
I had imported a SSL certificate into AWS long time ago. It is currently installed on the ELB, and it is going to expire in 15 days. I am trying to get AWS to issue a new certificate but it is stuck waiting validation:

[screenshot: ACM certificate request stuck in "Pending validation"]

Currently Route53 is pointing to the ELB. If I enter "https://eyecloud.net.au" it works fine.

Now, I tried to create a CloudFront, so that I can redirect HTTP to HTTPS. But the imported SSL certificate does not show up:

[screenshot: CloudFront distribution settings, custom SSL certificate dropdown]

I deleted the ELB, and the imported certificate becomes not in use, but it still doesn't show up on CloudFront.

  • Possible duplicate of [AWS: Custom SSL certificate option is disabled in CloudFront, but I created a SSL certificate using AWS Certificate Manager](https://stackoverflow.com/questions/43166169/aws-custom-ssl-certificate-option-is-disabled-in-cloudfront-but-i-created-a-ss) – Ashan Sep 29 '17 at 17:13

4 Answers


There is no problem using a certificate with multiple endpoints, whether they're ELBs, ALBs, or Cloudfront distributions.

However, if you want to use an ACM cert for Cloudfront, the cert must be issued in us-east-1.

> Note
>
> To use an ACM Certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region.

http://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

Michael - sqlbot

  • If the new certs are not visible in the dropdown for CloudFront in the edit page, just erase the current value and retrigger the dropdown. I lost a couple of hours because of that bug. – deezy Mar 11 '19 at 21:51
  • Does anyone know how this is NOT a **single point** of failure for CloudFront? Seems like if us-east-1 has an outage, SSL for CloudFront is going to fail for everyone (except maybe for those using 3rd party certs from other regions... if that's even possible). – Bruno Bronosky Oct 22 '19 at 15:41
  • I just had this problem and logging out and back in allowed me to pick the newly created certs. – Ismael Arenzana Nov 05 '20 at 20:24

I had a case where I already had an SSL certificate selected, and when I clicked on the dropdown it only showed the selected one.

Turns out that Amazon doesn't like UX, because it is not a normal dropdown; it is a "searchable" dropdown. Meaning if you have a certificate selected, it will only show that specific certificate, because it is also searching for it in the dropdown.

Clicking on it and deleting the name reveals the rest of the certificates.

See below examples:

UX.

Where are my certificates?

[screenshot: dropdown showing only the currently selected certificate]

Oh...

[screenshot: the selected name cleared from the dropdown]

[screenshot: dropdown now listing all certificates]

Amit Assaraf
    Thanks. That was a completely obvious thing that I missed for an hour. Thanks, Amazon. -_- – r0ber7 Jun 26 '19 at 12:04
  • This post is almost two years old and AWS still has awful UX. Thanks so much. I honestly could not figure this one out. – Trip Sep 25 '20 at 15:44

My problem was that I had generated a 4096-bit certificate, but CloudFront only allows 2048-bit certificates:

CloudFront [...] with ACM support a maximum of 2048-bit RSA certificates

I created my certificate with ZeroSSL and I didn't manage to create a 2048-bit one. To do that, I installed Ubuntu on my Windows machine (needed to install the Windows Subsystem for Linux in the 'Turn Windows features on or off' section) and used Certbot for Ubuntu with this command to create a 2048-bit certificate while using DNS validation:

```
certbot -d yourdomain -d www.yourdomain --manual --preferred-challenges dns certonly
```

The 4096-bit certificate didn't show up, but the new 2048-bit certificate did, after deleting the contents of the drop-down menu, as stated by @Gopgop. You can see what kind of encryption rate your certificate has when importing the certificate into AWS Certificate Manager, on the review and import page, under "Public key info". If you create a new certificate with ACM, that one automatically has 2048-bit encryption and can be used right away in CloudFront.

Sven Möhring
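The answer above points at the key-size limit that makes an imported certificate silently disappear from CloudFront's dropdown. The following script is an added example (not part of this thread, nor an AWS or Certbot tool): it reads the RSA public-key size out of a PEM certificate with the `openssl` CLI, the same value ACM shows under "Public key info" on the import page, and flags anything larger than 2048 bits before you import it. The self-signed test certificates it can generate are constructed locally for demonstration only; the script assumes `openssl` is installed.

```shell
# Added example, not code from the thread or from AWS: check an RSA certificate's
# public-key size before importing it into ACM for CloudFront, which (per the
# answer's quoted AWS note) accepts at most 2048-bit RSA certificates.
# Assumes the openssl CLI is available on PATH.

# Print the RSA modulus size (in bits) of the public key in a PEM certificate.
# Matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)" output forms.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the key size is within CloudFront's RSA limit, 1 otherwise
# (also 1 when the size could not be read, e.g. not a PEM certificate).
cloudfront_key_ok() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -le 2048 ]
}

# Create a throwaway self-signed certificate with an RSA key of the given size.
# Constructed test data only: used to exercise the checks above, never for a
# real site. The private key is written beside the certificate as "$2.key".
make_test_cert() {
    bits=$1; out=$2
    openssl req -x509 -newkey "rsa:$bits" -nodes -keyout "$out.key" -out "$out" \
        -days 1 -subj "/CN=example.test" >/dev/null 2>&1
}

# Usage: sh check_cert.sh /path/to/certificate.pem
if [ $# -eq 1 ]; then
    if cloudfront_key_ok "$1"; then
        echo "$1: $(cert_key_bits "$1")-bit RSA key, within CloudFront's limit"
    else
        echo "$1: $(cert_key_bits "$1")-bit RSA key, too large for CloudFront (max 2048)"
        exit 1
    fi
fi
```

Run it against the certificate file you are about to import; a non-zero exit means the certificate would import into ACM fine but never appear as a choice for a CloudFront distribution. The two-function split (read the size, then judge it) lets you reuse `cert_key_bits` to print the size when the cause of a missing certificate is not yet clear.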

I have applied the same certificate to multiple endpoints or on multiple cloudfront distributions.

Also, if you notice, you cannot apply the CNAME to multiple endpoints either. You can use the CNAME in only one place.

The only issue I have seen is your conversion from custom certificates to an ACM certificate. There could be a bug with that. You might need to file a support ticket to resolve the issue.

Hope it helps.

Kannaiyan
  • Thank you for your reply but I need a bit of clarification: (1) "you cannot apply the CNAME to multiple endpoints": so I need to create two CloudFront distributions? (2) "your conversion from custom certificates to ACM certificate": what is the problem? I have been using this **imported** certificate for months on the ELB without any problem. –  Sep 28 '17 at 00:13
  • One CNAME to multiple distributions is not allowed. Multiple CNAMEs to one distribution is allowed. To get a clue what certificate is being used, check the current certificate's expiry. If it is using your old certificate date, then your ACM certificate is not available at all for use. – Kannaiyan Sep 28 '17 at 04:04