I am posting this here to help others facing this problem as I could not find any useful information on the web.

If you have mapped your ACM certificate to an endpoint (EC2, ELB, EKS service, whatever), you will need to enable CertificateTransparencyLoggingPreference; otherwise you will get this error in Chrome:

NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

To do this via the aws-cli, the command is:

aws acm update-certificate-options --certificate-arn <ARN of ACM certificate> --options CertificateTransparencyLoggingPreference=ENABLED

I have provided the full response from AWS support as the answer, as this contains even more information.

Joel

1 Answer


This is Vivek from AWS Containers team. I will assist you on this case.

From the case description, I understand that you requested an ACM certificate and created an ELB (service load balancer) behind which you are running nginx pods in the EKS cluster example-EKS-CLUSTER-dev.

When accessing the site https://test-aws.example.co/ from a browser, you are getting the error below:

Error: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

You would like to use a third-party CA such as Let's Encrypt to issue free SSL certificates for your domains. You do not want to move the domain to Route53.

You wish to know how to do this and achieve https.

Please let me know if my understanding is correct.

Regarding the error ERR_CERTIFICATE_TRANSPARENCY_REQUIRED, this error is thrown by the Chrome browser when it cannot find CT (certificate transparency) logs.

For Google Chrome to trust the certificate, all issued or imported certificates must have the SCT information embedded in them.

By default, ACM logs all new and renewed certificates. However, it provides an option to opt out via the AWS API or CLI.

You may find more about this on link [1].

I checked the load balancer mapped to the domain “test-aws.example.co”. It is mapped to ELB abce6962e05794f36a23435db3f1837d-1755308045.eu-west-2.elb.amazonaws.com which uses ACM certificate arn:aws:acm:eu-west-2:150737547637:certificate/f932b11d-af17-4023-be41-045c6fcc5e86

I checked this certificate and found that the option “CertificateTransparencyLoggingPreference” is disabled.

You may enable transparency logging on the certificate to fix the issue by running the following command:

aws acm update-certificate-options --certificate-arn --options CertificateTransparencyLoggingPreference=ENABLED

Once the certificate is updated with CertificateTransparencyLoggingPreference enabled, the issue will resolve, i.e. you should no longer receive the error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED when accessing the site over https.

Regarding your other query, i.e. how to use a third-party certificate such as Let's Encrypt with ELB for https, you may obtain the desired certificate (get it issued by the desired CA) and import it into ACM or IAM. Once the third-party certificate is imported into ACM/IAM, it can be associated with the https listener of the ELB in the same way as a certificate issued by ACM (by using the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert in the service definition YAML, with the ARN of the imported certificate as its value).

Please find the steps to import a certificate into ACM on link [2]. The steps to import a certificate into IAM can be found on [3].

Joel
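An added example (not part of the question or the AWS support reply) that turns the support engineer's diagnosis into an offline check: it parses the JSON that `aws acm describe-certificate` prints, reports whether the certificate has opted out of CT logging, builds the exact `update-certificate-options` call from the answer, and, for the imported-certificate case, checks a DER blob for the embedded-SCT extension. The ARN, domain and describe output are constructed sample values, and the SCT check is a byte-level heuristic rather than a full X.509 parse.

```python
"""Offline triage for NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED on an
ACM certificate. No AWS calls are made; all inputs are constructed."""
import json

CT_KEY = "CertificateTransparencyLoggingPreference"
# DER encoding of OID 1.3.6.1.4.1.11129.2.4.2, the X.509 extension that
# carries embedded Signed Certificate Timestamps (RFC 6962, section 3.3).
SCT_EXT_OID_DER = bytes.fromhex("060a2b06010401d679020402")

# Constructed sample of `aws acm describe-certificate` output, trimmed to
# the fields used here. The account id and ARN are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"Certificate": {
    "CertificateArn": "arn:aws:acm:eu-west-2:123456789012:certificate/"
                      "00000000-0000-0000-0000-000000000000",
    "DomainName": "test-aws.example.co",
    "Status": "ISSUED",
    "Options": {CT_KEY: "DISABLED"},
}})

def ct_logging_preference(describe_json: str) -> str:
    """ENABLED or DISABLED as reported by ACM. ACM logs by default, so a
    response without an Options block is treated as ENABLED."""
    cert = json.loads(describe_json)["Certificate"]
    return cert.get("Options", {}).get(CT_KEY, "ENABLED")

def needs_ct_logging(describe_json: str) -> bool:
    """True when the certificate opted out of CT logging, the state in
    which Chrome rejects it with NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED."""
    return ct_logging_preference(describe_json) != "ENABLED"

def enable_ct_command(describe_json: str) -> list[str]:
    """argv for the fix given in the answer, with the ARN taken from the
    describe-certificate output so it cannot be mistyped."""
    arn = json.loads(describe_json)["Certificate"]["CertificateArn"]
    return ["aws", "acm", "update-certificate-options", "--certificate-arn",
            arn, "--options", f"{CT_KEY}=ENABLED"]

def has_embedded_sct_extension(cert_der: bytes) -> bool:
    """Heuristic for imported certificates: does the DER contain the
    embedded-SCT extension OID? A certificate without it will not satisfy
    Chrome's CT requirement, whatever the ACM option says."""
    return SCT_EXT_OID_DER in cert_der

if __name__ == "__main__":
    if needs_ct_logging(SAMPLE_DESCRIBE_OUTPUT):
        print("CT logging is DISABLED; enable it with:")
        print(" ".join(enable_ct_command(SAMPLE_DESCRIBE_OUTPUT)))
```

To check a live certificate, feed the script the output of `aws acm describe-certificate --certificate-arn <ARN>` instead of the constructed sample.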