certificatemanager: Conditions in `domainName` are being rejected because their string representation is > 64 characters

[Mahoney]

Describe the bug

When depending on software.amazon.awscdk:aws-cdk-lib:2.233.0 & software.amazon.awscdk:cdk-asset-awscli-v1:2.2.242 it was possible to pass an ICfnRuleConditionExpression via String concatenation to software.amazon.awscdk.services.certificatemanager.Certificate.Builder.domainName. With software.amazon.awscdk:aws-cdk-lib:2.234.0 & software.amazon.awscdk:cdk-asset-awscli-v1:2.2.258 it fails.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

2.233.0

Expected Behavior

Emits (abridged):

{
  "Parameters": {
    "subdomain": {
      "Type": "String",
      "Description": "The subdomain of the environment (e.g. 'dev', 'qa'). Leave empty/blank for no subdomain (i.e. our live environment)."
    }
  },
  "Conditions": {
    "hasSubdomain": {
      "Fn::Not": [
        { "Fn::Equals": [{ "Ref": "subdomain" }, "" ] }
      ]
    }
  },
  "Resources": {
    "somecertDFD6D962": {
      "Type": "AWS::CertificateManager::Certificate",
      "Properties": {
        "DomainName": {
          "Fn::Join": [ "", [ "*.", { "Fn::If": [ "hasSubdomain", { "Fn::Join": [ "", [ { "Ref": "subdomain" }, "myapp.cloud" ] ] }, "myapp.cloud" ] } ] ]
        },
        "DomainValidationOptions": [
          {
            "DomainName": {
              "Fn::Join": [ "", [ "*.", { "Fn::If": [ "hasSubdomain", { "Fn::Join": [ "", [ { "Ref": "subdomain" }, "myapp.cloud" ] ] }, "myapp.cloud" ] } ] ]
            },
            "HostedZoneId": "zoneid"
          }
        ],
        "ValidationMethod": "DNS"
      }
    }
  }
}

Current Behavior

Fails with this exception:

Exception in thread "main" software.amazon.jsii.JsiiError: Domain name must be 64 characters or less
ValidationError: Domain name must be 64 characters or less
    at path [SimpleStack/somecert] in aws-cdk-lib.aws_certificatemanager.Certificate

    at Kernel._Kernel_create (/private/var/folders/7w/gfcq0bbx36qbtjxcjy3f5xwh0000gn/T/jsii-java-runtime2234619871521687440/lib/program.js:549:25)
    at Kernel.create (/private/var/folders/7w/gfcq0bbx36qbtjxcjy3f5xwh0000gn/T/jsii-java-runtime2234619871521687440/lib/program.js:219:93)
    at KernelHost.processRequest (/private/var/folders/7w/gfcq0bbx36qbtjxcjy3f5xwh0000gn/T/jsii-java-runtime2234619871521687440/lib/program.js:15482:36)
    at KernelHost.run (/private/var/folders/7w/gfcq0bbx36qbtjxcjy3f5xwh0000gn/T/jsii-java-runtime2234619871521687440/lib/program.js:15442:22)
    at Immediate._onImmediate (/private/var/folders/7w/gfcq0bbx36qbtjxcjy3f5xwh0000gn/T/jsii-java-runtime2234619871521687440/lib/program.js:15443:45)
    at process.processImmediate (node:internal/timers:505:21)
	at software.amazon.jsii.JsiiRuntime.processErrorResponse(JsiiRuntime.java:150)
	at software.amazon.jsii.JsiiRuntime.requestResponse(JsiiRuntime.java:116)
	at software.amazon.jsii.JsiiClient.createObject(JsiiClient.java:89)
	at software.amazon.jsii.JsiiEngine.createNewObject(JsiiEngine.java:614)
	at software.amazon.awscdk.services.certificatemanager.Certificate.<init>(Certificate.java:50)
	at software.amazon.awscdk.services.certificatemanager.Certificate$Builder.build(Certificate.java:263)
	at foo.SimpleStack.<init>(CertificateProblem.java:68)
	at foo.CertificateProblem.main(CertificateProblem.java:23)

Reproduction Steps

Create this App & Stack combo and run the main method:

import software.amazon.awscdk.*;
import software.amazon.awscdk.services.certificatemanager.Certificate;
import software.amazon.awscdk.services.route53.IPublicHostedZone;
import software.amazon.awscdk.services.route53.PublicHostedZone;
import software.amazon.awscdk.services.route53.PublicHostedZoneAttributes;
import software.constructs.Construct;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.nio.file.Path;

import static software.amazon.awscdk.Fn.*;
import static software.amazon.awscdk.services.certificatemanager.CertificateValidation.fromDns;

public class CertificateProblem {

    public static void main(String[] args) throws FileNotFoundException {
        App app = new App();

        new SimpleStack(app, "SimpleStack", StackProps.builder().build());

        app.synth();

        File file = Path.of(app.getOutdir(), "SimpleStack.template.json").toFile();
        System.out.println(file.getAbsoluteFile());
        new BufferedReader(new FileReader(file)).lines().forEach(System.out::println);
    }
}

class SimpleStack extends Stack {

    public SimpleStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        String myappDomain = "myapp.cloud";

        String subdomain = CfnParameter.Builder.create(this, "subdomain")
                .type("String")
                .description(
                        "The subdomain of the environment (e.g. 'dev', 'qa'). Leave empty/blank for no " +
                                "subdomain (i.e. our live environment)."
                        )
                .build()
                .getValueAsString();

        CfnCondition hasSubdomain = CfnCondition.Builder.create(this, "hasSubdomain")
                .expression(conditionNot(conditionEquals(subdomain, "")))
                .build();

        ICfnRuleConditionExpression qualifiedDomain =
                conditionIf(hasSubdomain.getLogicalId(), subdomain + myappDomain, myappDomain);

        IPublicHostedZone zone = PublicHostedZone.fromPublicHostedZoneAttributes(
                this,
                "myappDomain",
                PublicHostedZoneAttributes.builder()
                        .hostedZoneId("zoneid")
                        .zoneName("myappDomain")
                        .build()
                );

        Certificate.Builder.create(this, "somecert")
                .domainName("*." + qualifiedDomain)
                .validation(fromDns(zone))
                .build();
    }
}

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.234.0

AWS CDK CLI version

2.1100.1 (but really irrelevant)

Node.js Version

24.11.0 (but really irrelevant)

OS

macOs 26.2

Language

Java

Language Version

25

Other information

No response

[Mahoney]

It looks as if the change is that ICfnRuleConditionExpression's toString() used to emit ${Token[TOKEN.12]}, so the string passed to Certificate.Builder.domainName was *.${Token[TOKEN.12]}.

Now ICfnRuleConditionExpression's toString() emits software.amazon.awscdk.ICfnRuleConditionExpression$Jsii$Proxy@c03cf28 which is less useful.

[spider-yamet]

@Mahoney May I pick up this issue?

Regards

[pahud]

Yes this seems a regression. Will post more analysis details shortly. I am trying to reproduce it in Java.

[pahud]

Hi @Mahoney

While I am still reproducing this in Java but my analysis indicates this is a regression caused by PR #35032

This PR introduced a new set of "reference interfaces" (IBucketRef, IInstanceRef, etc.) that allow L1 and L2 resources to interoperate. The change modified how interfaces are exposed through JSII bindings.

The breaking change was then propagated through a series of "reference interfaces" PRs merged between v2.233.0 and v2.234.0:

• PR chore(backup): reference interfaces #36415: chore(backup): reference interfaces - merged 2026-01-06
• PR chore(batch): reference interfaces #36522: chore(batch): reference interfaces - merged 2026-01-07
• And 20+ other similar PRs for various modules

These PRs changed how interfaces are exposed to JSII bindings, which affected the toString() behavior for ICfnRuleConditionExpression in Java.

The issue is that in Java (via JSII), when ICfnRuleConditionExpression is concatenated with a string using +, Java calls the object's toString() method.

In v2.233.0, this correctly returned a token string like ${Token[TOKEN.12]}.

In v2.234.0, it appears the JSII proxy object's toString() is being called instead of the underlying Intrinsic.toString(), returning the Java default object representation.

This is likely a JSII binding issue where the toString() method is not being properly proxied to the JavaScript implementation.

I am bringing this up to the team for review and will get back here if I am able to reproduce in Java.

[pahud]

Issue #36832 Reproduction Summary

Successfully reproduced the issue in Java. Here's what we found:

The Problem

When using ICfnRuleConditionExpression (from Fn.conditionIf()) with string concatenation in Java, the toString() method behaves differently between CDK versions:

Version	toString() Output	Length	Result
v2.233.0	${Token[TOKEN.18]}	20	✅ Recognized as token, passes 64-char check
v2.234.0	software.amazon.awscdk.ICfnRuleConditionExpression$Jsii$Proxy@4961931	71	❌ Not recognized as token, fails 64-char check

Version	Status	toString() Output
v2.233.0	✅ Working	${Token[TOKEN.18]}
v2.234.0	❌ Broken	Jsii$Proxy@...
v2.237.0 (latest)	❌ Still Broken	Jsii$Proxy@...

Reproduction Code

ICfnRuleConditionExpression qualifiedDomain = Fn.conditionIf(
    hasSubdomain.getLogicalId(),
    subdomain.getValueAsString() + "." + myappDomain,
    myappDomain
);

// This fails in v2.234.0
Certificate.Builder.create(this, "Certificate")
    .domainName("*." + qualifiedDomain)  // Java calls toString() here
    .build();

Output Comparison

v2.233.0 (Working):

'*.' + qualifiedDomain = *.${Token[TOKEN.18]}
Length: 20
Error: "When using Tokens for domain names, 'validationDomains' needs to be supplied"
       ↑ This is expected - the token IS recognized, just needs more config

v2.234.0 (Broken):

'*.' + qualifiedDomain = *.software.amazon.awscdk.ICfnRuleConditionExpression$Jsii$Proxy@4961931
Length: 71
Error: "Domain name must be 64 characters or less"
       ↑ Token NOT recognized, fails length validation

Root Cause

The "reference interfaces" changes introduced in PR #35032 and propagated through ~20+ PRs merged between v2.233.0 and v2.234.0 changed how interfaces are exposed through JSII bindings. This broke the
toString() proxy mechanism for ICfnRuleConditionExpression in Java - the JSII proxy's default Java toString() is now being called instead of the underlying Intrinsic.toString() method that returns a
proper token string.

Reproduction Location

The Java reproduction project is at:
/issue-triage/repro-36832-java/