Certificate chain for AWS ACM using Cloudflare - amazon-web-services

I'm trying to import a certificate from Cloudflare using the AWS Web UI and I'm stuck on this page:
I read that the equivalent in Cloudflare to Certificate Chain is Origin Certificates (not 100% sure on this), so I created one and chose the RSA certificate, and when I try to finish the import in AWS it says:
Could not validate the certificate with the certificate chain. Choose Previous button below and fix it.
Does anyone know what the problem is?
Thanks
EDIT:
I tried the root CA and it also doesn't work:
This is the "solution" from AWS:
"Could not validate the certificate with the certificate chain."
If ACM can't match the certificate to the certificate chain provided, verify that the certificate chain is associated to your certificate. You might need to contact your certificate provider for further assistance.

OK, I found the issue: I had created a Client CE and that's what I was using. I read in the description that it was the one used to authenticate APIs in clients, so it made sense. Anyway, resolution:
All 3 CEs have to be ORIGIN, and the root is from this page. So if anyone has this issue, make sure you use the CE from the Origin page + the root.

Related

AWS not allowing me to add another ACM Certificate for SSL configuration

I am trying to add an SSL certificate in ALB, but I am getting the following error.
I successfully requested 1 ACM certificate, but unfortunately it was wrongly configured, and this issue keeps repeating after I deleted my first ACM certificate. Does AWS not allow creating multiple ACM certificates? I didn't find an edit option to change the FQDN, hence I had to delete the old cert.
What is the probable root cause? I tried to contact the support team; unfortunately the ticket is still open.
As per the docs:
ACM requires additional information to process this certificate request. This happens as a fraud-protection measure if your domain ranks within the Alexa top 1000 websites. To provide the required information, use the Support Center to contact AWS Support. If you don't have a support plan, post a new thread in the ACM Discussion Forum.
In my view [the only possible solution]:
All Amazon certificates for these domains will remain functional until expiration, but will not be renewable and no new certificates from these domains will be issued. The only workaround that would work in your scenario would be to obtain a certificate from a third party that can issue a certificate for your domain, and import the certificate into ACM
Contacting Support is recommended to resolve the issue, as explained in this document. Also, it's not possible to change domain names once a certificate has been requested, and you can create multiple certificates in ACM.

How to fix NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED on AWS ACM / ELB in Chrome / Firefox

I am posting this here to help others facing this problem as I could not find any useful information on the web.
If you have mapped your ACM certificate to an endpoint (EC2, ELB, EKS service, whatever), you will need to enable CertificateTransparencyLoggingPreference, else you will get NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED in Chrome. To do this via the aws-cli, the command is:
aws acm update-certificate-options --certificate-arn <ARN of ACM certificate> --options CertificateTransparencyLoggingPreference=ENABLED
I have provided the full response from AWS support as the answer, as this contains even more information.
This is Vivek from the AWS Containers team. I will assist you on this case.

From the case description, I understand that you requested an ACM certificate and created an ELB (service load balancer) behind which you are running nginx pods in the EKS cluster example-EKS-CLUSTER-dev. When accessing the site https://test-aws.example.co/ from a browser you are getting the error below:
Error: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
You would like to use a third party CA such as Let's Encrypt to issue a free SSL certificate for your domains. You do not want to move the domain to Route53. You wish to know how to do this and achieve https. Please let me know if my understanding is correct.

Regarding the error ERR_CERTIFICATE_TRANSPARENCY_REQUIRED, this error is thrown by the Chrome browser when it cannot find CT (certificate transparency) logs. For Google Chrome to trust the certificate, all issued or imported certificates must have the SCT information embedded in them. By default ACM logs all new and renewed certificates. However, it provides an option to opt out from the AWS API or CLI. You may find more about this on link [1].

I checked the load balancer mapped to the domain "test-aws.example.co". It is mapped to ELB abce6962e05794f36a23435db3f1837d-1755308045.eu-west-2.elb.amazonaws.com which uses ACM certificate arn:aws:acm:eu-west-2:150737547637:certificate/f932b11d-af17-4023-be41-045c6fcc5e86. I checked this certificate and found that the option "CertificateTransparencyLoggingPreference" is disabled. You may enable transparency on the certificate to fix the issue by running the following command:
aws acm update-certificate-options --certificate-arn --options CertificateTransparencyLoggingPreference=ENABLED
Once the certificate is updated with CertificateTransparencyLoggingPreference as enabled, the issue will resolve, i.e. you should no longer receive the error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED when accessing the site over https.

Regarding your other query, i.e. how to use a third party certificate such as Let's Encrypt with ELB for https, you may obtain the desired certificate (get it issued from the desired CA) and import it in ACM or IAM. Once the third party certificate is imported in ACM/IAM, it can be associated with the https listener of the ELB similar to how you associate a certificate issued by ACM (by using the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert in the service definition yaml with the value as the ARN of the imported certificate). Please find the steps to import a certificate in ACM on link [2]. The steps to import a certificate in IAM can be found on [3].
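Before flipping the ACM option it is worth confirming what the browser is actually complaining about: whether the leaf certificate you serve carries embedded SCTs at all. The script below is an added example, not code from the thread or from AWS support. It needs only openssl for the local checks; the two functions that talk to a live endpoint or to the aws CLI are shown for completeness and are not exercised offline. The host name and ARN in the usage line are placeholders. For an imported certificate the SCTs, if any, were embedded by the issuing CA, so run the file check on the certificate before you import it.

```shell
#!/bin/sh
# Added example (not from the thread or the AWS support reply): find out
# whether a certificate embeds Certificate Transparency SCTs, and read the
# matching ACM option. Requires openssl; the aws function needs the CLI and
# credentials. Host name and ARN are placeholders.

# has_sct CERT.pem: exit 0 if the certificate carries the
# "CT Precertificate SCTs" extension that Chrome looks for.
has_sct() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CT Precertificate SCTs'
}

# sct_count CERT.pem: print how many SCTs are embedded (0 when the extension
# is absent). Chrome's policy wants SCTs from more than one log, so a count
# of 1 is still not enough.
sct_count() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -c 'Signed Certificate Timestamp:'
}

# served_cert HOST [PORT]: print the leaf certificate a TLS endpoint presents,
# so the same checks can be run against the load balancer (needs network).
served_cert() {
  printf '' | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null \
    | openssl x509
}

# acm_ct_preference ARN: print ENABLED or DISABLED for the certificate's
# CertificateTransparencyLoggingPreference (needs aws CLI credentials). This is
# the value the support engineer found set to DISABLED.
acm_ct_preference() {
  aws acm describe-certificate --certificate-arn "$1" \
    --query 'Certificate.Options.CertificateTransparencyLoggingPreference' --output text
}

# Usage: sh ct_check.sh www.example.com [443]
if [ $# -ge 1 ]; then
  tmp=$(mktemp)
  served_cert "$1" "${2:-443}" > "$tmp"
  echo "$1: $(sct_count "$tmp") embedded SCT(s)"
  rm -f "$tmp"
fi
```

If sct_count reports 0 for the certificate the load balancer serves, check acm_ct_preference; if it reports 2 or more and Chrome still complains, the problem is elsewhere (a stale cached certificate, or a different certificate on the listener than the one you inspected).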

Is google cloud platform removed some option in Google Cloud SSL/HTTPS Load Balancer?

Can anyone help me? I am using a load balancer in Google Cloud Platform, but I am not able to properly install SSL. Only the certificate chain and private key boxes are showing, not a public key box. Why is this happening? Have I missed something, or is it a glitch on Google's side?
public key => But where to upload this??
certificate chain => available
private key => available
Which one of these is the certificate chain that Google is asking for?
And when checking, it shows grade B due to an incomplete chain.
As I suspected in the comment section, the issue was with a self-managed certificate (Trust Chain).
When creating a Certificate in GCP you can use Google-Managed and Self-Managed certificates.
In this setup, OP used a GoDaddy certificate and validated it on SSL Labs. One of the issues was:
This server's certificate chain is incomplete. Grade capped to B.
More details can be found in this article: How Certificate Chains Work
A certificate chain is an ordered list of certificates, containing an SSL/TLS Certificate and Certificate Authority (CA) Certificates, that enable the receiver to verify that the sender and all CA's are trustworthy.
In the Using self-managed SSL certificates - Step 2: Create a self-managed SSL certificate resource guide, you can find information that the certificate chain needs to be verified by the user:
Paste in your certificate or click Upload to navigate to your certificate file.
You can choose to include the CA certificate chain in the same file as the certificate. Google Cloud does not validate the certificate chain for you – validation is your responsibility.
There is also information about the trust chain when you are creating a certificate in GCP via the UI, that your trust chain must be correct:
The certificate must be in PEM format and include correct certificate trust chain. The certificate chain must be no greater than 5 certs long.
Solution
Solution to this issue was to merge the certificate chain with OP's certificate.
Useful links
Creating a .pem File for SSL Certificate Installations, especially part Creating a .pem with the Private Key and Entire Trust Chain
How to combine various certificates into single .pem
You don't need to upload the public key to the load balancer. Only the certificate and private key are needed.
The public key portion is embedded in the certificate.
Just add the main security certificate at the top of the certificate chain (which mostly contains 3 to 4 certificates) and add this final certificate in the certificate field while creating a certificate. Then all things will be corrected. Thank you, enjoy.
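The fix the Cloudflare/ACM question at the top of the page ended on (the import was rejected until the certificates from the Origin page plus the root were supplied) and the fix in this GCP answer (the grade was capped at B until the chain was merged with the certificate) are the same job: put the leaf first, follow it with the CA that issued it, then that CA's issuer, and confirm every link actually matches before uploading. The script below is an added example, not code from either thread or from Cloudflare, AWS or Google. It needs only openssl, generates a constructed three-level demo PKI for itself (Demo Root CA, Demo Intermediate CA, www.example.com), and every file name in it is hypothetical.

```shell
#!/bin/sh
# Added example (not from either thread): build a PEM chain in the order ACM
# and the GCP load balancer expect and validate it locally before uploading.
# Requires only openssl. The demo PKI is generated on the fly; all file names
# are hypothetical.

# check_chain LEAF CHAIN ROOT: exit 0 only if LEAF validates through the CAs
# in CHAIN up to ROOT. If this fails locally, the ACM import wizard will fail
# with "Could not validate the certificate with the certificate chain".
check_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# subject_of / issuer_of CERT: print the name in RFC 2253 form for comparison.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }

# linked CERT CA: exit 0 if CA's subject is CERT's issuer, i.e. CA is the next
# link. A wrong CA (for instance a client-auth CA uploaded as the chain for an
# origin certificate) fails here, and the message tells you which file it is.
linked() { [ "$(issuer_of "$1")" = "$(subject_of "$2")" ]; }

# make_fullchain OUT LEAF CA...: write LEAF followed by the CAs in the order
# given, writing nothing if any link is broken or out of order.
make_fullchain() {
  out=$1; leaf=$2; shift 2
  prev=$leaf
  for ca in "$@"; do
    if ! linked "$prev" "$ca"; then
      echo "chain broken: $(subject_of "$ca") did not issue $(subject_of "$prev")" >&2
      return 1
    fi
    prev=$ca
  done
  cat "$leaf" "$@" > "$out"
}

# make_demo_pki DIR: constructed root -> intermediate -> leaf PKI used to
# exercise the checks above (RSA 2048, one-day validity).
make_demo_pki() {
  dir=$1
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
authorityKeyIdentifier = keyid
EOF
  openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/pki.cnf" -extensions int_ext \
    -out "$dir/int.pem" 2>/dev/null
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/pki.cnf" -extensions leaf_ext \
    -out "$dir/leaf.pem" 2>/dev/null
}

# Usage: sh chain_check.sh LEAF.pem CHAIN.pem ROOT.pem
if [ $# -eq 3 ]; then
  check_chain "$1" "$2" "$3" && echo "chain OK" || echo "chain does NOT validate" >&2
fi
```

ACM takes the leaf and the CA bundle in separate fields, so for ACM paste leaf.pem alone as the certificate body and only the CA certificates (the file minus its first block) as the chain; GCP takes the whole fullchain.pem in one box and counts every certificate in it, root included, toward its limit of 5.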

Not able to get SSL certificate validated issued using AWS Certificate Manager

I want to add an SSL certificate to my application that is currently deployed on Elastic Beanstalk. I had created the certificate using AWS Certificate Manager, using both validation methods, but neither of them worked. I neither got an email, nor did adding the CNAME to GoDaddy as well as to Route 53 get it validated. I followed the exact steps specified in the documentation. I am the owner of the domain, so I should have gotten an email, but I didn't. Any idea what I might be doing wrong?
Also, is there another way to generate the SSL certificate besides AWS CM for my application?

AWS: imported SSL certificate not showing up in CloudFront

I had imported an SSL certificate into AWS a long time ago. It is currently installed on the ELB, and it is going to expire in 15 days. I am trying to get AWS to issue a new certificate, but it is stuck waiting for validation:
Currently Route53 is pointing to the ELB. If I enter "https://eyecloud.net.au" it works fine.
Now, I tried to create a CloudFront, so that I can redirect HTTP to HTTPS. But the imported SSL certificate does not show up:
I deleted the ELB, and the imported certificate is no longer in use, but it still doesn't show up in CloudFront.
There is no problem using a certificate with multiple endpoints, whether they're ELBs, ALBs, or Cloudfront distributions.
However, if you want to use an ACM cert for Cloudfront, the cert must be issued in us-east-1.
Note
To use an ACM Certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region.
http://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
I had a case where I already had an SSL certificate selected, and when I clicked on the dropdown it only showed the selected one.
Turns out that Amazon doesn't like UX, because it is not a normal dropdown; it is a "searchable" dropdown. Meaning, if you have a certificate selected, it will only show that specific certificate, because it is also searching for it in the dropdown.
Clicking on it and deleting the name reveals the rest of the certificates.
See the examples below:
UX.
Where are my certificates?
Oh...
My problem was that I had generated a 4096-bit certificate, but CloudFront only allows 2048-bit certificates:
CloudFront [...] with ACM support a maximum of 2048-bit RSA certificates
I created my certificate with ZeroSSL and I didn't manage to create a 2048-bit one. To do that, I installed Ubuntu on my Windows machine (I needed to install the Windows Subsystem for Linux in the 'Turn Windows features on or off' section) and used Certbot for Ubuntu with this command to create a 2048-bit certificate while using DNS validation:
certbot -d yourdomain -d www.yourdomain --manual --preferred-challenges dns certonly
The 4096-bit certificate didn't show up, but the new 2048-bit certificate did, after deleting the contents of the drop-down menu, as stated by @Gopgop. You can see what kind of encryption rate your certificate has when importing the certificate into AWS Certificate Manager, on the review and import page, under "Public key info". If you create a new certificate with ACM, that one automatically has 2048-bit encryption and can be used right away in CloudFront.
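The two causes named in the answers above, a certificate that lives outside us-east-1 and an RSA key above 2048 bits, can both be caught before the import rather than by staring at an empty dropdown. The script below is an added example, not code from the thread or from AWS; it needs only openssl, and the ARN and file names in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a certificate
# you intend to attach to CloudFront, covering the two reasons given above
# for it not appearing in the dropdown: the ACM region and the key size.
# Requires openssl. The ARN and file names are placeholders.

# arn_region ARN: print the region field of an ACM certificate ARN
# (arn:aws:acm:REGION:ACCOUNT:certificate/ID).
arn_region() { printf '%s\n' "$1" | cut -d: -f4; }

# cloudfront_region_ok ARN: CloudFront only lists ACM certificates that were
# requested or imported in us-east-1.
cloudfront_region_ok() { [ "$(arn_region "$1")" = "us-east-1" ]; }

# key_bits CERT.pem: print the public key size in bits, the same figure ACM
# shows under "Public key info" on its review-and-import page.
key_bits() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# cloudfront_key_ok CERT.pem: exit 0 if the key is at most 2048 bits, the
# maximum CloudFront accepts for RSA certificates.
cloudfront_key_ok() {
  bits=$(key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -le 2048 ]
}

# Usage: sh cloudfront_preflight.sh ARN CERT.pem
if [ $# -eq 2 ]; then
  cloudfront_region_ok "$1" \
    || echo "region $(arn_region "$1") is not us-east-1: CloudFront will not list this certificate" >&2
  cloudfront_key_ok "$2" \
    || echo "key is $(key_bits "$2") bits: CloudFront does not accept RSA keys above 2048 bits" >&2
fi
```

Run key_bits on the certificate file before importing it; if it prints 4096 you will save yourself the Certbot detour only by re-keying at 2048 (Certbot's --rsa-key-size option, or the key size your CA's order form offers), since ACM cannot shrink a key after the fact.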
I have applied the same certificate to multiple endpoints and to multiple CloudFront distributions.
Also, if you notice, you cannot apply the CNAME to multiple endpoints either. You can use the CNAME in only one place.
The only issue I have seen is your conversion from custom certificates to an ACM certificate. There could be a bug with that. You might need to file a support ticket to resolve the issue.
Hope it helps.