AWS announces AWS Interconnect – multicloud (preview), providing simple, resilient, high-speed private connections to other cloud service providers. AWS Interconnect - multicloud is easy to configure and provides high-speed, resilient connectivity with dedicated bandwidth, enabling customers to interconnect AWS networking services such as AWS Transit Gateway, AWS Cloud WAN, and Amazon VPC to other cloud service providers with ease.
How do I resolve the error "The certificate is in use" when I try to delete my ACM certificate?
I tried to delete my AWS Certificate Manager (ACM) certificate. However, I received the error "The certificate is in use and cannot be deleted. Disassociate the certificate from each resource in the list and try again."
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To complete a task, AWS services that integrate with ACM can create and own resources, such as an Amazon CloudFront distribution or Application Load Balancer. If you associate an ACM certificate with multiple AWS resources, then you get the "The certificate is in use" error message.
The following are scenarios where you might receive the error message:
- When you deploy an endpoint, Amazon API Gateway sets up and owns the CloudFront distribution or Application Load Balancer that's associated with the ACM certificate. For more information, see API Gateway problems.
- When you add custom domains to an Amazon Cognito user pool, Cognito owns CloudFront distribution that's associated with the ACM certificate.
- When you create custom endpoints for Amazon OpenSearch Service, OpenSearch Service owns the Application Load Balancer that's associated with the ACM certificate.
To check the AWS resource that's using the ACM certificate, run the describe-certificate AWS CLI command.
Note: When you create an API Gateway domain or Cognito custom domain, the service creates a CloudFront or Elastic Load Balancing (ELB) distribution. To view the service that owns the distribution, navigate to the distribution on the CloudFront console.
To disassociate the ACM certificate, take one of the following actions:
- To replace the ACM certificate for API Gateway, see Rotate a certificate imported into ACM.
- To replace the ACM certificate for Cognito, see Changing the SSL certificate for your custom domain.
- To delete the custom domain name for API Gateway, run the delete-domain-name AWS CLI command.
- To delete the custom domain name for Cognito, run the delete-user-pool-domain AWS CLI command.
- To update the ACM certificate for OpenSearch Service, see Creating a custom endpoint for Amazon OpenSearch Service.
Then, delete the ACM certificate.
Note: If you deleted a custom domain, distribution, or load balancer, then you might not be able to delete the ACM certificate. If you can't delete the ACM certificate, then contact AWS Support.
- Language
- English
My SAM stack delete has just failed because a Certificate cannot be deleted because it has an "associated resource" pointing to the Cloud Front distribution that I created in the same stack. The Cloud Front distribution has been marked as successfully deleted. It's already been 2 days and the Certificate still thinks there is an associated resource. Any ideas what to do in this scenario?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I'm facing the same issue, it's been 1 day already since I deleted the associated API gateway custom domain. The certificate still seems to be associated to some resources that does not exist in my account, this is what i see:
Associated resources (3)
arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-104/87ea7bd28e18ef45
arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-793/dd9eb9379f71a0ba
arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-862/56fc8591797a2875
This shown account id is not mine.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
i got the same problem. created a temp certificate for testing purpose, after i deleted the domain cname record and all other resources, ther cert still think it is associated with a cloudfront distribution arn:aws:cloudfront::474240146802:distribution/E1UDZSUB323PD4 facing the same problem as kevin, this is not my account id
Got same error for RestApi regional and custom domains today almost mid-2024. Looks like it was an issue 2 years and 6 months ago, some comments in December 2022 confirm still active issue. When AWS states they have no ETA, they really mean no ETA it could be 5 years or longer before it is resolved. Luckily if you have paid support, you can put a service ticket with an ETA for first contact at 3 business days, so maybe being resolved could be 1 week.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I am facing the same issue, and it seem like this is blocking any other certificate request for this domain as well. :( Any update on this?
I have also similar issue, my acm certificate claims it is related to some non-existing cloudfront distribution. I cannot delete it, I cannot disassociate it, I'm stuck. It looks like aws api error to me.
I got the same error as the above comments, but when I try to contact AWS support they say "AWS Basic support is not able to take action on a customers resources on their behalf as it would pose a significant security risk."
Relevant content
- asked 5 months ago
- asked 4 years ago
