Custom dns creation error: Unexpected key 'securityPolicy' found in params #245

Dathin opened this issue Aug 13, 2019 · 20 comments
@Dathin

Dathin commented Aug 13, 2019

Can't execute custom DNS creation; it seems like it doesn't recognize the certificate. But I don't know.

sls create_domain

Serverless: Invoke create_domain
Serverless: [AWS apigateway 404 0.847s 0 retries] getDomainName({ domainName: 'aaasada.xxxxxxxxx.com' })
Serverless Domain Manager: NotFoundException: Invalid domain name identifier specified
Serverless: [AWS acm 200 1.186s 0 retries] listCertificates({ CertificateStatuses: [ 'PENDING_VALIDATION', 'ISSUED', 'INACTIVE', [length]: 3 ] })
Serverless: [AWS apigateway undefined 0.022s 0 retries] createDomainName({ certificateArn: undefined,
  domainName: 'aaasada.xxxxxxxxx.com',
  endpointConfiguration: { types: [ 'REGIONAL', [length]: 1 ] },
  regionalCertificateArn: 'arn:aws:acm:us-east-1:580479692653:certificate/d1774f8e-dab5-42ff-b16f-41c0e3de1c7a',
  securityPolicy: 'TLS_1_2' })
Serverless Domain Manager: UnexpectedParameter: Unexpected key 'securityPolicy' found in params
 
  Error --------------------------------------------------
 
  Error: Failed to create custom domain aaasada.xxxxxxxxxxxxx.com

 
     For debugging logs, run again after setting the "SLS_DEBUG=*" environment variable.
 
  Stack Trace --------------------------------------------
 
Error: Error: Failed to create custom domain aaasada.xxxxxxxxxxxxx.com

    at ServerlessCustomDomain.<anonymous> (/home/dathin/code/python/ambiente+pool/ambiente/node_modules/serverless-domain-manager/dist/index.js:332:23)
    at Generator.throw (<anonymous>)
    at rejected (/home/dathin/code/python/ambiente+pool/ambiente/node_modules/serverless-domain-manager/dist/index.js:5:65)
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:229:7)
From previous event:
    at PluginManager.invoke (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:446:22)
    at PluginManager.run (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:477:17)
    at variables.populateService.then (/usr/lib/node_modules/serverless/lib/Serverless.js:110:33)
    at runCallback (timers.js:810:20)
    at tryOnImmediate (timers.js:768:5)
    at processImmediate [as _immediateCallback] (timers.js:745:5)
From previous event:
    at Serverless.run (/usr/lib/node_modules/serverless/lib/Serverless.js:97:6)
    at serverless.init.then (/usr/lib/node_modules/serverless/bin/serverless:43:28)
    at /usr/lib/node_modules/serverless/node_modules/graceful-fs/graceful-fs.js:111:16
    at /usr/lib/node_modules/serverless/node_modules/graceful-fs/graceful-fs.js:45:10
    at FSReqWrap.oncomplete (fs.js:135:15)
From previous event:
    at initializeErrorReporter.then (/usr/lib/node_modules/serverless/bin/serverless:43:6)
    at runCallback (timers.js:810:20)
    at tryOnImmediate (timers.js:768:5)
    at processImmediate [as _immediateCallback] (timers.js:745:5)
From previous event:
    at /usr/lib/node_modules/serverless/bin/serverless:28:46
    at Object.<anonymous> (/usr/lib/node_modules/serverless/bin/serverless:65:4)
    at Module._compile (module.js:653:30)
    at Object.Module._extensions..js (module.js:664:10)
    at Module.load (module.js:566:32)
    at tryModuleLoad (module.js:506:12)
    at Function.Module._load (module.js:498:3)
    at Function.Module.runMain (module.js:694:10)
    at startup (bootstrap_node.js:204:16)
    at bootstrap_node.js:625:3
 
  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com
 
  Your Environment Information ---------------------------
     OS:                     linux
     Node Version:           8.16.0
     Serverless Version:     1.44.1

service: test-1234

provider:
  name: aws
  runtime: python3.6
  stage: dev
  region: us-east-1

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
  goodbye:
    handler: handler.goodbye
    events:
      - http:
          path: goodbye
          method: get

plugins:
  - serverless-domain-manager

custom:
  customDomain:
    domainName: aaasada.xxxxxxxxx.com
    stage: ci
    basePath: api
    certificateName: '*.xxxxxxxxx.com'
    createRoute53Record: true
    endpointType: 'regional'
    securityPolicy: tls_1_2

Versions

  • Domain Manager version(s): "^3.3.0"
  • Node/npm version: 8.16.0
  • Serverless Version: 1.44.1
  • Lambda Code python3.6

Already tried to remove securityPolicy.

@Dathin Dathin added the bug label Aug 13, 2019
@shierro

shierro commented Aug 13, 2019

@Dathin any new info here? My set-up was working with version 2.6.13, and after upgrading to 3.3.0 it doesn't work, with the same error.

@shierro

shierro commented Aug 13, 2019

Rolling back to version 3.2.7 did the job for me. There's something to fix in between.

@Dathin
Author

Dathin commented Aug 13, 2019

Unfortunately there is no news, I'm waiting for the amplify team. I guess you could just use version 2.6.13 if it works for you. Just edit your package:

  "devDependencies": {
    "serverless-domain-manager": "2.6.13"
  }

@Dathin
Author

Dathin commented Aug 13, 2019

> rolling back to version 3.2.7 did the job for me. there's something to fix in between

I'll try

@captainsidd
Contributor

Hey guys - this is related to #240 that was merged yesterday. I'm not sure why you're experiencing issues as securityPolicy is a valid parameter according to the AWS docs. Does using TLS 1.0 fix the issue?

@Dathin
Author

Dathin commented Aug 13, 2019

I'm not sure if that's the problem, the message doesn't make sense. In create domain it sets securityPolicy, but certificateArn is undefined.

Serverless: [AWS acm 200 1.186s 0 retries] listCertificates({ CertificateStatuses: [ 'PENDING_VALIDATION', 'ISSUED', 'INACTIVE', [length]: 3 ] })
Serverless: [AWS apigateway undefined 0.022s 0 retries] createDomainName({ certificateArn: undefined,
  domainName: 'aaasada.xxxxxxxxx.com',
  endpointConfiguration: { types: [ 'REGIONAL', [length]: 1 ] },
  regionalCertificateArn: 'arn:aws:acm:us-east-1:580479692653:certificate/d1774f8e-dab5-42ff-b16f-41c0e3de1c7a',
  securityPolicy: 'TLS_1_2' })

@Dathin
Author

Dathin commented Aug 14, 2019

It works on version 2.6.13; the success logs are:

Serverless: Load command config
Serverless: Load command config:credentials
Serverless: Load command create
Serverless: Load command install
Serverless: Load command package
Serverless: Load command deploy
Serverless: Load command deploy:function
Serverless: Load command deploy:list
Serverless: Load command deploy:list:functions
Serverless: Load command invoke
Serverless: Load command invoke:local
Serverless: Load command info
Serverless: Load command logs
Serverless: Load command metrics
Serverless: Load command print
Serverless: Load command remove
Serverless: Load command rollback
Serverless: Load command rollback:function
Serverless: Load command slstats
Serverless: Load command plugin
Serverless: Load command plugin
Serverless: Load command plugin:install
Serverless: Load command plugin
Serverless: Load command plugin:uninstall
Serverless: Load command plugin
Serverless: Load command plugin:list
Serverless: Load command plugin
Serverless: Load command plugin:search
Serverless: Load command config
Serverless: Load command config:credentials
Serverless: Load command rollback
Serverless: Load command rollback:function
Serverless: Load command create_domain
Serverless: Load command delete_domain
Serverless Enterprise: Warning: The Enterprise Plugin requires a "tenant", "app" property in your "serverless.yml" and will not work without it.
Serverless: [AWS ssm 200 0.96s 0 retries] getParameter({ Name: 'pedro-teste-dev', WithDecryption: false })
Serverless: Invoke create_domain
Serverless: [AWS acm 200 0.855s 0 retries] listCertificates({ CertificateStatuses: [ 'PENDING_VALIDATION', 'ISSUED', 'INACTIVE', [length]: 3 ] })
Serverless: [AWS apigateway 404 0.943s 0 retries] getDomainName({ domainName: 'aaasada.xxxxxxxxx.com' })
Serverless: [AWS apigateway 201 11.468s 0 retries] createDomainName({ domainName: 'aaasada.xxxxxxxxx.com',
  endpointConfiguration: { types: [ 'REGIONAL', [length]: 1 ] },
  regionalCertificateArn: 'arn:aws:acm:us-east-1:580479692653:certificate/d1774f8e-dab5-42ff-b16f-41c0e3de1c7a' })
Serverless: [AWS route53 200 1.08s 0 retries] listHostedZones({})
Serverless: [AWS route53 400 1.167s 0 retries] changeResourceRecordSets({ ChangeBatch: 
   { Changes: 
      [ { Action: 'DELETE',
          ResourceRecordSet: 
           { Name: 'aaasada.xxxxxxxxx.com',
             ResourceRecords: 
              [ { Value: 'd-tnzylrnhka.execute-api.us-east-1.amazonaws.com' },
                [length]: 1 ],
             TTL: 60,
             Type: 'CNAME' } },
        { Action: 'CREATE',
          ResourceRecordSet: 
           { Name: 'aaasada.xxxxxxxxx.com',
             Type: 'A',
             AliasTarget: 
              { DNSName: 'd-tnzylrnhka.execute-api.us-east-1.amazonaws.com',
                EvaluateTargetHealth: false,
                HostedZoneId: 'Z1UJRXOUMOOFQ8' } } },
        [length]: 2 ],
     Comment: 'Record created by serverless-domain-manager' },
  HostedZoneId: 'Z1AHE6AGA2A1D1' })
Serverless: [AWS route53 200 0.818s 0 retries] listHostedZones({})
Serverless: [AWS route53 200 0.822s 0 retries] changeResourceRecordSets({ ChangeBatch: 
   { Changes: 
      [ { Action: 'UPSERT',
          ResourceRecordSet: 
           { Name: 'aaasada.xxxxxxxxx.com',
             Type: 'A',
             AliasTarget: 
              { DNSName: 'd-tnzylrnhka.execute-api.us-east-1.amazonaws.com',
                EvaluateTargetHealth: false,
                HostedZoneId: 'Z1UJRXOUMOOFQ8' } } },
        [length]: 1 ],
     Comment: 'Record created by serverless-domain-manager' },
  HostedZoneId: 'Z1AHE6AGA2A1D1' })
Serverless: 'aaasada.xxxxxxxxx.com' was created/updated. New domains may take up to 40 minutes to be initialized.

@unagisan

Ran into the same issue with 3.3.0, rolling back to 3.2.7 resolved the issue for me.

@Jordan-Eckowitz

> Ran into the same issue with 3.3.0, rolling back to 3.2.7 resolved the issue for me.

Rolling back allowed me to deploy but it's setting the TLS to 1.0 instead of 1.2 (I explicitly specified 1.2).

@Jordan-Eckowitz

Can we get an update on this issue? Neither v3.2.7 nor v3.3.0 is working for me.

@maestr0

maestr0 commented Sep 2, 2019

It's working for me after I downgraded from 3.3.0 to 3.2.7.
TLS 1.0 👎 but it looks like it can be manually updated to 1.2

sls -v 
1.27.2

"serverless-domain-manager": "3.2.7"

  customDomain:
    domainName: ${self:custom.domains.${self:custom.stage}}
    basePath: '/'
    stage: ${self:provider.stage}
    createRoute53Record: true

Serverless: Load command run
Serverless: Load command config
Serverless: Load command config:credentials
Serverless: Load command create
Serverless: Load command install
Serverless: Load command package
Serverless: Load command deploy
Serverless: Load command deploy:function
Serverless: Load command deploy:list
Serverless: Load command deploy:list:functions
Serverless: Load command invoke
Serverless: Load command invoke:local
Serverless: Load command info
Serverless: Load command logs
Serverless: Load command login
Serverless: Load command logout
Serverless: Load command metrics
Serverless: Load command print
Serverless: Load command remove
Serverless: Load command rollback
Serverless: Load command rollback:function
Serverless: Load command slstats
Serverless: Load command plugin
Serverless: Load command plugin
Serverless: Load command plugin:install
Serverless: Load command plugin
Serverless: Load command plugin:uninstall
Serverless: Load command plugin
Serverless: Load command plugin:list
Serverless: Load command plugin
Serverless: Load command plugin:search
Serverless: Load command emit
Serverless: Load command config
Serverless: Load command config:credentials
Serverless: Load command rollback
Serverless: Load command rollback:function
Serverless: Load command webpack
Serverless: Load command offline
Serverless: Load command offline:start
Serverless: Load command create_domain
Serverless: Load command delete_domain
Serverless: Invoke create_domain
Serverless: NotFoundException: Invalid domain name identifier specified
Serverless: Custom domain dev-api.tradersrank.com was created.
            New domains may take up to 40 minutes to be initialized.

@captainsidd
Contributor

> I'm not sure if that's the problem, the message doesn't make sense. In create domain it set securityPolicy, but certificateArn is undefined
>
> Serverless: [AWS acm 200 1.186s 0 retries] listCertificates({ CertificateStatuses: [ 'PENDING_VALIDATION', 'ISSUED', 'INACTIVE', [length]: 3 ] })
> Serverless: [AWS apigateway undefined 0.022s 0 retries] createDomainName({ certificateArn: undefined,
>   domainName: 'aaasada.xxxxxxxxx.com',
>   endpointConfiguration: { types: [ 'REGIONAL', [length]: 1 ] },
>   regionalCertificateArn: 'arn:aws:acm:us-east-1:580479692653:certificate/d1774f8e-dab5-42ff-b16f-41c0e3de1c7a',
>   securityPolicy: 'TLS_1_2' })

Hi @Dathin, certificateArn is expected to be blank, as regionalCertificateArn has a populated value. Current behavior is that only 1 of those parameters needs to be set.

@captainsidd
Contributor

Hi everyone - we're not able to reproduce this issue on our end - setting the securityPolicy to either TLS 1.2 or TLS 1.0 works with version 3.3.0. Setting securityPolicy with 3.2.7 isn't going to have much effect, as handling securityPolicy configs was only added in 3.3.0.

Is there anything else in your environments that could cause this to not work? Maybe something about the way your certs are setup?

@Jordan-Eckowitz

Here are my customDomain config settings. I've added a custom attribute called domain that I use to determine whether to deploy the dev or prod API.

custom:
  domain:
    dev: XXX-dev-api.YYY.com
    prod: XXX-api.YYY.com
  customDomain:
    domainName: '${self:custom.domain.${opt:stage, "dev"}}'
    stage: '${opt:stage, "dev"}'
    basePath: ''
    certificateName: '*.YYY.com'
    createRoute53Record: true
    endpointType: edge
    securityPolicy: tls_1_2

@maestr0

maestr0 commented Sep 5, 2019

@Jordan-Eckowitz

not related to the issue, but the base path needs to be /
the mapping wasn't working for me when I left it as an empty string

serverless 1.27.2
serverless-domain-manager 3.2.7
 basePath: '/'

@reverent911

I also had to downgrade to 3.2.7 to make it work; my endpoint type was regional, region eu-west-1.

@yashutanna

Hey guys - I'm still pretty stuck on this. I've configured a cert in us-east-1 as the default EDGE type is the only way I got to this point.

The lambda function itself will be deployed to eu-west-1. Not sure if that would be an issue - but I would imagine not since the cert is purely for the CloudFront distribution.

Any updates or workarounds will be highly appreciated.

Note: the above solutions of downgrading to 3.2.7 did not help, unfortunately.

@yashutanna

So it seems I had a globally installed version of sls (1.36.3) that was being used when I ran the sls create_domain command.

When using npx sls create_domain I was able to move forward. I'm going to update my globally installed version and see if I can prove this.

@arqex

arqex commented Nov 9, 2019

I think this issue is related to the serverless version installed in my computer, not with the serverless-domain-manager plugin.

npm update -g serverless fixed the issue for me.

@Dathin
Author

Dathin commented Nov 11, 2019

It's working on the latest version of serverless... I'm closing this issue....

@Dathin Dathin closed this as completed Nov 11, 2019
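
An added example, not part of the thread or the plugin's code: a small Node.js audit of `SLS_DEBUG=*` output in the format posted above. It flags createDomainName calls logged with no HTTP status (the `undefined` case from the original report) and domains created without `securityPolicy: 'TLS_1_2'`, which commenters report end up on TLS 1.0. The function name, verdict labels and sample log (placeholder domain and ARN) are assumptions made for illustration.

```javascript
// Added example, not from the thread: audit `SLS_DEBUG=*` output for
// createDomainName calls and the TLS policy each one requested.
const CALL = /^Serverless: \[AWS apigateway (\S+) [\d.]+s \d+ retries\] createDomainName\(/;

function auditCreateDomainCalls(logText) {
  const lines = logText.split('\n');
  const findings = [];
  for (let i = 0; i < lines.length; i++) {
    const m = CALL.exec(lines[i]);
    if (!m) continue;
    // Params are pretty-printed over several lines; join up to the closing "})".
    let call = lines[i];
    while (!/\}\)\s*$/.test(call) && i + 1 < lines.length) call += '\n' + lines[++i];
    const field = (name) => (new RegExp(name + ": '([^']+)'").exec(call) || [])[1] || null;
    const status = m[1];
    const policy = field('securityPolicy');
    let verdict;
    if (status === 'undefined') verdict = 'rejected-before-send'; // no HTTP status logged
    else if (!/^2\d\d$/.test(status)) verdict = 'api-error';
    else if (policy === 'TLS_1_2') verdict = 'ok';
    else verdict = 'created-without-tls-1.2'; // verify the live domain's policy
    findings.push({ domain: field('domainName'), status, policy, verdict });
  }
  return findings;
}

// Constructed sample in the format of the logs above (placeholder domain and ARN).
const SAMPLE_LOG = [
  "Serverless: [AWS apigateway undefined 0.022s 0 retries] createDomainName({ certificateArn: undefined,",
  "  domainName: 'api.example.com',",
  "  endpointConfiguration: { types: [ 'REGIONAL', [length]: 1 ] },",
  "  regionalCertificateArn: 'arn:aws:acm:us-east-1:000000000000:certificate/EXAMPLE',",
  "  securityPolicy: 'TLS_1_2' })",
  "Serverless Domain Manager: UnexpectedParameter: Unexpected key 'securityPolicy' found in params",
  "Serverless: [AWS apigateway 201 11.468s 0 retries] createDomainName({ domainName: 'api.example.com',",
  "  endpointConfiguration: { types: [ 'REGIONAL', [length]: 1 ] },",
  "  regionalCertificateArn: 'arn:aws:acm:us-east-1:000000000000:certificate/EXAMPLE' })",
].join('\n');

for (const f of auditCreateDomainCalls(SAMPLE_LOG)) {
  console.log(`${f.domain}: status=${f.status} policy=${f.policy} -> ${f.verdict}`);
}
```

A `created-without-tls-1.2` verdict only says what the call requested; the policy actually in force has to be read back from the API Gateway domain itself.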