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn = "${aws_acm_certificate.cert.arn}"

  validation_record_fqdns = [
    "${aws_route53_record.cert_validation.fqdn}"
  ]
}

resource "aws_route53_record" "cert_validation" {
  provider = "aws.ppas"
  name     = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  type     = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  zone_id  = "${var.zoneid}"
  records  = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
  ttl      = 60
}

Debug Output

[03:51:15]Error: Error applying plan:
[03:51:15]
[03:51:15]1 error(s) occurred:
[03:51:15]
[03:51:15]* aws_acm_certificate_validation.cert: 1 error(s) occurred:
[03:51:15]
[03:51:15]* aws_acm_certificate_validation.cert: Expected certificate to be issued but was in state PENDING_VALIDATION

Panic Output

[03:51:15]Error: Error applying plan:
[03:51:15]
[03:51:15]1 error(s) occurred:
[03:51:15]
[03:51:15]* aws_acm_certificate_validation.cert: 1 error(s) occurred:
[03:51:15]
[03:51:15]* aws_acm_certificate_validation.cert: Expected certificate to be issued but was in state PENDING_VALIDATION

Expected Behavior

ACM Certificate has to be validated automatically, but it shows "PENDING_VALIDATION" in AWS console

Actual Behavior

ACM certificate still shows "PENDING_VALIDATION"

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 15, 2019
@aeschright aeschright added the service/acm Issues and PRs that pertain to the acm service. label Aug 2, 2019
@bflad
Contributor

bflad commented Aug 5, 2019

Hi @mohamednazar 👋 Approximately how long did the resource wait before returning that error? That error should only return when it has retried checking the ACM Certificate validation status repeatedly for 45 minutes by default. Generally ACM Certificate validation should complete before then, but if not, it seems to suggest that either ACM was running slow at the time or somehow a misconfiguration of the validation DNS records.

Can you let us know? Thanks.

@bflad bflad added the waiting-response Maintainers are waiting on response from community or contributor. label Aug 5, 2019
@hwh23312

hwh23312 commented Aug 7, 2019

This is so messed up, I just want what I want

@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Aug 7, 2019
@obourdon
Contributor

obourdon commented Aug 7, 2019

@mohamednazar we have been having this kind of issue from time to time in our deployments. It could take over 1 hour for the ACM certificate to get validated. This kind of error does not seem predictable. Here is the comment I have put in our source code after discussing with AWS experts about this:

    Due to AWS certificate validation procedure which retries validation
    after around 2mn, 5mn, 10mn, 20mn, 50mn in the 1st hour, this fix
    prevents the default timeout of 45mn to occur if the AWS certification
    takes longer than usual.
    Note that even if the new timeout occurs, relaunching the deployment
    should succeed once certificate gets finally validated.

and the change

 resource "aws_acm_certificate_validation" "internal" {
   certificate_arn         = "${aws_acm_certificate.internal.arn}"
   validation_record_fqdns = ["${aws_route53_record.internal_cert_validation.fqdn}"]
+
+  timeouts {
+    create = "60m"
+  }
 }
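
Review bot: the `create = "60m"` value in the added `timeouts` block leaves only about ten minutes after the 50mn retry that the accompanying comment describes, so a validation that succeeds on that last retry can still run into the timeout. Consider a larger value, and keep the rationale as a comment directly above the `timeouts` block in the .tf file so the override is not dropped later as unexplained.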

HTH

@bflad
Contributor

bflad commented Aug 7, 2019

If folks are consistently running into this with the default timeout of 45 minutes, we would happily accept a patch to increase the default timeout in these two places:

  • aws/resource_aws_acm_certificate_validation.go (line 37 currently)
  • website/docs/r/acm_certificate_validation.html.markdown (Timeouts section)

@johnhpatton

+1

@IngussNeilands

+1

@deanshelton913
Contributor

deanshelton913 commented Mar 22, 2020

Yup. 45m is not enough, like you said.
Mine took 45min then timed out.

aws_acm_certificate_validation.default: Still creating... [44m51s elapsed]
...
Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

Also @IngussNeilands and @johnhpatton, as OP instructs, please use the thumbs up reaction button vs. the comments of "+1", which just crowd the comment section. Thanks!

@sethfloydjr

I tried adding the timeouts as mentioned above and it still failed for me at 60 mins. I tried it twice...

module.tripfloyd.aws_acm_certificate_validation.tripfloyd_cert: Still creating... [59m52s elapsed]

Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

  on tripfloyd/ACM.tf line 6, in resource "aws_acm_certificate_validation" "tripfloyd_cert":
   6: resource "aws_acm_certificate_validation" "tripfloyd_cert" {

I've resorted to creating the cert with terraform and then manually validating it. Not ideal. Would love to see this fixed.

@benits

benits commented Jul 15, 2020

I'm having this same problem, did anyone get a solution?

```
module.hub-infra.aws_acm_certificate_validation.cert: Still creating... [44m52s elapsed]
module.hub-infra.aws_acm_certificate_validation.cert: Still creating... [45m2s elapsed]

Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

on ..\modules\hub-infra\certificate.tf line 24, in resource "aws_acm_certificate_validation" "cert":
24: resource "aws_acm_certificate_validation" "cert" {
```

@dominicfarr

Same issue here unfortunately.

aws_acm_certificate_validation.cert_validation: Still creating... [44m51s elapsed]

│ Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
│
│   with aws_acm_certificate_validation.cert_validation,
│   on route_acm.tf line 61, in resource "aws_acm_certificate_validation" "cert_validation":
│   61: resource "aws_acm_certificate_validation" "cert_validation" {

resource "aws_acm_certificate" "ssl_certificate" {
  provider                  = aws.acm_provider
  domain_name               = var.domain_name
  validation_method         = "DNS"

  tags = var.common_tags

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "main" {
  for_each = {
    for dvo in aws_acm_certificate.ssl_certificate.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = aws_route53_zone.main.zone_id
}

resource "aws_acm_certificate_validation" "cert_validation" {
  provider                = aws.acm_provider
  certificate_arn         = aws_acm_certificate.ssl_certificate.arn
  validation_record_fqdns = [for record in aws_route53_record.main : record.fqdn]
}

@tnorlund

tnorlund commented May 8, 2021

I got around this by using east-1 and doing it a few times. This process should really be done through the console, but it's nice to have it managed by IAC.

@AshkanSandoval

I got around this by using east-1 and doing it a few times. This process should really be done through the console, but it's nice to have it managed by IAC.

I know you from https://medium.com/runatlantis/hosting-our-static-site-over-ssl-with-s3-acm-cloudfront-and-terraform-513b799aec0f got the same issues

@breathingdust breathingdust added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 17, 2021
@vadlungu

Has anyone found a solution to this?
We are facing the same issue.

Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

@vadlungu

We found the solution to our issue: we were creating a zone, and this zone was not delegated with the proper NS (due to the fact that it was in another AWS account and was not managed by the same Terraform). After proper delegation, everything started to work fine.
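
The delegation fix described in the comment above, written out as an added Terraform example; it is not part of the original thread or of the provider's code. The provider alias `aws.parent`, its profile name, and the two variables are assumptions standing in for the account that owns the parent zone.

```hcl
# Hypothetical names: var.parent_zone_id, var.subdomain, the aws.parent alias
# and its profile are assumptions, not values from the issue.
variable "parent_zone_id" { type = string }
variable "subdomain" { type = string } # e.g. "app.example.com"

provider "aws" {
  alias   = "parent"
  profile = "parent-account" # account that owns the parent hosted zone
}

# Child zone, created in the default provider's account.
resource "aws_route53_zone" "child" {
  name = var.subdomain
}

# Delegation: NS record in the parent zone pointing at the child zone's name
# servers. Without it, the validation CNAME exists but is not publicly
# resolvable, and the certificate stays in PENDING_VALIDATION.
resource "aws_route53_record" "delegation" {
  provider = aws.parent
  zone_id  = var.parent_zone_id
  name     = var.subdomain
  type     = "NS"
  ttl      = 300
  records  = aws_route53_zone.child.name_servers
}

resource "aws_acm_certificate" "cert" {
  domain_name       = var.subdomain
  validation_method = "DNS"
  lifecycle { create_before_destroy = true }
}

resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => dvo
  }
  allow_overwrite = true
  zone_id         = aws_route53_zone.child.zone_id
  name            = each.value.resource_record_name
  type            = each.value.resource_record_type
  records         = [each.value.resource_record_value]
  ttl             = 60
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
  depends_on              = [aws_route53_record.delegation] # wait for delegation first
  timeouts { create = "60m" }
}
```

The explicit `depends_on` makes the validation wait until the NS delegation exists, so the timeout clock does not start while the zone is still unreachable from public DNS.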

@breathingdust
Member

Hi all 👋 Just letting you know that this issue is featured on this quarter's roadmap. If a PR exists to close the issue a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2022