2

I am trying to delete two certificates but I am getting this sort of error message: [screenshot of the error message]

However when I run:

aws elbv2 describe-load-balancers --region us-east-1 --load-balancer-arns

I get no returned load balancers?

Also if I try to delete directly:

aws elbv2 delete-load-balancer --region us-east-1 --load-balancer-arn ...

I get the error:

is not a valid load balancer ARN

How can I delete these "associations"?

maxisme

2 Answers

2

Source: https://docs.aws.amazon.com/acm/latest/userguide/troubleshoot-apigateway.html

UPDATE: I had a similar issue recently. As per the attached doc:

When you deploy a regional API endpoint, API Gateway creates an application load balancer (ALB) on your behalf. The load balancer is owned by API Gateway and is not visible to you. The ALB is bound to the ACM certificate that you used when deploying your API. To remove the binding and allow ACM to delete your certificate, you must remove the API Gateway custom domain that is associated with the certificate.

The AWS-managed ALB was using the ACM-issued certificate, and to delete the cert we need to make sure no resource is using it, but we can't delete the ALB as it is AWS-managed.

So I had to reach out to AWS support to delete the ALB first, and then I was able to delete the cert.

AWS support admits that there are already feature requests to resolve this annoying trouble.

samtoddler
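
A read-only way to trace the binding that the quoted AWS documentation describes, as an added example that is not part of either answer or of the AWS docs: it lists what ACM reports as using the certificate, flags ARNs outside your own account (which `elbv2` calls from your account cannot see), and lists the API Gateway custom domain names that reference the certificate. The function names are made up for this example; the AWS CLI calls need valid credentials.

```shell
#!/bin/sh
# Added example: trace what still holds an ACM certificate. Nothing is deleted.
# Function names are hypothetical; arguments are the caller's own ARN and region.

# Resource ARNs that ACM reports as using the certificate, one per line.
cert_in_use_by() {  # $1 = certificate ARN, $2 = region
    aws acm describe-certificate --region "$2" --certificate-arn "$1" \
        --query 'Certificate.InUseBy' --output text |
        tr '\t' '\n' | sed -e '/^$/d' -e '/^None$/d'
}

# The account ID is the fifth colon-separated field of an ARN.
arn_account() { printf '%s\n' "$1" | cut -d: -f5; }

# API Gateway custom domain names bound to the certificate
# (REST API domains via apigateway, HTTP/WebSocket API domains via apigatewayv2).
domains_using_cert() {  # $1 = certificate ARN, $2 = region
    {
        aws apigateway get-domain-names --region "$2" --output text --query \
            "items[?certificateArn=='$1' || regionalCertificateArn=='$1'].domainName"
        aws apigatewayv2 get-domain-names --region "$2" --output text --query \
            "Items[?DomainNameConfigurations[?CertificateArn=='$1']].DomainName"
    } | tr '\t' '\n' | sed -e '/^$/d' -e '/^None$/d' | sort -u
}

# Report each in-use ARN, flagged when it lies outside the caller's account,
# followed by the custom domains that reference the certificate.
report() {  # $1 = certificate ARN, $2 = region
    me=$(aws sts get-caller-identity --query Account --output text)
    cert_in_use_by "$1" "$2" | while read -r arn; do
        if [ "$(arn_account "$arn")" = "$me" ]; then
            echo "own-account      $arn"
        else
            echo "not-your-account $arn"
        fi
    done
    domains_using_cert "$1" "$2" | sed 's/^/custom-domain    /'
}
```

Source the file and run `report <certificate-arn> us-east-1`. Removing a listed custom domain is the step the documentation names for releasing the certificate.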

1

As of December 2022, this issue is still possible to run into, and reaching out to Support per @samtoddler's answer is the only way around it.

For those facing this in accounts with no technical support, the AWS team will still be able to help — they have acknowledged this is a recurring issue and involvement of technical teams is required. Don't be discouraged by any messages you may see about "upgrading your support tier" when first describing the issue to them — these are automated, and the non-technical team quickly acknowledged the issue in our most recent case and escalated accordingly.

Might be just coincidental, but after having faced this a couple of times in recent years, in all cases there was some kind of drift involved between a CloudFormation or CDK stack and the AWS Console.

joakim