我的域正在等待 AWS Certificate Manager 中的验证

My domain is pending validation in AWS Certificate Manager

使用 AWS Certificate Manager 配置 *.mydomain.com 并在等待验证中显示超过一天,即使 CNAME 记录已发布到域名下的 AWS Route53。一切似乎都合适但不清楚,为什么域没有得到验证

注意:域也是使用 AWS Route53 创建的

挖mydomain.com

; <<>> DiG 9.10.6 <<>> mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27432
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com.          IN  A

;; AUTHORITY SECTION:
com.            900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619360121 1800 900 604800 86400

;; Query time: 457 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Apr 25 19:45:39 IST 2021
;; MSG SIZE  rcvd: 112

挖掘mydomain.com任何

; <<>> DiG 9.10.6 <<>> mydomain.com ANY
;; global options: +cmd
;; connection timed out; no servers could be reached

挖掘mydomain.com+追踪

dig mydomain.com +trace

; <<>> DiG 9.10.6 <<>> mydomain.com +trace
;; global options: +cmd
.           359116  IN  NS  e.root-servers.net.
.           359116  IN  NS  k.root-servers.net.
.           359116  IN  NS  d.root-servers.net.
.           359116  IN  NS  f.root-servers.net.
.           359116  IN  NS  a.root-servers.net.
.           359116  IN  NS  g.root-servers.net.
.           359116  IN  NS  c.root-servers.net.
.           359116  IN  NS  b.root-servers.net.
.           359116  IN  NS  i.root-servers.net.
.           359116  IN  NS  h.root-servers.net.
.           359116  IN  NS  l.root-servers.net.
.           359116  IN  NS  m.root-servers.net.
.           359116  IN  NS  j.root-servers.net.
.           359116  IN  RRSIG   NS 8 0 518400 20210508050000 20210425040000 14631 . VRowJ98FAdfO9wGKjJRrm1llMgqsIy2i9NQ9teQyO4J71s5S2NdD/GG7 x4ssMnkmZ1BSVE8jWQjP2uPuzYxK++ILDLM5pjCdbpbcJlOQSqWgAF0a zCjHmGuh14r29m0C8jm+mqRZ83ioEtcYgzmiEMLzREx7OCYZM14XnP2o l5aSe1Cx495WGCGvy8E1ugUn5ZAUygdduDVGHBeNWApfAAKqmTttnO0m YBCzVTgvzPJecHcdiuTZrpDTtfzgCb9tMAd5+QUdfPMTsb4cKisAvd8a m7lGdrgV1dQiwzwL2urSJpToA3N2pVpuPuFtcpt5O8vvUjEcOihgOfaT VudmBg==
;; Received 1097 bytes from 192.168.1.1#53(192.168.1.1) in 96 ms

com.            172800  IN  NS  a.gtld-servers.net.
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  m.gtld-servers.net.
com.            86400   IN  DS  30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.            86400   IN  RRSIG   DS 8 1 86400 20210508050000 20210425040000 14631 . e6RPEnTOftwvUJRAoWl+M9MUnuPcjH/CT22pTiVkKPiA4j5NBqMvL+G7 Q3TA04bXcvOruMRLCTSZ6wm9o0bdpJVT8JAK7pOHqZDlwbTAyL+BhWhK 76FHauQ0gQYbGwEKl6C/k4mA3TNE8bZZt1utYWoa62cCx/jn72nzxLG7 zAehrItZg3Jk9vX7Ds5W6vfLOkxmNjrVGyQBQVK8D5CQdicspu+z6gGR Rz3p8Kez5J4QYsmDwb1HyT5dxsvFH4G8I1ptMHt6c+UH84XbdAFWDVEa PpEPm5zbDz8hhDl34nmJAt7loGuJ5fWE4HDmFudXD3n2+8a/RosFyZvH M63uTQ==
;; Received 1170 bytes from 199.7.83.42#53(l.root-servers.net) in 43 ms

com.            900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619363571 1800 900 604800 86400
com.            900 IN  RRSIG   SOA 8 1 900 20210502151251 20210425140251 54714 com. nQPgPFyQO4PgrERge1QkjjplpXpAyPJdE8y5jV1VXXi41cZpQfkzcDTb 6xSsybGovaexSzfV8m9aEeL7baojsrYWqFVfocaL8pMe2Ezjp+OjaQiP fA93ZvnJ3kkjE+abtHhOThZneXYsxHLUgTC8JG11/H4I3w6D6Gj0pRd8 p6DHtUs9Fd4k+5xfpuiRFxxtQM8Q4TZvc/hjidFVtC3SwQ==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A  NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210430042342 20210423031342 54714 com. poBoT+3Fv6vILgKS4kwHwRFFaBMpT1dqP0FhmDhYFMN8bE/F+fkBHHUQ zfGrx/FswlhMG+6tS6DXsB09X1P/CKlE4cvRvgkv5tM66HeQ7GtcvMLQ M7PpwtWv8jBZ2OPMxFrORXLFpYvFI7I9YGS36WL6JsKm7d54i/gdP5ny +EWX1oj4Nfrho4lOT6zQmCCYm9c4vM4T3O3OKKF0/Bcf9w==
1HCL83RC3R55GBBV9M3IA223NK6FOIUG.com. 86400 IN NSEC3 1 1 0 - 1HCLGQG6AEFSU0MRECIMQGFMFS45LSML  NS DS RRSIG
1HCL83RC3R55GBBV9M3IA223NK6FOIUG.com. 86400 IN RRSIG NSEC3 8 2 86400 20210429042839 20210422031839 54714 com. thxq1AK7k2voLzaaz97SX2dnmDurTFjk6zIDgf6oGpKGvTVIQrPbm88y /vMnJQOjoUpoV3rTzCQoiYCJ+wN3xwOHyXkdpVr2CNS4xSPUzcfnKzmx cqeE/x/gIwy18VB4abQ0Rs7EQQZIakoWvVwK2m63yqZ2zc2uH+qDzxZQ ul5P7DqPzy1vrh2Als3RccLj+zAZQOt21jAhS1D4ARBXAw==
3RL2Q58205687C8I9KC9MV46DGHCNS45.com. 86400 IN NSEC3 1 1 0 - 3RL2U7B4F3S5BAQOQ0GAV1UULJB098HP  NS DS RRSIG
3RL2Q58205687C8I9KC9MV46DGHCNS45.com. 86400 IN RRSIG NSEC3 8 2 86400 20210429043013 20210422032013 54714 com. CY/QVw+zdsll1gAk8WWMPb1xTkz0iDehfJmoN7ZriaFuBpZetuInVEP7 qdCZodmE/9VUuHUyWD3/iBRDvMIIzF4bckpu6fWYI8caNMRucS6gMAkV C0Om54P/5gjJpxGAu6ilRjKrDunO4z9s7bfHdxmICmZLg89SER5Nw15m 1rVZG+BBrl6eBXJVLO/oMkPHwKjtJvgentLi7V0iCZAGYQ==
;; Received 1130 bytes from 192.42.93.30#53(g.gtld-servers.net) in 228 ms

挖mydomain.comNS

; <<>> DiG 9.10.6 <<>> mydomain.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34077
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com.          IN  NS

;; AUTHORITY SECTION:
com.            900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619365916 1800 900 604800 86400

;; Query time: 423 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Apr 25 21:22:21 IST 2021
;; MSG SIZE  rcvd: 112

挖掘@8.8.8.8 mydomain.com ns

; <<>> DiG 9.10.6 <<>> @8.8.8.8 mydomain.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60289
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mydomain.com.          IN  NS

;; AUTHORITY SECTION:
com.            899 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619370481 1800 900 604800 86400

;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 25 22:38:22 IST 2021
;; MSG SIZE  rcvd: 112

挖@ns-1563.awsdns-03.co.uk mydomain.com

; <<>> DiG 9.10.6 <<>> @ns-1563.awsdns-03.co.uk mydomain.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29591
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com.          IN  A

;; AUTHORITY SECTION:
mydomain.com.       900 IN  SOA ns-1563.awsdns-03.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 8 msec
;; SERVER: 205.251.198.27#53(205.251.198.27)
;; WHEN: Sun Apr 25 22:40:28 IST 2021
;; MSG SIZE  rcvd: 123

挖@ns-547.awsdns-04.net mydomain.com

; <<>> DiG 9.10.6 <<>> @ns-547.awsdns-04.net mydomain.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5437
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com.          IN  A

;; AUTHORITY SECTION:
mydomain.com.       900 IN  SOA ns-1563.awsdns-03.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 46 msec
;; SERVER: 205.251.194.35#53(205.251.194.35)
;; WHEN: Sun Apr 25 22:42:22 IST 2021
;; MSG SIZE  rcvd: 123

当您 register the new domain 时,Route 53 将自动创建一个具有正确 NS 记录的托管区域。您应该能够在控制台中打开托管区域并看到 4 条指向 AWS DNS 服务器的 NS 记录。例如,

ns-1502.awsdns-59.org.
ns-1757.awsdns-27.co.uk.
ns-319.awsdns-39.com.
ns-621.awsdns-13.net.

您可以尝试使用 dig 命令根据名称服务器查找您新注册的域。例如:

$ dig @ns-1502.awsdns-59.org mydomain.com
...
;; ANSWER SECTION:
mydomain.com.       21599   IN  NS  ns-1502.awsdns-59.org.
mydomain.com.       21599   IN  NS  ns-1757.awsdns-27.co.uk.
mydomain.com.       21599   IN  NS  ns-319.awsdns-39.com.
mydomain.com.       21599   IN  NS  ns-621.awsdns-13.net.

这将确认 AWS DNS 正在正确解析您的域。您还可以检查另一个非 AWS DNS 服务器。例如,您可以检查位于 8.8.8.8:

的任何 public DNS server, such as Google's public DNS 服务器
$ dig @8.8.8.8 mydomain.com ns
...
;; ANSWER SECTION:
mydomain.com.       21599   IN  NS  ns-1502.awsdns-59.org.
mydomain.com.       21599   IN  NS  ns-1757.awsdns-27.co.uk.
mydomain.com.       21599   IN  NS  ns-319.awsdns-39.com.
mydomain.com.       21599   IN  NS  ns-621.awsdns-13.net.
...

您还应该在输出中看到 status: NOERROR。如果您看到的是 status: NXDOMAIN,则表示您注册域时 the domain really does not exist. In that case, you should review the AWS documentation on registering domain names, and in particular the troubleshooting docs. Make sure that you have clicked the confirmation link that was sent to your email

如果您的域名注册正确,您应该可以使用 DNS 验证。一旦您请求了带有 DNS 验证的证书并将 CNAME 添加到域中,您就可以检查它是否存在:

$ dig <your validation record>.mydomain.com
;; ANSWER SECTION:
<your validation record>.mydomain.com. 299 IN CNAME <some random value>.<some random value>.acm-validations.aws.

如果您可以使用任何 public 名称服务器解决此问题,那么验证记录设置正确,您只需等待。当它工作时,它通常很快,但最多可能需要 30 分钟。

话虽如此,我偶尔会看到验证从未完成,ACM 证书将无限期地保持在 pending 状态。在这种情况下,解决它的唯一方法是删除证书,申请一个新证书,然后重试。请注意,如果您再次尝试,他们将要求您创建的 Route 53 验证 CNAME 记录将始终相同。