5

I've got one certificate in ACM which was previously used for having a custom domain at an API Gateway. As I learned here, AWS creates some resources at an internal AWS Account like ELBs which will be attached to the Certificate.

Issue with this is: I deleted the custom domain name & even the API Gateway itself and checked that there are no other resources attached. Still I can't remove the certificate because it's marked as in use:

Associated resources
arn:aws:elasticloadbalancing:eu-central-1:<other-account-id>:loadbalancer/app/prod-fra-1-cdtls-1-2-108/8b1...
arn:aws:elasticloadbalancing:eu-central-1:<other-account-id>:loadbalancer/app/prod-fra-1-cdtls-1-2-120/fbc...
arn:aws:elasticloadbalancing:eu-central-1:<other-account-id>:loadbalancer/app/prod-fra-1-cdtls-1-2-139/6d4...

There are a lot of threads on the AWS forums where the issue was mostly resolved due to the fact that the custom domain name really was not deleted but hidden because the API Gateway was deleted previously & the sidebar is therefore not visible to access the custom domain names. Not the case here.

Are there any tricks to resolve this besides contacting AWS Support? The issue has existed for more than a few days, so I guess it won't resolve itself.

tpschmidt

2 Answers

2

You can assign AWS ACM certificates to Custom Domain Names in AWS API Gateway. These load balancers are not part of your own AWS Account but are hosted by AWS, hence the other-account-id.

Remove the Custom Domain Name or update the Endpoint configuration so it's using another ACM certificate ARN.

Hans Homan
1

Unlike @tpschmidt, I didn't delete my API Gateway, so I don't know if this solution will work for him.

What worked for me was:

  1. Create in API Gateway a temporary new custom domain name, being sure to associate it with the certificate you want to delete.
  2. Delete the very same custom domain name. This presumably forces API Gateway to check if it should also delete the certificate association, which will take a few minutes, and you won't see any progress indicator, so be patient.
  3. Now you can delete the certificate in AWS Certificate Manager.
John Pick
  • This is indeed a valid workaround @John Pick. In some cases, the issue will still persist, and as of December 2022 one still needs to reach out to support to resolve it. They acknowledged it quickly in our most recent case; waiting for them to disassociate the ELBs as of today. – joakim Dec 13 '22 at 10:58
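
The three steps from John Pick's answer, written as an AWS CLI script (an added example, not code from either answer). It assumes a regional custom domain name, as the eu-central-1 load balancer ARNs in the question suggest; the script arguments and function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not code from the answers. Usage: script CERT_ARN TEMP_DOMAIN
# TEMP_DOMAIN is an operator-chosen name that the certificate must cover.

# ARNs that ACM still lists as using the certificate, one per line.
in_use_by() {
  aws acm describe-certificate --certificate-arn "$1" \
    --query 'Certificate.InUseBy' --output text |
    tr '\t' '\n' | sed -e '/^$/d' -e '/^None$/d'
}

# Of those, the ones owned by an account other than $2 (ARN field 5).
foreign_users() {
  in_use_by "$1" | awk -F: -v own="$2" '($5 "") != (own "")'
}

# Steps 1 and 2: create, then delete, a temporary regional custom domain name
# bound to the certificate.
recycle_domain() {
  aws apigateway create-domain-name --domain-name "$2" \
    --regional-certificate-arn "$1" \
    --endpoint-configuration types=REGIONAL >/dev/null
  aws apigateway delete-domain-name --domain-name "$2"
}

# Step 3: poll until InUseBy is empty, then delete the certificate.
# Returns 1 on timeout (the case in the comment, where support is needed).
delete_when_free() {
  _tries=${2:-20}; _delay=${3:-30}; _i=0
  while [ "$_i" -lt "$_tries" ]; do
    if [ -z "$(in_use_by "$1")" ]; then
      aws acm delete-certificate --certificate-arn "$1"
      return 0
    fi
    _i=$((_i + 1)); sleep "$_delay"
  done
  return 1
}

main() {
  own=$(aws sts get-caller-identity --query Account --output text)
  echo "Associations held outside account $own:"; foreign_users "$1" "$own"
  recycle_domain "$1" "$2" || return 1
  delete_when_free "$1" || { echo "still in use after polling" >&2; return 1; }
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

The certificate is deleted only after `InUseBy` comes back empty, so a timeout leaves it in place.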