rdegges

Reputation: 33864

CloudFront SSL Certificate Not Showing up in UI After Uploading

I've been using Cloudfront to terminate SSL for several websites, but I can't seem to get it to recognize my newly uploaded SSL certificate for some reason.

Here's what I've done so far:

Purchased a valid SSL certificate, and uploaded it via the AWS cli tool as follows:

$ aws iam upload-server-certificate \
  --server-certificate-name www.codehappy.io \
  --certificate-body file://www.codehappy.io.crt  \
  --private-key file://www.codehappy.io.key \
  --certificate-chain file://www.codehappy.io.chain.crt \
  --path /cloudfrount/codehappy-www/

For which I get the following output:

{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "ASCAIKR2OSE6GX43URB3E",
        "ServerCertificateName": "www.codehappy.io",
        "Expiration": "2016-10-19T23:59:59Z",
        "Path": "/cloudfrount/codehappy-www/",
        "Arn": "arn:aws:iam::001177337028:server-certificate/cloudfrount/codehappy-www/www.codehappy.io",
        "UploadDate": "2015-10-20T20:02:36.983Z"
    }
}

NOTE: I first ran aws configure and supplied my IAM user's credentials (this worked just fine).

Next, I ran the following command to view a list of all my existing SSL certificates on IAM:

$ aws iam list-server-certificates
{
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateId": "ASCAIIMOAKWFL63EKHK4I",
            "ServerCertificateName": "www.ipify.org",
            "Expiration": "2016-05-25T23:59:59Z",
            "Path": "/cloudfront/ipify-www/",
            "Arn": "arn:aws:iam::001177337028:server-certificate/cloudfront/ipify-www/www.ipify.org",
            "UploadDate": "2015-05-26T04:30:15Z"
        },
        {
            "ServerCertificateId": "ASCAJB4VOWIYAWN5UEQAM",
            "ServerCertificateName": "www.rdegges.com",
            "Expiration": "2016-05-28T23:59:59Z",
            "Path": "/cloudfront/rdegges-www/",
            "Arn": "arn:aws:iam::001177337028:server-certificate/cloudfront/rdegges-www/www.rdegges.com",
            "UploadDate": "2015-05-29T00:11:23Z"
        },
        {
            "ServerCertificateId": "ASCAJCH7BQZU5SZZ52YEG",
            "ServerCertificateName": "www.codehappy.io",
            "Expiration": "2016-10-19T23:59:59Z",
            "Path": "/cloudfrount/codehappy-www/",
            "Arn": "arn:aws:iam::001177337028:server-certificate/cloudfrount/codehappy-www/www.codehappy.io",
            "UploadDate": "2015-10-20T20:09:22Z"
        }
    ]
}

NOTE: As you can see, I'm able to view all three of my SSL certificates, including my newly created one.

Next, I logged into the IAM UI to verify that my IAM user account has administrator access:

IAM Admin Access

As you can see my user is part of an 'Admins' group, which has unlimited Admin access to AWS.

Finally, I log into the Cloudfront UI and attempt to select my new SSL certificate. Unfortunately, this is where things seem to not work =/ Only my other two SSL certs are listed:

Cloudfront SSL Certificates

Does anyone know what I need to do so I can use my new SSL certificate with Cloudfront?

Thanks so much!

Upvotes: 1

Views: 1328

Answers (2)

Hunter Frazier

Reputation: 477

I had a very similar issue and the problem was directly related to my private key's encryption. Reissuing the certificate using RSA 2048-bit instead of RSA 4096-bit CSR encryption solved the issue for me. Could be something else outside of encryption as well, such as the formatting of your blocks or using an encrypted private key.

In short, ACM's import filter won't catch everything nor will it verify working validity across all AWS products, so double check your encryption level settings are compatible with CloudFront when using external certificates. Here's a list of compatibility issues for CloudFront. Remember that compatibility can vary from product to product so always double check. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html

Had I simply read first, as usual, I would have saved a headache. 4096-bit is perfectly fine for some ACM functionalities, however this does not include CloudFront.

Importing a certificate into AWS Certificate Manager (ACM): public key length must be 1024 or 2048 bits. The limit for a certificate that you use with CloudFront is 2048 bits, even though ACM supports larger keys.

Upvotes: 1

Gonfva

Reputation: 1468

Most likely, the issue is that the path is incorrect. It is not cloudfrount but cloudfront.

Upvotes: 4
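
A check for the path problem identified in the answer above, as an added example that is not part of the original thread: it reads `aws iam list-server-certificates` output and flags certificates whose `Path` does not start with `/cloudfront/`, marking near-misses as likely typos. The function names, the script name `audit_paths.py` and the edit-distance threshold of 2 are assumptions made for this example.

```python
import json
import sys

CLOUDFRONT_PREFIX = "/cloudfront/"  # path CloudFront expects on IAM server certificates


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss path segments."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(listing):
    """Map each certificate name to 'ok', 'typo?' or 'not-cloudfront'."""
    report = {}
    for cert in listing["ServerCertificateMetadataList"]:
        path = cert["Path"]
        if path.startswith(CLOUDFRONT_PREFIX):
            verdict = "ok"
        else:
            # Compare the first path segment with the expected one (threshold is an assumption).
            first = path.strip("/").split("/")[0].lower()
            near = bool(first) and edit_distance(first, "cloudfront") <= 2
            verdict = "typo?" if near else "not-cloudfront"
        report[cert["ServerCertificateName"]] = verdict
    return report


# Constructed sample: names and paths taken from the listing in the question.
SAMPLE = {"ServerCertificateMetadataList": [
    {"ServerCertificateName": "www.ipify.org", "Path": "/cloudfront/ipify-www/"},
    {"ServerCertificateName": "www.codehappy.io", "Path": "/cloudfrount/codehappy-www/"},
]}

if __name__ == "__main__":
    # Usage: aws iam list-server-certificates | python3 audit_paths.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, verdict in audit(data).items():
        print(f"{verdict:15} {name}")
```

A certificate reported as `typo?` or `not-cloudfront` will not appear in the CloudFront certificate dropdown until its path begins with `/cloudfront/`.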
