2

I received an email from AWS:

To renew this certificate, you must ensure that the proper CNAME records are present in your DNS configuration for each domain listed below

So I went to https://ap-northeast-2.console.aws.amazon.com/acm/, grabbed the CNAME, and tried to create a CNAME record in Route 53.

It fails with the message:

[RRSet of type CNAME with DNS name example.kr. is not permitted at apex in zone example.kr.]

I have an A record for example.kr, which I created by following the directions in https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

"RRSet of type CNAME with DNS name foo.com. is not permitted at apex in zone bar.com" says I'm getting the error message because I have an SOA record for the domain. I have no idea why I have this record, or whether I need it.

Can I simply delete the SOA record and proceed, or should I take different steps?

eugene

1 Answer

1

It seems to me that the error you're seeing is because you're setting a CNAME on your root record (referred to as Apex record). This should be an A record (or Alias record in Route 53 when possible).

For validating your certificate via CNAME you will be given both a CNAME record and a value.

The CNAME record should start with an underscore followed by a large hash, such as:

_a79865eb4cd1a6ab990a45779b4e0b96.yourdomain.com.

If using Route 53, you should only need to enter _a79865eb4cd1a6ab990a45779b4e0b96 as the domain name of type CNAME.

You would then have a value similar to _x2.acm-validations.aws.. This would need to be your value.

Chris Williams
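The check described in the answer above, as an added example that is not part of the original post or AWS's own code: it takes one validation record in the shape ACM reports under `Certificate.DomainValidationOptions[].ResourceRecord`, refuses a CNAME named like the zone apex, and builds the change batch that Route 53's `change-resource-record-sets` accepts. The function names, the TTL of 300 and the sample record's value are assumptions made for illustration.

```python
import json

def _fqdn(name: str) -> str:
    """Lower-case a DNS name and make sure it ends with the root dot."""
    return name.strip().lower().rstrip(".") + "."

def validation_change_batch(zone_name: str, resource_record: dict, ttl: int = 300) -> dict:
    """Turn one ACM ResourceRecord into a Route 53 ChangeBatch (ttl=300 is an assumed default)."""
    zone = _fqdn(zone_name)
    name = _fqdn(resource_record["Name"])
    value = _fqdn(resource_record["Value"])
    if resource_record["Type"] != "CNAME":
        raise ValueError("expected a CNAME validation record")
    if name == zone:
        # The mistake from the question: a CNAME named exactly like the zone.
        raise ValueError(f"{name} is the zone apex; CNAME is not permitted there")
    if not name.endswith("." + zone):
        raise ValueError(f"{name} does not belong to zone {zone}")
    return {
        "Comment": "ACM DNS validation record",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name,
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": value}],
            },
        }],
    }

def console_record_name(zone_name: str, record_name: str) -> str:
    """Label to type into the Route 53 console, which appends the zone name itself."""
    zone, name = _fqdn(zone_name), _fqdn(record_name)
    if not name.endswith("." + zone):
        raise ValueError(f"{name} does not belong to zone {zone}")
    return name[: -len("." + zone)]

# Constructed sample; the Value is a placeholder, not a real ACM validation target.
SAMPLE = {
    "Name": "_a79865eb4cd1a6ab990a45779b4e0b96.example.kr.",
    "Type": "CNAME",
    "Value": "_0123456789abcdef.placeholder.acm-validations.aws.",
}

if __name__ == "__main__":
    print(console_record_name("example.kr", SAMPLE["Name"]))
    print(json.dumps(validation_change_batch("example.kr", SAMPLE), indent=2))
```

The printed JSON can be saved to a file and passed to `aws route53 change-resource-record-sets --hosted-zone-id <your-zone-id> --change-batch file://<that-file>`.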