I want to troubleshoot a custom SSL certificate on AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) for my Amazon CloudFront distribution.
Short description
The following are the most common issues for a custom SSL certificate used for your CloudFront distribution:
- When you set up the distribution, you don't have the option to choose your custom SSL certificate.
- You can't choose the SSL certificate even though you might be able to use the same certificate with your load balancer.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To troubleshoot issues with a custom SSL certificate for your CloudFront distribution, check the following:
If you use a certificate requested from or imported to ACM, then confirm that your certificate meets the requirements
If you use a certificate imported to IAM, then verify the CloudFront path
When you import your SSL certificate to IAM, provide the correct path so that CloudFront can use the certificate. Run the following AWS CLI command to upload your certificate with a specified CloudFront path:
Note: Before you run this command, be sure to replace all values with the details for your certificate and CloudFront distribution.
aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/DistributionName/
If you didn't upload your certificate with the CloudFront path, then run this command to update your certificate with the path:
aws iam update-server-certificate --server-certificate-name CertificateName --new-path /cloudfront/DistributionName/
Note: After you add a certificate to a CloudFront distribution, the distribution's status changes from Deployed to In Progress. The distribution's status changes back to Deployed when the change is deployed to all CloudFront edge locations. The typical deployment time is 5 minutes.
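The two IAM and ACM checks above can be scripted against the JSON that the AWS CLI returns. The following is an added example, not code from the article or from AWS: it flags IAM server certificates whose Path is not under /cloudfront/, builds the update-server-certificate command shown above for each one, and checks that an ACM certificate is ISSUED and lives in us-east-1 (the only region whose ACM certificates CloudFront can use). The listing and describe-certificate outputs, account id, names and ARNs are constructed sample data so the script runs offline.

```python
"""Offline checks for IAM server-certificate paths and ACM certificate placement.

Added example. The sample data below is constructed to match the shape of
`aws iam list-server-certificates` and `aws acm describe-certificate` output;
no AWS API calls are made.
"""
import json
import shlex

CLOUDFRONT_PATH_PREFIX = "/cloudfront/"
CLOUDFRONT_ACM_REGION = "us-east-1"  # CloudFront only accepts ACM certificates from this region

# Constructed sample: one certificate on the right path, one on "/", one used by a load balancer.
SAMPLE_IAM_LISTING = json.loads("""
{
  "ServerCertificateMetadataList": [
    {"Path": "/cloudfront/example-dist/", "ServerCertificateName": "cf-cert-ok",
     "Arn": "arn:aws:iam::123456789012:server-certificate/cloudfront/example-dist/cf-cert-ok"},
    {"Path": "/", "ServerCertificateName": "cf-cert-wrong-path",
     "Arn": "arn:aws:iam::123456789012:server-certificate/cf-cert-wrong-path"},
    {"Path": "/elb/", "ServerCertificateName": "elb-cert",
     "Arn": "arn:aws:iam::123456789012:server-certificate/elb/elb-cert"}
  ]
}
""")

# Constructed sample: `aws acm describe-certificate` output for a certificate in the wrong region.
SAMPLE_ACM_WRONG_REGION = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/00000000-0000-0000-0000-000000000000",
        "DomainName": "www.example.com",
        "Status": "ISSUED",
    }
}


def iam_certs_missing_cloudfront_path(listing):
    """Return the names of IAM server certificates whose Path is not under /cloudfront/."""
    return [
        cert["ServerCertificateName"]
        for cert in listing["ServerCertificateMetadataList"]
        if not cert["Path"].startswith(CLOUDFRONT_PATH_PREFIX)
    ]


def update_path_command(cert_name, distribution_name):
    """Build the `aws iam update-server-certificate` command from the article for one certificate."""
    new_path = f"{CLOUDFRONT_PATH_PREFIX}{distribution_name}/"
    return " ".join([
        "aws iam update-server-certificate",
        "--server-certificate-name", shlex.quote(cert_name),
        "--new-path", shlex.quote(new_path),
    ])


def acm_arn_region(arn):
    """Return the region field of an ACM certificate ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "acm":
        raise ValueError(f"not an ACM certificate ARN: {arn}")
    return parts[3]


def acm_cert_problems(describe_output):
    """List the reasons an ACM certificate cannot be attached to a CloudFront distribution.

    Only two requirements are checked here: the certificate must be in us-east-1
    and its status must be ISSUED.
    """
    cert = describe_output["Certificate"]
    region = acm_arn_region(cert["CertificateArn"])
    problems = []
    if region != CLOUDFRONT_ACM_REGION:
        problems.append(f"certificate is in {region}; CloudFront requires {CLOUDFRONT_ACM_REGION}")
    if cert.get("Status") != "ISSUED":
        problems.append(f"certificate status is {cert.get('Status')}, not ISSUED")
    return problems


if __name__ == "__main__":
    for name in iam_certs_missing_cloudfront_path(SAMPLE_IAM_LISTING):
        print(f"{name}: not on a /cloudfront/ path, fix with:")
        print("  " + update_path_command(name, "example-dist"))
    for problem in acm_cert_problems(SAMPLE_ACM_WRONG_REGION):
        print(f"ACM: {problem}")
```

To run it against a real account, replace the constructed samples with `json.load` of the CLI output (`aws iam list-server-certificates` and `aws acm describe-certificate --certificate-arn ... --region us-east-1`). The ELB certificate is reported as well, which is expected: the check only tells you which certificates CloudFront will not list, not which ones should be moved.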
Confirm that you have the required permissions when you assign a certificate from ACM or IAM to the CloudFront distribution
The IAM user or role that you use to assign the certificate must have the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "acm:ListCertificates",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:ListDistributions",
                "cloudfront:ListStreamingDistributions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:List*",
                "cloudfront:Get*",
                "cloudfront:Update*"
            ],
            "Resource": "arn:aws:cloudfront::account-id:distribution/distribution-id"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListServerCertificates",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetServerCertificate",
                "iam:UpdateServerCertificate"
            ],
            "Resource": "arn:aws:iam::account-id:server-certificate/certificate-name-with-path"
        }
    ]
}
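The policy above uses wildcards (cloudfront:Get*, cloudfront:Update*) and a mix of "*" and ARN-scoped resources, so it is not obvious at a glance that every call the console makes is covered. The following is an added example, not part of the article: it takes the article's policy with constructed account, distribution and certificate ids filled in, and checks each required action/resource pair against it using IAM's basic rules (actions match case-insensitively with wildcards, resources match with wildcards, an explicit Deny beats any Allow, and nothing matching means implicit deny). Conditions, NotAction, permission boundaries and SCPs are out of scope for this check, so a clean result here does not replace the IAM policy simulator.

```python
"""Check that a policy document grants the permissions the article lists.

Added example. The policy is the article's, with constructed ids substituted
for account-id, distribution-id and certificate-name-with-path.
"""
import fnmatch

ACCOUNT_ID = "123456789012"                              # constructed
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"                      # constructed
CERT_NAME_WITH_PATH = "cloudfront/example-dist/cf-cert"  # constructed
DISTRIBUTION_ARN = f"arn:aws:cloudfront::{ACCOUNT_ID}:distribution/{DISTRIBUTION_ID}"
CERT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:server-certificate/{CERT_NAME_WITH_PATH}"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "acm:ListCertificates", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudfront:ListDistributions", "cloudfront:ListStreamingDistributions"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudfront:List*", "cloudfront:Get*", "cloudfront:Update*"],
         "Resource": DISTRIBUTION_ARN},
        {"Effect": "Allow", "Action": "iam:ListServerCertificates", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:GetServerCertificate", "iam:UpdateServerCertificate"],
         "Resource": CERT_ARN},
    ],
}

# (action, resource) pairs the article says are needed to attach the certificate.
REQUIRED = [
    ("acm:ListCertificates", "*"),
    ("cloudfront:ListDistributions", "*"),
    ("cloudfront:ListStreamingDistributions", "*"),
    ("cloudfront:GetDistribution", DISTRIBUTION_ARN),
    ("cloudfront:UpdateDistribution", DISTRIBUTION_ARN),
    ("iam:ListServerCertificates", "*"),
    ("iam:GetServerCertificate", CERT_ARN),
    ("iam:UpdateServerCertificate", CERT_ARN),
]


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """Wildcard match using IAM's * and ? semantics (fnmatch's [..] classes never occur in ARNs)."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource):
    """True when the statement names both the action (case-insensitive) and the resource."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_matches(a, action, True) for a in actions)
            and any(_matches(r, resource, False) for r in resources))


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise implicit deny."""
    statements = policy["Statement"]
    if any(s["Effect"] == "Deny" and statement_applies(s, action, resource) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and statement_applies(s, action, resource) for s in statements)


def missing_permissions(policy, required=REQUIRED):
    """Return the (action, resource) pairs from `required` that `policy` does not allow."""
    return [(action, resource) for action, resource in required if not is_allowed(policy, action, resource)]


if __name__ == "__main__":
    gaps = missing_permissions(POLICY)
    print("all required permissions granted" if not gaps else f"missing: {gaps}")
```

Dropping the last statement from POLICY makes the two iam:*ServerCertificate entries show up as missing, and adding a Deny on cloudfront:Update* removes cloudfront:UpdateDistribution even though the Allow is still present, which is the behaviour to expect when a permission boundary or a second attached policy denies the update.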
Related information
How do I use ACM to troubleshoot the CloudFront distribution "InvalidViewerCertificate" domain name error?
Requirements for using SSL/TLS certificates with CloudFront