How do I resolve the error "The certificate is in use" when I try to delete my ACM certificate?


I tried to delete my AWS Certificate Manager (ACM) certificate. However, I received the error "The certificate is in use and cannot be deleted. Disassociate the certificate from each resource in the list and try again."

Resolution

To disassociate the ACM certificate from a CloudFront distribution or Application Load Balancer, replace the ACM certificate that's associated with the custom domain. Or, delete the custom domain.

To check the resource that the ACM certificate is associated with, use the AWS Command Line Interface (AWS CLI) to run the describe-certificate command.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
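As an added example (not part of the AWS article), the following Python helper reads describe-certificate output and separates the ARNs in the Certificate.InUseBy list that belong to the certificate's own account from those that belong to another account; the JSON sample, account numbers and ARNs are constructed placeholders, and the describe_certificate() wrapper assumes a configured AWS CLI.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample in the shape of `aws acm describe-certificate` output.
# Certificate.InUseBy lists the ARNs of resources using the certificate.
# All account IDs and resource names below are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/00000000-0000-0000-0000-000000000000",
    "DomainName": "example.com",
    "Status": "ISSUED",
    "InUseBy": [
      "arn:aws:cloudfront::111111111111:distribution/EXAMPLEDIST",
      "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/prod-iad-1-example/0123456789abcdef"
    ]
  }
}
""")


def arn_account(arn: str) -> str:
    """Return the account-ID field (5th colon-separated field) of an ARN.
    CloudFront ARNs carry an empty region field, which the split keeps."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[4]


def classify_associations(describe_output: Dict) -> Dict[str, List[str]]:
    """Split InUseBy into resources in the certificate's own account (which
    you can disassociate yourself) and resources in another account (per the
    article's comments, AWS-managed resources that only AWS Support can clear)."""
    cert = describe_output["Certificate"]
    own = arn_account(cert["CertificateArn"])
    result: Dict[str, List[str]] = {"own_account": [], "foreign_account": []}
    for arn in cert.get("InUseBy", []):
        result["own_account" if arn_account(arn) == own else "foreign_account"].append(arn)
    return result


def describe_certificate(certificate_arn: str) -> Dict:
    """Call the AWS CLI for a real certificate (needs configured credentials)."""
    cmd = ["aws", "acm", "describe-certificate", "--certificate-arn", certificate_arn, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    import sys
    data = describe_certificate(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DESCRIBE_OUTPUT
    for kind, arns in classify_associations(data).items():
        print(kind, *arns, sep="\n  ")
```

Run it with a certificate ARN as the only argument to inspect a real certificate; without arguments it classifies the embedded sample.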

To disassociate the ACM certificate, take one of the following actions:

Then, delete the ACM certificate.

Note: If you deleted a custom domain, distribution, or load balancer, then you might not be able to delete the ACM certificate. If you can't delete the ACM certificate, then contact AWS Support.

Related information

Gateway API problems

Services integrated with AWS Certificate Manager

AWS OFFICIAL
Updated 4 months ago
8 Comments

My SAM stack delete has just failed because a Certificate cannot be deleted because it has an "associated resource" pointing to the CloudFront distribution that I created in the same stack. The CloudFront distribution has been marked as successfully deleted. It's already been 2 days and the Certificate still thinks there is an associated resource. Any ideas what to do in this scenario?

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

I'm facing the same issue; it's been 1 day already since I deleted the associated API Gateway custom domain. The certificate still seems to be associated with some resources that do not exist in my account. This is what I see:

Associated resources (3)

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-104/87ea7bd28e18ef45

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-793/dd9eb9379f71a0ba

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-862/56fc8591797a2875

The account ID shown is not mine.

Kevin
replied 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 7 months ago

I got the same problem. I created a temp certificate for testing purposes; after I deleted the domain CNAME record and all other resources, the cert still thinks it is associated with a CloudFront distribution, arn:aws:cloudfront::474240146802:distribution/E1UDZSUB323PD4. Facing the same problem as Kevin: this is not my account ID.

pfandie
replied 7 months ago

Got the same error for RestApi regional and custom domains today, almost mid-2024. Looks like it was an issue 2 years and 6 months ago; some comments in December 2022 confirm it is still an active issue. When AWS states they have no ETA, they really mean no ETA: it could be 5 years or longer before it is resolved. Luckily, if you have paid support, you can open a service ticket with an ETA for first contact of 3 business days, so maybe being resolved could take 1 week.

replied 6 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 6 months ago

As of 07/15/2024, the way to resolve this issue, especially when the certificate still doesn't delete after you delete the associated custom API Gateway domain, is to reach out to AWS Support and request that they remove "Stale Associations" or "Dangling resources" in regards to ACM certificates.

In my case, the associated ELBs (whose ARNs had a different account number from the certificate ARN with the issue) were successfully removed by the AWS internal team, because those resources belonged to API Gateway and were created by the API Gateway service.

AWS
replied 3 months ago