How can I troubleshoot issues with using a custom SSL certificate for my CloudFront distribution?

Last updated: 2020-10-05

I have an SSL certificate on AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) that I want to use for my Amazon CloudFront distribution. When setting up my distribution, I don't have the option to choose my custom SSL certificate. I can't choose the SSL certificate even though I might be able to use the same certificate with my load balancer. Or, I'm getting an "InvalidViewerCertificate" error. How can I troubleshoot this?

Resolution

To troubleshoot issues with using a custom SSL certificate with your CloudFront distribution, check the following:

Resolve the "InvalidViewerCertificate" error

If you're getting an "InvalidViewerCertificate" error when you try to create or update a distribution, see How do I resolve the "InvalidViewerCertificate" error exception while creating or updating a CloudFront distribution?

If you're using a certificate requested from or imported to ACM, confirm that your certificate meets the requirements

  • To assign an ACM certificate to a CloudFront distribution, you must request or import the certificate in the US East (N. Virginia) Region. If you're using the ACM console, check the Region selector in the navigation bar. Confirm that US East (N. Virginia) is selected before you request or import the certificate.
    Note: After you assign an ACM certificate to a CloudFront distribution, the certificate is distributed to all edge locations for the CloudFront distribution's price class.
  • After you validate your ACM certificate using either DNS validation or email validation, be sure that the status of the certificate is Issued. The status must be Issued before you can assign the certificate to a CloudFront distribution.
  • The certificate must be a 2048-bit RSA certificate or smaller. Though ACM supports 1024-bit through 4096-bit RSA certificates, services such as CloudFront that are integrated with ACM support a maximum of 2048-bit RSA certificates.
  • For imported certificates, you must be sure that the certificate meets the prerequisites for importing a certificate.

If you're using a certificate imported to IAM, verify the CloudFront path

When you import your SSL certificate to IAM, you must provide the correct path so that CloudFront can use the certificate. Run the following AWS Command Line Interface (AWS CLI) command to upload your certificate with a specified CloudFront path:

Note: Before you run this command, be sure to replace all values with the details for your certificate and CloudFront distribution.

aws iam upload-server-certificate --server-certificate-name CertificateName \
--certificate-body file://public_key_certificate_file --private-key file://privatekey.pem \
--certificate-chain file://certificate_chain_file --path /cloudfront/DistributionName/

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

If you didn't upload your certificate with the CloudFront path, run this command to update your certificate with the path:

aws iam update-server-certificate --server-certificate-name CertificateName \
--new-path /cloudfront/DistributionName/

Note: After you add a certificate to a CloudFront distribution, the distribution's status changes from Deployed to In Progress. The distribution's status changes back to Deployed when the change is deployed to all CloudFront edge locations. The typical deployment time is 5 minutes.
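The ACM requirements above (US East (N. Virginia) Region, status Issued, RSA key of at most 2048 bits) and the IAM path requirement can be checked before you touch the distribution. The following is an added example, not AWS tooling: it evaluates the JSON that "aws acm describe-certificate" and "aws iam get-server-certificate" return, using constructed sample output in place of a real API call, and lists every requirement the certificate fails.

```python
# Added example: pre-flight checks for a custom CloudFront certificate.
# Input dicts have the shape of `aws acm describe-certificate` and
# `aws iam get-server-certificate` output; the samples below are constructed.

ACM_REGION = "us-east-1"            # US East (N. Virginia)
MAX_RSA_BITS = 2048                 # CloudFront's RSA key-size limit
CLOUDFRONT_PATH_PREFIX = "/cloudfront/"


def check_acm_certificate(describe_output: dict) -> list:
    """Return the reasons an ACM certificate cannot be used by CloudFront."""
    cert = describe_output["Certificate"]
    problems = []
    # ARN layout: arn:aws:acm:<region>:<account-id>:certificate/<id>
    region = cert["CertificateArn"].split(":")[3]
    if region != ACM_REGION:
        problems.append(f"region is {region}, must be {ACM_REGION}")
    status = cert.get("Status")
    if status != "ISSUED":
        problems.append(f"status is {status}, must be ISSUED")
    algo = cert.get("KeyAlgorithm", "")
    if not algo.startswith("RSA-"):
        problems.append(f"key algorithm is {algo}, must be RSA")
    elif int(algo.split("-")[1]) > MAX_RSA_BITS:
        problems.append(f"{algo} exceeds the {MAX_RSA_BITS}-bit RSA limit")
    return problems


def check_iam_certificate(get_output: dict) -> list:
    """Return the reasons an IAM server certificate is invisible to CloudFront."""
    meta = get_output["ServerCertificate"]["ServerCertificateMetadata"]
    path = meta.get("Path", "/")
    if not path.startswith(CLOUDFRONT_PATH_PREFIX):
        return [f"path is {path}, must start with {CLOUDFRONT_PATH_PREFIX}"]
    return []


# Constructed sample output: wrong Region, not yet validated, key too large.
SAMPLE_ACM = {"Certificate": {
    "CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/example-id",
    "DomainName": "www.example.com",
    "Status": "PENDING_VALIDATION",
    "KeyAlgorithm": "RSA-4096"}}

# Constructed sample output: uploaded without the /cloudfront/ path.
SAMPLE_IAM = {"ServerCertificate": {"ServerCertificateMetadata": {
    "ServerCertificateName": "ExampleCert",
    "Path": "/",
    "Arn": "arn:aws:iam::123456789012:server-certificate/ExampleCert"}}}

if __name__ == "__main__":
    for problem in check_acm_certificate(SAMPLE_ACM) + check_iam_certificate(SAMPLE_IAM):
        print("FAIL:", problem)
```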

Confirm that you have the required permissions

To assign a certificate from ACM or IAM to the CloudFront distribution, the IAM user or role you use to assign the certificate must, at minimum, have the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "acm:ListCertificates",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:ListDistributions",
                "cloudfront:ListStreamingDistributions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:List*",
                "cloudfront:Get*",
                "cloudfront:Update*"
            ],
            "Resource": "arn:aws:cloudfront::account-id:distribution/distribution-id"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListServerCertificates",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetServerCertificate",
                "iam:UpdateServerCertificate"
            ],
            "Resource": "arn:aws:iam::account-id:server-certificate/certificate-name-with-path"
        }
    ]
}
