
How do I troubleshoot issues when I use a custom SSL certificate for my CloudFront distribution?


I want to troubleshoot a custom SSL certificate for my Amazon CloudFront distribution.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Use a supported Region for certificates that you requested from or imported to ACM

To assign an AWS Certificate Manager (ACM) certificate to a CloudFront distribution, you must request or import the certificate in a supported AWS Region. If you don't request or import your certificate in a supported Region, then you get an error message. 

Specify the correct CloudFront path for certificates that you imported to IAM

It's a best practice to use ACM to import your certificate. If you import your SSL certificate to AWS Identity and Access Management (IAM), then provide the correct path so that CloudFront can use the certificate.

To import your certificate with a specified CloudFront path, run the following upload-server-certificate AWS CLI command:

aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/DistributionName/

Note: Replace CertificateName with your certificate's name, public_key_certificate_file with your public key file path, privatekey.pem with your private key file path, certificate_chain_file with the path to your chain file, and DistributionName with your CloudFront distribution's name.

If you didn't specify a CloudFront path when you imported your certificate, then run the following update-server-certificate AWS CLI command to update your certificate with the path:

aws iam update-server-certificate --server-certificate-name CertificateName --new-path /cloudfront/DistributionName/

Note: Replace CertificateName with your certificate's name and DistributionName with your CloudFront distribution's name.

After you add a certificate to a CloudFront distribution, the distribution's status changes from Deployed to In Progress. The distribution's status changes back to Deployed when the change is deployed to all CloudFront edge locations.

Confirm that you have the required permissions

If you assign a certificate from ACM or IAM, then the IAM user or role that you use to assign the certificate must have the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "acm:ListCertificates",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:ListDistributions",
        "cloudfront:ListStreamingDistributions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:List*",
        "cloudfront:Get*",
        "cloudfront:Update*"
      ],
      "Resource": "arn:aws:cloudfront::account-id:distribution/distribution-id"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ListServerCertificates",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetServerCertificate",
        "iam:UpdateServerCertificate"
      ],
      "Resource": "arn:aws:iam::account-id:server-certificate/certificate-name-with-path"
    }
  ]
}
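The following added example (not part of the AWS article) ties the IAM path procedure and the permissions policy together: it reads the JSON that `aws iam list-server-certificates` returns, flags certificates that were imported without the /cloudfront/ path, builds the update-server-certificate fix command from the article, and derives the server-certificate ARN that the policy's Resource must name. The sample output, account ID and certificate names are constructed, and the --new-path step assumes the distribution is called example-dist.

```python
import json

# Constructed sample in the shape returned by `aws iam list-server-certificates`
# (two certificates; only the first was uploaded with a CloudFront path).
SAMPLE_LIST_OUTPUT = json.dumps({
    "ServerCertificateMetadataList": [
        {
            "Path": "/cloudfront/example-dist/",
            "ServerCertificateName": "cf-cert-good",
            "ServerCertificateId": "ASCAEXAMPLEID0001",
            "Arn": "arn:aws:iam::123456789012:server-certificate/cloudfront/example-dist/cf-cert-good",
            "Expiration": "2030-01-01T00:00:00Z",
        },
        {
            "Path": "/",
            "ServerCertificateName": "cf-cert-nopath",
            "ServerCertificateId": "ASCAEXAMPLEID0002",
            "Arn": "arn:aws:iam::123456789012:server-certificate/cf-cert-nopath",
            "Expiration": "2030-01-01T00:00:00Z",
        },
    ]
})

CLOUDFRONT_PATH_PREFIX = "/cloudfront/"

def certificates_without_cloudfront_path(list_output_json):
    """Names of IAM server certificates whose path is not under /cloudfront/.
    CloudFront only offers certificates stored under that path."""
    certs = json.loads(list_output_json)["ServerCertificateMetadataList"]
    return [c["ServerCertificateName"] for c in certs
            if not c["Path"].startswith(CLOUDFRONT_PATH_PREFIX)]

def fix_path_command(cert_name, distribution_name):
    """The update-server-certificate command from the article, filled in."""
    return ("aws iam update-server-certificate --server-certificate-name {} "
            "--new-path {}{}/".format(cert_name, CLOUDFRONT_PATH_PREFIX, distribution_name))

def policy_resource_arn(account_id, path, cert_name):
    """Resource ARN the permissions policy must name for this certificate.
    The path is part of the ARN, so it changes after update-server-certificate."""
    return "arn:aws:iam::{}:server-certificate{}{}".format(account_id, path, cert_name)

if __name__ == "__main__":
    for name in certificates_without_cloudfront_path(SAMPLE_LIST_OUTPUT):
        print(fix_path_command(name, "example-dist"))
        print("policy Resource after the fix:",
              policy_resource_arn("123456789012", CLOUDFRONT_PATH_PREFIX + "example-dist/", name))
```

Because the path is embedded in the ARN, an iam:GetServerCertificate / iam:UpdateServerCertificate statement scoped to the old ARN stops matching once the path is updated; regenerate the Resource with the new path.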

Related information

How do I use ACM to troubleshoot the CloudFront distribution "InvalidViewerCertificate" domain name errors?

Requirements for using SSL/TLS certificates with CloudFront

Size of the certificate key

AWS OFFICIAL. Updated a month ago.