Bug Re-deploying AWS TLS Certificate
Can’t redeploy a TLS certificate on AWS
I wrote this post to automate validation of an AWS Certificate.
Later, I was running the script again and inadvertently ran the AWS CloudFormation template again and ended up in the waiting state I wrote about.
No problem, I’ll just run my validation script again.
Only it did not work. I added this note to the post as I don’t know if this is because I’m redeploying the cert again or this is an AWS Bug.
~~~
NOTE: I tried to run this script again for the same certificate and there appears to be a bug in the AWS output. Instead of getting the expected CNAME information I get this:

If you get this, report it to AWS because it is a bug. You should get back the content for your CNAME.
It appears that I may need to completely delete and redeploy the certificate, but I’m going to let it sit overnight and hope it works in the a.m.
~~~
So thinking about this a bit more, I wonder if the CNAME stays consistent if you redeploy the certificate. Meaning that if you update the certificate you can use the same CNAME over and over again. Hmm.
But when I tried to redeploy the DNS records, the TLS stack update doesn’t have the required CNAME. So perhaps I can dig back further and get the old CNAME from the stack events — but only if the stack is less than 90 days old. After that the stack events will be deleted, which is a problem if a cert gets deleted and I’m using this method.
I would say that rather than reporting that the DNS record is null, AWS should continue to report the CNAME and value when a cert is updated. For now, I’m going to dig back into prior events to try to find the CNAME.
--- the fix ---
So first of all I had to get my CNAME stack out of a rollback state by deleting it.
aws cloudformation delete-stack --stack-name [stackname]

Then I had to remove the max-items I was searching for, because now the CNAME value may be way, way back in my CloudFormation events depending on how many times I redeployed the TLS Certificate.
Next, I needed to search for a different value. So I grep for “value”, which is in the ResourceStatusReason with the CNAME string.
I successfully get the CNAME name and value out of the TLS stack now. Yay.
However, my deployment still fails.
[Tried to create resource record set [name=’_0d416a0c2c8b704e3e6866edc148b016.dev.rainierrhododendrons.com.’, type=’CNAME’] but it already exists]
So apparently deleting the CloudFormation stack does not delete the CNAME which is kind of annoying. But I realize that deleting DNS records can really mess things up. The question is, in that case, isn’t the CNAME record accurate?
Yes, it is. So I can go into the DNS records and delete the CNAME or forget CloudFormation and leave it. But what if I want to use CloudFormation drift detection? I’m toast.
So in order to resolve this now I have to go delete the CNAME in the DNS records and redeploy the CloudFormation stack. So I had to write another function for that:

Except that ^ didn’t work so I have a whole other post on getting that to a working state.
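Putting the two steps described above together, the search back through stack events for the CNAME and the manual removal of the record a stack delete leaves behind, as an added example that is not the author's script. It assumes the ACM event text format, the Route 53 change batch format and a known record TTL, all noted in the comments.

```bash
#!/usr/bin/env bash
# Added example (not the author's script). Recovers the ACM validation CNAME from
# CloudFormation stack events and builds the Route 53 change batch needed to remove
# the record by hand when deleting the stack leaves it behind.
# Assumptions: ACM reports the record in a ResourceStatusReason shaped like
#   "Content of DNS Record is: {Name: _x.example.com.,Type: CNAME,Value: _y.acm-validations.aws.}"
# and the record's TTL is known: a Route 53 DELETE must match name, type, TTL and value exactly.

# All events for the stack as JSON. No --max-items: after several redeploys the
# CNAME event can sit far back in the history (and events past 90 days are gone).
fetch_stack_events() {
  aws cloudformation describe-stack-events --stack-name "$1" --output json
}

# Pull the most recent validation record out of describe-stack-events output.
# Prints "name value"; returns 1 when no event carries a Name/Value pair, which
# is the redeploy failure mode described in the post.
extract_validation_cname() {
  local events="$1" name value
  name=$(printf '%s' "$events" | grep -o 'Name: *[^,}]*' | head -n 1 | sed 's/^Name: *//')
  value=$(printf '%s' "$events" | grep -o 'Value: *[^,}]*' | head -n 1 | sed 's/^Value: *//')
  [ -n "$name" ] && [ -n "$value" ] || return 1
  printf '%s %s\n' "$name" "$value"
}

# Change batch for `aws route53 change-resource-record-sets`. Args: name value ttl.
route53_delete_batch() {
  printf '{"Changes":[{"Action":"DELETE","ResourceRecordSet":{"Name":"%s",' "$1"
  printf '"Type":"CNAME","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' "$3" "$2"
}

# Usage: recover_and_delete <tls-stack-name> <hosted-zone-id> <ttl>
recover_and_delete() {
  local pair name value
  pair=$(extract_validation_cname "$(fetch_stack_events "$1")") || {
    echo "no validation CNAME in events for $1; look at older events or redeploy" >&2
    return 1
  }
  name=${pair%% *}; value=${pair#* }
  aws route53 change-resource-record-sets --hosted-zone-id "$2" \
    --change-batch "$(route53_delete_batch "$name" "$value" "$3")"
}

# Constructed sample of describe-stack-events output (not real data) for an offline check.
SAMPLE_EVENTS='{"StackEvents":[{"StackName":"tls","ResourceStatusReason":"Content of DNS Record is: {Name: _0d41.dev.example.com.,Type: CNAME,Value: _abcd.acm-validations.aws.}"},{"StackName":"tls","ResourceStatusReason":"Resource creation Initiated"}]}'
extract_validation_cname "$SAMPLE_EVENTS"   # _0d41.dev.example.com. _abcd.acm-validations.aws.
```

Run `recover_and_delete <tls-stack-name> <hosted-zone-id> <ttl>` with AWS credentials loaded; the TTL must equal the one the stack's record set used or Route 53 rejects the DELETE.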
Maybe the CloudFormation team is afraid of deleting the DNS records but that’s kind of the point of the delete function of CloudFormation. And customers need to take action to protect stacks as appropriate.
I am marking that delete functionality a bug as well as the fact that you don’t get the CNAME values again on an update and have to search back through event history — which is potentially deleted if the stack is over 90 days old.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
