Delete the CNAME DNS record used for certificate validation in hosted zone about scar HOT 5 OPEN

How should I resolve it?

from scar.

Hi @yanlinaung30 - the manual workaround for this issue is to manually delete the CNAME record first before deleting the CloudFormation stack.

You can do this by using the AWS Route 53 console to open the hosted zone that was created as part of your stack, selecting the CNAME record set, then "Delete Record Set". After that, you should be able to fully delete the CloudFormation stack as it will then be able to delete the hosted zone.

Let me know if that works.

from scar.

@cloudkj
Thanks for your reply!
I delete CNAME manually as soon as the certificate is issued successfully.

But I encountered another issue.
I upload json template file to my s3 bucket of my region & Create the CloudFormation stack in my region

CloudFrontRootDistribution

The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 67acde6a-8687-11e9-b0a2-4f83c31ceffd)

CloudFrontWWWDistribution

The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 67944d42-8687-11e9-aadb-fd94b97f8503)

from scar.

Hi @yanlinaung30 - it looks like ACM has a restriction that requires certificates to be created in the us-east-1 region in order to be used with CloudFront: https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html

To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.

Unfortunately, for now you'll have to create the stack in us-east-1. Note that there should be no degradation in performance for visitors since the CloudFront distribution will be global. However, I can see that there can be a performance/cost issue in dealing with uploading or syncing assets if us-east-1 is not your home region.

I'll open a separate issue to track this problem. At the very least, the docs should be updated to reflect this limitation. It's possible that CloudFormation Stack Sets can offer a path forward by requesting only the ACM certificate in us-east-1 but other resources in the chosen region, but some work is needed to see if that's possible.

from scar.

@cloudkj
Oh, this must be the reason!
Thanks a lot for your reply and explanation.
I will create the CloudFormation in North Virginia for now.
Thank you!

from scar.