
I configured *.mydomain.com in AWS Certificate Manager and it has been showing Pending Validation for more than a day, even though the CNAME record has been published in AWS Route 53 under the domain. Everything seems to be in place, but it is unclear why the domain is not getting validated.

Note: the domain was also created (registered) with AWS Route 53.

dig mydomain.com

; <<>> DiG 9.10.6 <<>> mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27432
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com.          IN  A

;; AUTHORITY SECTION:
com.            900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619360121 1800 900 604800 86400

;; Query time: 457 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Apr 25 19:45:39 IST 2021
;; MSG SIZE  rcvd: 112

dig mydomain.com ANY

; <<>> DiG 9.10.6 <<>> mydomain.com ANY
;; global options: +cmd
;; connection timed out; no servers could be reached

dig mydomain.com +trace

; <<>> DiG 9.10.6 <<>> mydomain.com +trace
;; global options: +cmd
.           359116  IN  NS  e.root-servers.net.
.           359116  IN  NS  k.root-servers.net.
.           359116  IN  NS  d.root-servers.net.
.           359116  IN  NS  f.root-servers.net.
.           359116  IN  NS  a.root-servers.net.
.           359116  IN  NS  g.root-servers.net.
.           359116  IN  NS  c.root-servers.net.
.           359116  IN  NS  b.root-servers.net.
.           359116  IN  NS  i.root-servers.net.
.           359116  IN  NS  h.root-servers.net.
.           359116  IN  NS  l.root-servers.net.
.           359116  IN  NS  m.root-servers.net.
.           359116  IN  NS  j.root-servers.net.
.           359116  IN  RRSIG   NS 8 0 518400 20210508050000 20210425040000 14631 . VRowJ98FAdfO9wGKjJRrm1llMgqsIy2i9NQ9teQyO4J71s5S2NdD/GG7 x4ssMnkmZ1BSVE8jWQjP2uPuzYxK++ILDLM5pjCdbpbcJlOQSqWgAF0a zCjHmGuh14r29m0C8jm+mqRZ83ioEtcYgzmiEMLzREx7OCYZM14XnP2o l5aSe1Cx495WGCGvy8E1ugUn5ZAUygdduDVGHBeNWApfAAKqmTttnO0m YBCzVTgvzPJecHcdiuTZrpDTtfzgCb9tMAd5+QUdfPMTsb4cKisAvd8a m7lGdrgV1dQiwzwL2urSJpToA3N2pVpuPuFtcpt5O8vvUjEcOihgOfaT VudmBg==
;; Received 1097 bytes from 192.168.1.1#53(192.168.1.1) in 96 ms

com.            172800  IN  NS  a.gtld-servers.net.
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  m.gtld-servers.net.
com.            86400   IN  DS  30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.            86400   IN  RRSIG   DS 8 1 86400 20210508050000 20210425040000 14631 . e6RPEnTOftwvUJRAoWl+M9MUnuPcjH/CT22pTiVkKPiA4j5NBqMvL+G7 Q3TA04bXcvOruMRLCTSZ6wm9o0bdpJVT8JAK7pOHqZDlwbTAyL+BhWhK 76FHauQ0gQYbGwEKl6C/k4mA3TNE8bZZt1utYWoa62cCx/jn72nzxLG7 zAehrItZg3Jk9vX7Ds5W6vfLOkxmNjrVGyQBQVK8D5CQdicspu+z6gGR Rz3p8Kez5J4QYsmDwb1HyT5dxsvFH4G8I1ptMHt6c+UH84XbdAFWDVEa PpEPm5zbDz8hhDl34nmJAt7loGuJ5fWE4HDmFudXD3n2+8a/RosFyZvH M63uTQ==
;; Received 1170 bytes from 199.7.83.42#53(l.root-servers.net) in 43 ms

com.            900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619363571 1800 900 604800 86400
com.            900 IN  RRSIG   SOA 8 1 900 20210502151251 20210425140251 54714 com. nQPgPFyQO4PgrERge1QkjjplpXpAyPJdE8y5jV1VXXi41cZpQfkzcDTb 6xSsybGovaexSzfV8m9aEeL7baojsrYWqFVfocaL8pMe2Ezjp+OjaQiP fA93ZvnJ3kkjE+abtHhOThZneXYsxHLUgTC8JG11/H4I3w6D6Gj0pRd8 p6DHtUs9Fd4k+5xfpuiRFxxtQM8Q4TZvc/hjidFVtC3SwQ==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A  NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210430042342 20210423031342 54714 com. poBoT+3Fv6vILgKS4kwHwRFFaBMpT1dqP0FhmDhYFMN8bE/F+fkBHHUQ zfGrx/FswlhMG+6tS6DXsB09X1P/CKlE4cvRvgkv5tM66HeQ7GtcvMLQ M7PpwtWv8jBZ2OPMxFrORXLFpYvFI7I9YGS36WL6JsKm7d54i/gdP5ny +EWX1oj4Nfrho4lOT6zQmCCYm9c4vM4T3O3OKKF0/Bcf9w==
1HCL83RC3R55GBBV9M3IA223NK6FOIUG.com. 86400 IN NSEC3 1 1 0 - 1HCLGQG6AEFSU0MRECIMQGFMFS45LSML  NS DS RRSIG
1HCL83RC3R55GBBV9M3IA223NK6FOIUG.com. 86400 IN RRSIG NSEC3 8 2 86400 20210429042839 20210422031839 54714 com. thxq1AK7k2voLzaaz97SX2dnmDurTFjk6zIDgf6oGpKGvTVIQrPbm88y /vMnJQOjoUpoV3rTzCQoiYCJ+wN3xwOHyXkdpVr2CNS4xSPUzcfnKzmx cqeE/x/gIwy18VB4abQ0Rs7EQQZIakoWvVwK2m63yqZ2zc2uH+qDzxZQ ul5P7DqPzy1vrh2Als3RccLj+zAZQOt21jAhS1D4ARBXAw==
3RL2Q58205687C8I9KC9MV46DGHCNS45.com. 86400 IN NSEC3 1 1 0 - 3RL2U7B4F3S5BAQOQ0GAV1UULJB098HP  NS DS RRSIG
3RL2Q58205687C8I9KC9MV46DGHCNS45.com. 86400 IN RRSIG NSEC3 8 2 86400 20210429043013 20210422032013 54714 com. CY/QVw+zdsll1gAk8WWMPb1xTkz0iDehfJmoN7ZriaFuBpZetuInVEP7 qdCZodmE/9VUuHUyWD3/iBRDvMIIzF4bckpu6fWYI8caNMRucS6gMAkV C0Om54P/5gjJpxGAu6ilRjKrDunO4z9s7bfHdxmICmZLg89SER5Nw15m 1rVZG+BBrl6eBXJVLO/oMkPHwKjtJvgentLi7V0iCZAGYQ==
;; Received 1130 bytes from 192.42.93.30#53(g.gtld-servers.net) in 228 ms

dig mydomain.com NS

; <<>> DiG 9.10.6 <<>> mydomain.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34077
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com.          IN  NS

;; AUTHORITY SECTION:
com.            900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619365916 1800 900 604800 86400

;; Query time: 423 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Apr 25 21:22:21 IST 2021
;; MSG SIZE  rcvd: 112

dig @8.8.8.8 mydomain.com ns

; <<>> DiG 9.10.6 <<>> @8.8.8.8 mydomain.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60289
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mydomain.com.          IN  NS

;; AUTHORITY SECTION:
com.            899 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619370481 1800 900 604800 86400

;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 25 22:38:22 IST 2021
;; MSG SIZE  rcvd: 112

dig @ns-1563.awsdns-03.co.uk mydomain.com

; <<>> DiG 9.10.6 <<>> @ns-1563.awsdns-03.co.uk mydomain.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29591
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com.          IN  A

;; AUTHORITY SECTION:
mydomain.com.       900 IN  SOA ns-1563.awsdns-03.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 8 msec
;; SERVER: 205.251.198.27#53(205.251.198.27)
;; WHEN: Sun Apr 25 22:40:28 IST 2021
;; MSG SIZE  rcvd: 123

dig @ns-547.awsdns-04.net mydomain.com

; <<>> DiG 9.10.6 <<>> @ns-547.awsdns-04.net mydomain.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5437
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com.          IN  A

;; AUTHORITY SECTION:
mydomain.com.       900 IN  SOA ns-1563.awsdns-03.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 46 msec
;; SERVER: 205.251.194.35#53(205.251.194.35)
;; WHEN: Sun Apr 25 22:42:22 IST 2021
;; MSG SIZE  rcvd: 123

1 Answer


When you register a new domain, Route 53 automatically creates a hosted zone with the correct NS records. You should be able to open the hosted zone in the console and see 4 NS records pointing at AWS DNS servers. For example,

ns-1502.awsdns-59.org.
ns-1757.awsdns-27.co.uk.
ns-319.awsdns-39.com.
ns-621.awsdns-13.net.

You can try using the dig command against those name servers to look up the newly registered domain. For example:

$ dig @ns-1502.awsdns-59.org mydomain.com ns
...
;; ANSWER SECTION:
mydomain.com.       21599   IN  NS  ns-1502.awsdns-59.org.
mydomain.com.       21599   IN  NS  ns-1757.awsdns-27.co.uk.
mydomain.com.       21599   IN  NS  ns-319.awsdns-39.com.
mydomain.com.       21599   IN  NS  ns-621.awsdns-13.net.

This confirms that AWS DNS is resolving your domain correctly. You should also check a non-AWS DNS server. For example, you can query any public DNS server, such as Google's Public DNS server 8.8.8.8:

$ dig @8.8.8.8 mydomain.com ns
...
;; ANSWER SECTION:
mydomain.com.       21599   IN  NS  ns-1502.awsdns-59.org.
mydomain.com.       21599   IN  NS  ns-1757.awsdns-27.co.uk.
mydomain.com.       21599   IN  NS  ns-319.awsdns-39.com.
mydomain.com.       21599   IN  NS  ns-621.awsdns-13.net.
...

You should also see `status: NOERROR` in the output. If you see `status: NXDOMAIN`, that means the domain really does not exist. In that case you should look at the AWS documentation on registering domains, especially the troubleshooting documentation. Make sure you have clicked the confirmation link that was sent to your email when you registered the domain.

If your domain is registered correctly, you should be able to use DNS validation. Once you have requested a certificate with DNS validation and added the CNAME to the domain, you can check that it exists:

$ dig <your validation record>.mydomain.com
;; ANSWER SECTION:
<your validation record>.mydomain.com. 299 IN CNAME <some random value>.<some random value>.acm-validations.aws.

If you can resolve this using any public name server, the validation record is set up correctly and you just need to wait. When it works it is usually quick, but it can take up to 30 minutes.

That said, I have occasionally seen validation never complete, with the ACM certificate staying in the pending state indefinitely. In that case the only way I have found to resolve it is to delete the certificate, request a new one, and try again. Note that if you try again, the Route 53 validation CNAME record they ask you to create will always be the same.

Answered 2021-04-25T15:36:27.077
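To make the checks in the answer above repeatable, here is an added example in Python; it is not part of the question or the answer. It parses `dig` output and tells apart the situation shown in the question (the Route 53 name server answers authoritatively, but a public resolver gets NXDOMAIN with the `com.` SOA, so the registry holds no delegation) from the case where the validation CNAME simply is not visible yet. The two captured outputs are copied from the question's transcripts; the validation CNAME sample and the `_example` labels are constructed placeholders, and the live mode assumes `dig` is on PATH with network access.

```python
"""Parse `dig` output and diagnose a stuck ACM DNS validation.
Added example, not code from the original post. `dig` on PATH is assumed
only for live mode; the helpers run offline on the captured outputs below."""
import re
import subprocess
import sys
from dataclasses import dataclass, field

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# From the question: the public resolver returns NXDOMAIN, and the SOA in
# AUTHORITY belongs to com., so the registry holds no delegation for the zone.
PUBLIC_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60289
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
com.            899 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619370481 1800 900 604800 86400
"""
# From the question: the Route 53 name server answers authoritatively (aa flag).
AUTH_SOA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29591
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
mydomain.com.       900 IN  SOA ns-1563.awsdns-03.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
"""
# Constructed: a healthy validation lookup (placeholder labels, not real values).
VALIDATION_CNAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_example.mydomain.com. 299 IN CNAME _example.acm-validations.aws.
"""

@dataclass
class DigResult:
    status: str = "TIMEOUT"                        # rcode, or TIMEOUT if no reply
    flags: set = field(default_factory=set)
    answer: list = field(default_factory=list)     # (owner, type, rdata) tuples
    authority: list = field(default_factory=list)

def parse_dig(text: str) -> DigResult:
    """Pull rcode, header flags and the ANSWER/AUTHORITY RRs out of dig output."""
    res = DigResult()
    if "connection timed out" in text:
        return res
    if m := STATUS_RE.search(text):
        res.status = m.group(1)
    if m := FLAGS_RE.search(text):
        res.flags = set(m.group(1).split())
    section = None
    for line in text.splitlines():
        if not line.strip():
            section = None              # a blank line ends the current section
        elif line.startswith(";; ANSWER SECTION"):
            section = res.answer
        elif line.startswith(";; AUTHORITY SECTION"):
            section = res.authority
        elif not line.startswith(";") and section is not None:
            if m := RR_RE.match(line):
                section.append((m.group(1), m.group(3), m.group(4)))
    return res

def diagnose(domain: str, via_aws_ns: DigResult, via_public: DigResult) -> str:
    """Separate 'hosted zone is fine' from 'registry has no delegation'."""
    zone = domain.rstrip(".") + "."
    rrs = via_aws_ns.answer + via_aws_ns.authority
    if not (via_aws_ns.status == "NOERROR" and "aa" in via_aws_ns.flags
            and any(n == zone and t == "SOA" for n, t, _ in rrs)):
        return "hosted zone is not served by that name server; check the zone's NS set"
    if via_public.status == "NXDOMAIN":
        parent = next((n for n, t, _ in via_public.authority if t == "SOA"), "the parent")
        return f"no delegation: {parent} has no NS records for {zone}; fix the registration, not the CNAME"
    if via_public.status != "NOERROR":
        return f"public resolver returned {via_public.status}; retry from another network"
    return "delegation is visible publicly; now check the validation CNAME"

def validation_cname_present(res: DigResult) -> bool:
    """True when the answer carries a CNAME into ACM's validation zone."""
    return res.status == "NOERROR" and any(
        t == "CNAME" and rd.rstrip(".").endswith(".acm-validations.aws") for _, t, rd in res.answer)

def run_dig(name: str, rtype: str, server: str = "") -> DigResult:
    """Live lookup (needs network): dig [@server] name rtype, parsed."""
    cmd = ["dig"] + ([f"@{server}"] if server else []) + [name, rtype]
    return parse_dig(subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout)

if __name__ == "__main__":
    if len(sys.argv) == 4:  # live: <domain> <one Route 53 NS> <validation record name>
        domain, aws_ns, record = sys.argv[1:]
        print(diagnose(domain, run_dig(domain, "SOA", aws_ns), run_dig(domain, "NS", "8.8.8.8")))
        print("validation CNAME visible:", validation_cname_present(run_dig(record, "CNAME", "8.8.8.8")))
    else:                   # offline demo on the captured outputs above
        print(diagnose("mydomain.com", parse_dig(AUTH_SOA), parse_dig(PUBLIC_NXDOMAIN)))
        print("validation CNAME visible:", validation_cname_present(parse_dig(VALIDATION_CNAME)))
```

Run it with no arguments to see the diagnosis for the question's transcripts; run it as `python acm_dns_check.py mydomain.com ns-1563.awsdns-03.co.uk _yourrecord.mydomain.com` to repeat the answer's checks live. The key design point is the order of the tests: an authoritative SOA from the Route 53 server proves the hosted zone exists, and only then does an NXDOMAIN from a public resolver (with the parent's SOA in AUTHORITY) mean the registry delegation is missing, which no amount of waiting on the validation CNAME will fix.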