Delete ACM certificate after CloudFront was deleted - amazon-web-services

I had a CloudFront distribution with a custom ACM certificate associated with it. The CloudFront was deleted, but I cannot delete the certificate; it says it’s still in use by that CloudFront, which no longer exists. Any idea what is happening and how do I delete the certificate?
Using either Terraform or the AWS console, if this matters.

Related

Orphaned CloudFront/AWS SSL cert association

Cleaning up and consolidating some SSL certs in AWS ACM, but can't remove some of them because they're associated with a CloudFront distribution that doesn't exist (can't find it in the console or via awscli).
Tried to delete the cert, but can't because it still has a bogus association
Tried to delete the dist via awscli, but can't because it doesn't exist

A custom sub-domain via AWS CloudFront fails over https on S3 website, but works fine over HTTP

I created a Let's Encrypt wildcard certificate for *.example.cz on an Amazon Linux EC2 instance using Certbot.
The certificate is attached to the nginx web server on EC2, and the website works fine over both HTTP and HTTPS. There are a couple of DNS records, www.example.cz and *.example.cz, of type A with the EC2 IP address.
Then, to point the subdomain cdn.example.cz to an S3 static website bucket:
I imported the same wildcard SSL certificate from EC2 to AWS Certificate Manager.
Created a CloudFront distribution with the imported SSL certificate.
Created a CNAME record cdn.example.cz and pointed it to the S3 bucket's URL.
When I request an object from S3 using http://cdn.example.cz/object.jpg it works, but the request over HTTPS keeps busy until it reaches the timeout.
I tried setting CloudFront's Alternate domain names to cdn.example.cz, and also tried www.example.cz and example.cz. None worked.
AWS Certificate Manager
CloudFront Distribution
CloudFront Distribution Origins
The CNAME record had to be pointed to the CloudFront distribution domain name
xxxxxxx..cloudfront.net
I'm not sure about this, but I also removed eu-south-1 from the Origin domain name, so it's now cdn.example.cz.s3.amazonaws.com
Once I updated the CloudFront distribution, I had to wait a few hours for the change to propagate properly (as it was initially pointing to S3 before I was aware that CloudFront was required for SSL). As soon as it did, these settings worked perfectly.

Certificate in ACM which can't be deleted - attached to AWS internal Resources

I've got one certificate in ACM which was previously used for having a custom domain at an API Gateway. As I learned here, AWS creates some resources at an internal AWS Account like ELBs which will be attached to the Certificate.
Issue with this is: I deleted the custom domain name & even the API Gateway itself and checked that there are no other resources attached. Still I can't remove the certificate because it's marked as in use:
Associated resources
arn:aws:elasticloadbalancing:eu-central-1:<other-account-id>:loadbalancer/app/prod-fra-1-cdtls-1-2-108/8b1...
arn:aws:elasticloadbalancing:eu-central-1:<other-account-id>:loadbalancer/app/prod-fra-1-cdtls-1-2-120/fbc...
arn:aws:elasticloadbalancing:eu-central-1:<other-account-id>:loadbalancer/app/prod-fra-1-cdtls-1-2-139/6d4...
There are a lot of threads on the AWS forums where the issue was mostly resolved due to the fact that the custom domain name really was not deleted but hidden, because the API Gateway was deleted previously and the sidebar is therefore not visible to access the custom domain names. Not the case here.
Are there any tricks to resolve this besides contacting AWS Support? The issue has existed for more than a few days, so I guess it won't resolve itself.
You can assign AWS ACM certificates to Custom Domain Names in AWS API Gateway. These load balancers are not part of your own AWS account but are hosted by AWS, hence the other-account-id.
Remove the Custom Domain Name or update the Endpoint configuration so it's using another ACM certificate ARN.
Unlike #tpschmidt, I didn't delete my API Gateway, so I don't know if this solution will work for him.
What worked for me was:
Create in API Gateway a temporary new custom domain name, being sure to associate it with the certificate you want to delete.
Delete the very same custom domain name. This presumably forces API Gateway to check if it should also delete the certificate association, which will take a few minutes, and you won't see any progress indicator, so be patient.
Now you can delete the certificate in AWS Certificate Manager.

ACM Requested Public SSL certificate not appearing in CloudFront

I'm creating a CloudFront distribution for an S3 bucket. I successfully created it and mapped the DNS. Now I want to use HTTPS for the DNS.
I created a cert via ACM. But the cert is not appearing in the CloudFront Custom SSL page.
Any ideas why?
I was able to accomplish the task; however, this is not the answer to the question.
I pasted the certificate ARN into the Custom SSL field and updated the CloudFront distribution. This way, I was able to add SSL to my custom domain. However, my certificate still does not appear in the drop-down menu.
Please verify whether the certificate was created in the us-east-1 region. CloudFront can use certificates that are created in that specific region.

AWS certificate being used by unknown CloudFront instance

I need to update/delete my certificate in the AWS Certificate Manager. However, when I try to do so, it says my certificate is being used by
Associated resources
arn:aws:cloudfront::<my-user-id>:distribution/ABC
However, when I navigate to the CloudFront section, there is no CloudFront distribution with that ARN.
Has anyone experienced something similar and knows how to resolve this issue?
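
A way to triage the "Associated resources" lists quoted in the API Gateway and CloudFront questions above, as an added example that is not code from any of the posts. It reads the `InUseBy` field from `aws acm describe-certificate` output and compares CloudFront entries against the IDs returned by `aws cloudfront list-distributions --query "DistributionList.Items[].Id"`; the function names, labels, account IDs and resource IDs are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate` output.
# Every account ID, certificate ID and distribution ID is a placeholder.
SAMPLE_DESCRIBE = json.dumps({"Certificate": {
    "CertificateArn":
        "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-CERT-ID",
    "InUseBy": [
        "arn:aws:elasticloadbalancing:us-east-1:999999999999:"
        "loadbalancer/app/example-lb/0123",
        "arn:aws:cloudfront::111111111111:distribution/EXAMPLEDIST1",
        "arn:aws:cloudfront::111111111111:distribution/EXAMPLEDIST2",
    ]}})

ARN_FIELDS = ("prefix", "partition", "service", "region", "account", "resource")

def parse_arn(arn):
    """Split arn:partition:service:region:account:resource into a dict."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(ARN_FIELDS, parts))

def triage_in_use_by(describe_json, own_account, live_distribution_ids):
    """Label each InUseBy entry so it is clear where the association lives."""
    cert = json.loads(describe_json)["Certificate"]
    findings = []
    for arn in cert.get("InUseBy", []):
        fields = parse_arn(arn)
        if fields["account"] != own_account:
            # Not in your account: for example the AWS-hosted load balancers
            # behind an API Gateway custom domain name.
            label = "aws-managed"
        elif (fields["service"] == "cloudfront"
              and fields["resource"].startswith("distribution/")):
            dist_id = fields["resource"].split("/", 1)[1]
            # "orphaned" = ACM lists it, but list-distributions does not.
            label = "live" if dist_id in live_distribution_ids else "orphaned"
        else:
            label = "own-account"
        findings.append((label, arn))
    return findings

if __name__ == "__main__":
    for label, arn in triage_in_use_by(SAMPLE_DESCRIBE, "111111111111",
                                       {"EXAMPLEDIST1"}):
        print(f"{label:12} {arn}")
```

An `aws-managed` entry points at a service-side association such as an API Gateway custom domain name, while an `orphaned` entry is the situation described in the CloudFront questions.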