How can I troubleshoot issues with using a custom SSL certificate for my CloudFront distribution?


I have an SSL certificate on AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) that I want to use for my Amazon CloudFront distribution. I want to troubleshoot the issues that I'm having.

Short description

The following are the most common issues when using a custom SSL certificate for your CloudFront distribution:

  • When setting up the distribution, you don't have the option to choose your custom SSL certificate.
  • You can't choose the SSL certificate even though you might be able to use the same certificate with your load balancer.

Resolution

To troubleshoot issues when using a custom SSL certificate with your CloudFront distribution, check the following:

If you're using a certificate requested from or imported to ACM, then confirm that your certificate meets the requirements

  • To assign an ACM certificate to a CloudFront distribution, request or import the certificate in the US East (N. Virginia) Region. If you're using the ACM console, then check the Region selector in the navigation bar. Confirm that US East (N. Virginia) is selected before you request or import the certificate.
    Note: After you assign an ACM certificate to a CloudFront distribution, the certificate is distributed to all edge locations for the CloudFront distribution's price class.
  • After you validate your ACM certificate using either DNS validation or email validation, be sure that the status of the certificate is Issued. The status must be Issued before you can assign the certificate to a CloudFront distribution.
  • The certificate must be a 2048-bit RSA certificate or smaller. Though ACM supports 1024-bit through 4096-bit RSA certificates, services such as CloudFront that are integrated with ACM support a maximum of 2048-bit RSA certificates.
  • For imported certificates, be sure that the certificate meets the prerequisites for importing a certificate.

If you're using a certificate imported to IAM, then verify the CloudFront path

When you import your SSL certificate to IAM, provide the correct path so that CloudFront can use the certificate. Run the following AWS Command Line Interface (AWS CLI) command to upload your certificate with a specified CloudFront path:

Note: Before you run this command, be sure to replace all values with the details for your certificate and CloudFront distribution.

aws iam upload-server-certificate --server-certificate-name CertificateName \
--certificate-body file://public_key_certificate_file --private-key file://privatekey.pem \
--certificate-chain file://certificate_chain_file --path /cloudfront/DistributionName/

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

If you didn't upload your certificate with the CloudFront path, then run this command to update your certificate with the path:

aws iam update-server-certificate --server-certificate-name CertificateName \
--new-path /cloudfront/DistributionName/

Note: After you add a certificate to a CloudFront distribution, the distribution's status changes from Deployed to In Progress. The distribution's status changes back to Deployed when the change is deployed to all CloudFront edge locations. The typical deployment time is 5 minutes.
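The ACM and IAM checks above can be run against the JSON that `aws acm describe-certificate` and `aws iam get-server-certificate` return. The following script is an added example, not part of this article or an AWS tool; the sample API responses are constructed, and the "2048-bit RSA or smaller" limit is taken from the ACM section above.

```python
import re

# Constraints stated in the ACM and IAM sections of this article.
REQUIRED_REGION = "us-east-1"        # US East (N. Virginia)
MAX_RSA_BITS = 2048                  # 2048-bit RSA or smaller
CLOUDFRONT_PATH_PREFIX = "/cloudfront/"

def check_acm_certificate(describe_output: dict) -> list[str]:
    """Problems with an ACM certificate, given the JSON returned by
    `aws acm describe-certificate`. An empty list means it passes the checks."""
    cert = describe_output["Certificate"]
    problems = []
    # ARN format: arn:aws:acm:<region>:<account>:certificate/<id>
    region = cert["CertificateArn"].split(":")[3]
    if region != REQUIRED_REGION:
        problems.append(f"region is {region}; CloudFront only lists ACM certificates in {REQUIRED_REGION}")
    if cert.get("Status") != "ISSUED":
        problems.append(f"status is {cert.get('Status')}; it must be ISSUED (finish DNS or email validation)")
    algo = cert.get("KeyAlgorithm", "")            # e.g. "RSA_2048"
    m = re.fullmatch(r"RSA_(\d+)", algo)
    if not m or int(m.group(1)) > MAX_RSA_BITS:
        problems.append(f"key algorithm {algo} is outside the {MAX_RSA_BITS}-bit RSA limit described above")
    return problems

def check_iam_certificate(get_output: dict) -> list[str]:
    """Problems with an IAM server certificate, given the JSON returned by
    `aws iam get-server-certificate`."""
    meta = get_output["ServerCertificate"]["ServerCertificateMetadata"]
    path = meta.get("Path", "/")
    if path.startswith(CLOUDFRONT_PATH_PREFIX):
        return []
    return [f"path is {path}; CloudFront needs a path under {CLOUDFRONT_PATH_PREFIX} "
            f"(fix with: aws iam update-server-certificate --new-path {CLOUDFRONT_PATH_PREFIX}{meta['ServerCertificateName']}/)"]

# Constructed sample API output (not from a real account) for a dry run.
BAD_ACM = {"Certificate": {
    "CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/example-id",
    "DomainName": "www.example.com", "Status": "PENDING_VALIDATION", "KeyAlgorithm": "RSA_4096"}}
GOOD_ACM = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-id",
    "DomainName": "www.example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_2048"}}
BAD_IAM = {"ServerCertificate": {"ServerCertificateMetadata": {
    "ServerCertificateName": "CertificateName", "Path": "/"}}}

if __name__ == "__main__":
    for label, problems in (("ACM", check_acm_certificate(BAD_ACM)),
                            ("IAM", check_iam_certificate(BAD_IAM))):
        for p in problems:
            print(f"{label}: {p}")
```

Against the constructed BAD_ACM input the script reports all three ACM failures (wrong Region, not Issued, key too large), which is the same order of checks the article walks through.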

Confirm that you have the required permissions when assigning a certificate from ACM or IAM to the CloudFront distribution

The IAM user or role that you use to assign the certificate must have the following permissions at minimum:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "acm:ListCertificates",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:ListDistributions",
                "cloudfront:ListStreamingDistributions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:List*",
                "cloudfront:Get*",
                "cloudfront:Update*"
            ],
            "Resource": "arn:aws:cloudfront::account-id:distribution/distribution-id"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListServerCertificates",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetServerCertificate",
                "iam:UpdateServerCertificate"
            ],
            "Resource": "arn:aws:iam::account-id:server-certificate/certificate-name-with-path"
        }
    ]
}

Related information

How do I resolve the "InvalidViewerCertificate" error exception while creating or updating a CloudFront distribution?

Requirements for using SSL/TLS certificates with CloudFront

AWS OFFICIAL. Updated a year ago.