anonymous-dev

Reputation: 2456

CertificateNotfound error when creating LB Listener

I am having trouble adding a certificate to my LB listener. Here is the code used to do so (note these are snippets of code):

global/main.tf

resource "aws_acm_certificate" "demo_cert_east" {
  provider          = "aws.east"
  domain_name       = "*.mydomain.com"
  validation_method = "DNS"

  tags {
    Name        = "demo certificate"
    Environment = "demo"
  }

  lifecycle {
    create_before_destroy = true
  }
}

stage/main.tf

data "aws_acm_certificate" "demo_cert" {
  domain   = "*.mydomain.com"
  statuses = ["ISSUED", "PENDING_VALIDATION"]
}

resource "aws_lb_listener" "wfe_demo_ssl" {
  load_balancer_arn = "${aws_lb.wfe_demo.arn}"
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = "${data.aws_acm_certificate.demo_cert.arn}"

  default_action {
    target_group_arn = "${aws_lb_target_group.wfe_demo.arn}"
    type             = "forward"
  }
}

I have ensured that both resources are in the aws-east region. I am getting the error:

Error creating LB Listener: CertificateNotFound: Certificate 'arn:aws:acm:us-east-1:078395932517:certificate/b83ba534-ef9d-4a07-ae13-832695dc8b5a' not found.

So the certificate is getting retrieved correctly by the data source but the listener then can't seem to find it.

Upvotes: 5

Views: 7735

Answers (2)

ydaetskcoR

Reputation: 56869

To be able to attach an ACM certificate to a load balancer or other AWS resource such as Cloudfront, it must have been validated first.

Changing your data source to find only ISSUED certificates should then push the error to happen in the data source if there are no validated certificates that match your pattern:

data "aws_acm_certificate" "demo_cert" {
  domain   = "*.mydomain.com"
  statuses = ["ISSUED"]
}

To validate the certificate you can either handle this out of band manually when you request it, use some other tool to automatically validate it for you, or you can use Terraform's aws_acm_certificate_validation resource when creating the ACM certificate request:

resource "aws_acm_certificate" "cert" {
  domain_name = "example.com"
  validation_method = "DNS"
}

data "aws_route53_zone" "zone" {
  name = "example.com."
  private_zone = false
}

resource "aws_route53_record" "cert_validation" {
  name = aws_acm_certificate.cert.domain_validation_options.0.resource_record_name
  type = aws_acm_certificate.cert.domain_validation_options.0.resource_record_type
  zone_id = data.aws_route53_zone.zone.id
  records = [aws_acm_certificate.cert.domain_validation_options.0.resource_record_value]
  ttl = 60
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn = aws_acm_certificate.cert.arn
  validation_record_fqdns = [aws_route53_record.cert_validation.fqdn]
}

Upvotes: 8

perelin

Reputation: 1448

Because I just had the issue: certificate and resource must be in the same region. (@ydaetskcoR kind of mentioned this already).

Upvotes: 5
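Pulling both answers together, here is an added example (not code from the question or either answer) of the single-module form of this setup on Terraform 0.12+ with AWS provider 3.x: the certificate, its validation and the listener share one provider alias, so they cannot end up in different regions, and the listener takes its ARN from the validation resource, so it is not created before the certificate is ISSUED. It assumes aws_lb.wfe_demo and aws_lb_target_group.wfe_demo are defined under the same alias and that mydomain.com is a public Route 53 hosted zone.

```hcl
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

# Request the certificate in the region that will also host the load balancer.
resource "aws_acm_certificate" "demo_cert_east" {
  provider          = aws.east
  domain_name       = "*.mydomain.com"
  validation_method = "DNS"
}

data "aws_route53_zone" "zone" {
  name = "mydomain.com."
}

# One DNS validation record per entry of domain_validation_options (a set in AWS provider 3.x).
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.demo_cert_east.domain_validation_options :
    dvo.domain_name => dvo
  }
  zone_id = data.aws_route53_zone.zone.zone_id
  name    = each.value.resource_record_name
  type    = each.value.resource_record_type
  records = [each.value.resource_record_value]
  ttl     = 60
}

# Completes only once ACM reports the certificate as ISSUED.
resource "aws_acm_certificate_validation" "demo_cert_east" {
  provider                = aws.east
  certificate_arn         = aws_acm_certificate.demo_cert_east.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

# Same provider alias as the certificate; the ARN comes from the validation resource,
# so Terraform waits for validation before it creates the listener.
resource "aws_lb_listener" "wfe_demo_ssl" {
  provider          = aws.east
  load_balancer_arn = aws_lb.wfe_demo.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = aws_acm_certificate_validation.demo_cert_east.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.wfe_demo.arn
  }
}
```

If the certificate has to stay in a separate state (the global/stage split from the question), keep the data "aws_acm_certificate" lookup but give it the same provider alias as the certificate and restrict it to statuses = ["ISSUED"], so a region mismatch or an unvalidated certificate fails at plan time instead of as CertificateNotFound on the listener.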
