Reputation: 1208
When I was adding the IamCertificateId property to my AWS::CloudFront::Distribution in CloudFormation, I got the following error:
Resource handler returned message: "Invalid request provided: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain."
I did make sure that the certificate exists, by running the aws iam list-server-certificates command and making sure the value of the IamCertificateId property matches the ASCA-prefixed IAM ID of the certificate.
I am disregarding the us-east-1 region message since IAM is a global service and I'm not using an ACM certificate. Also, I'm operating in the China cn-north-1 region, in case that makes a difference.
I'm pretty sure the certificate is "valid", because I'm assuming AWS wouldn't have allowed me to upload the certificate with aws iam upload-server-certificate if it were malformed.
The error message, therefore, isn't pointing me to the solution. What could I be missing?
Upvotes: 12
Views: 15160
Reputation: 6227
Documenting this since it wasn't obvious and yet this SO question was the top result for this error message.
tl;dr - Certificate Manager can generate certificates with key sizes larger than what CloudFront can support.
Problem:
I created a certificate in us-east-1 with ECDSA P 384, as that was the highest available at the time of writing. Then I got:
Invalid request provided: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain.
Solution:
Then after reading the documentation: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-size-of-public-key
For ECDSA certificates:
CloudFront supports 256-bit keys. To use an ECDSA certificate in ACM to require HTTPS between viewers and CloudFront, use the prime256v1 elliptic curve.
So dropping down to ECDSA P 256 or RSA 2048 resolved my issue.
Upvotes: 0
Reputation: 337
I was having this error. I was using Terraform to provision a CloudFront distribution in a region that is not us-east-1. I was positive it was a variable error. Somewhere I must have had a variable pointing to the wrong region instead of us-east-1.
But indeed, like user Promise Preston pointed out, the certificate must be in us-east-1, even if the CloudFront distribution I am creating is not going to be in us-east-1.
Solution: I provided my Terraform code with the ARN of a valid certificate from us-east-1, even though the distribution I was creating was not going to be in us-east-1. And it worked.
Upvotes: 2
Reputation: 28800
I experienced this same issue when trying to attach an AWS Certificate to a CloudFront distribution.
The issue had to do with the fact that the AWS Certificate was provisioned in the eu-west-1 region.
AWS made it clear:
To use a certificate in AWS Certificate Manager (ACM) to require HTTPS between viewers and CloudFront, make sure you request (or import) the certificate in the US East (N. Virginia) Region (us-east-1).
Here's how I fixed it:
All I had to do was provision another AWS certificate in the US East (N. Virginia) Region (us-east-1) and then reference it in the CloudFront distribution in the eu-west-1 region.
Upvotes: 4
Reputation: 25088
I had this problem and it was because my build system had accidentally switched a slash / on Windows (but it was working on Linux). My CloudFormation file had:
```json
"CloudfrontDistribution": {
  "Type": "AWS::CloudFront::Distribution",
  "DependsOn": "CloudfrontS3LogsBucket",
  "Condition": "DRDeactivated",
  "Properties": {
    "DistributionConfig": {
      <--- snip snip -->
      "ViewerCertificate": {
        "AcmCertificateArn": "arn:aws:acm:us-east-1:0123456789:certificate\\XXXX-XXXX-XXXX-XXXX",
        "SslSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2019"
      }
    }
  }
},
```
The AcmCertificateArn was wrong in the CloudFormation code above. Instead of
```json
"AcmCertificateArn": "arn:aws:acm:us-east-1:0123456789:certificate\\XXXX-XXXX-XXXX-XXXX",
```
it should have been:
```json
"AcmCertificateArn": "arn:aws:acm:us-east-1:0123456789:certificate/XXXX-XXXX-XXXX-XXXX",
```
Upvotes: 0
Reputation: 1208
Your certificate may be valid, but perhaps not valid for CloudFront. What the error message didn't point out is something you can find tucked away in the docs for uploading a certificate:
Note: If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the path parameter. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/ ).
Therefore, make sure that you add --path "/cloudfront/" in your aws iam upload-server-certificate command.
Upvotes: 4
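The answers above boil down to four checks that CloudFront performs but its error message does not spell out: the ACM certificate must live in us-east-1, its ARN must use a forward slash before the certificate ID, its key algorithm must be one CloudFront supports, and an IAM-uploaded certificate must sit under a /cloudfront/ path. The following is an added pre-deployment check (not code from any of the answers) that applies those rules to an ARN string, the KeyAlgorithm value that ACM's DescribeCertificate returns, and the ServerCertificateMetadata object from list-server-certificates; the supported-algorithm set is limited to the two values the page cites and is an assumption to extend from the current docs.

```python
import re

# ARN shape CloudFront accepts: region captured for the us-east-1 check, and the
# resource part must be "certificate/<id>" (a backslash, as in one answer above, fails).
# The aws-cn partition is included because the question is asked from cn-north-1.
ACM_ARN_RE = re.compile(
    r"^arn:aws(?:-cn)?:acm:(?P<region>[a-z0-9-]+):\d{12}:certificate/[0-9A-Za-z-]+$"
)

# KeyAlgorithm values as ACM DescribeCertificate reports them. Assumption: only the two
# key types cited on this page are listed; extend from the CloudFront docs if needed.
SUPPORTED_KEY_ALGORITHMS = {"RSA_2048", "EC_prime256v1"}


def check_acm_certificate(arn, key_algorithm=None):
    """Return a list of problems with an ACM certificate reference for CloudFront."""
    findings = []
    match = ACM_ARN_RE.match(arn)
    if not match:
        findings.append("ARN is malformed; expected ...:certificate/<id> with a forward slash")
    elif match.group("region") != "us-east-1":
        findings.append(f"certificate is in {match.group('region')}; CloudFront requires us-east-1")
    if key_algorithm is not None and key_algorithm not in SUPPORTED_KEY_ALGORITHMS:
        findings.append(f"key algorithm {key_algorithm} is not supported by CloudFront")
    return findings


def check_iam_certificate(metadata):
    """Check an IAM ServerCertificateMetadata dict for the /cloudfront/ path rule."""
    path = metadata.get("Path", "/")
    if path.startswith("/cloudfront/") and path.endswith("/"):
        return []
    return [f"IAM path {path!r} must begin with /cloudfront and end with a trailing slash"]


if __name__ == "__main__":
    # Constructed sample values (not real account IDs or certificates).
    bad_arn = "arn:aws:acm:us-east-1:012345678901:certificate\\1234abcd-0000-0000-0000-000000000000"
    wrong_region = "arn:aws:acm:eu-west-1:012345678901:certificate/1234abcd-0000-0000-0000-000000000000"
    for arn, alg in [(bad_arn, "RSA_2048"), (wrong_region, "EC_secp384r1")]:
        for finding in check_acm_certificate(arn, alg):
            print("ACM:", finding)
    for finding in check_iam_certificate({"ServerCertificateName": "site", "Path": "/"}):
        print("IAM:", finding)
```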