Invalid or missing intermediate (bundle) certificate.

0

I'm getting an error message that says "Invalid or missing intermediate (bundle) certificate" when setting up my website on AWS. I'm using Route 53 for DNS management, AWS Certificate Manager (ACM) for SSL certificates, CloudFront as a CDN, and S3 for hosting static content. I’ve already issued the SSL certificate through ACM and applied it to my CloudFront distribution, but I'm still seeing the error. How can I ensure that the intermediate certificate is correctly included in this setup? Are there any specific configurations I need to check in ACM or CloudFront to resolve this?

9 Answers
2

Is it possible that you might be experiencing the effects of what is described in this blog post?

profile pictureAWS
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
  • Thank you for the suggestion and the blog link. It’s a very informative post, though I couldn’t find a solution to the problem there.

1

If ACM issued the certificate, instead of you importing a certificate issued by another party into ACM, the correct certificate chain will be configured automatically when you associate the certificate with your CloudFront distribution. I suggest you check the certificate details in ACM first. Specifically, is the certificate in issued or pending status, is its expiration time in the future, and does ACM show it as being associated with the correct CloudFront distribution?

If all the above checks out, then check with a command line tool like nslookup or dig if the IP addresses returned for the native DNS name of the CloudFront distribution match the IP addresses returned for the DNS name you're trying to use to access your site. This is just to make sure the request is actually being sent to CloudFront and not to any earlier location where DNS might still be pointing.

EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
  • Thank you for your suggestions. I’ve reviewed the settings in ACM, CloudFront, and Route 53 and didn’t find any missing configurations or linking issues. However, when testing with the nslookup tool, I noticed a discrepancy: the CloudFront distribution and my hosted zone resolve to different IPs, with CloudFront returning an additional 8 IPv6 addresses. I’d appreciate any further guidance on resolving this.

  • I suggest you use nslookup to check if the NS records (name server) match the name servers shown in the hosted zone properties by Route 53. Usually, nslookup accepts a command like "set q=NS" to query name server records specifically. On Windows, you can run nslookup -q=NS mydomain.com. to find the name servers. If the NS records returned by nslookup do not include any of the server names shown by Route 53 for the hosted zone, then you should check which name servers you've delegated your domain to with your domain name registrar, such as Route 53 Domains, Namecheap.com, or similar.

  • Thanks for the suggestion. I tried the commands, and they match the name servers in the NS records of the hosted zone in Route 53. Both IPv4 and IPv6 addresses resolve as expected, so the setup appears to be correct. However, the issue still persists. Any further suggestions or insights would be greatly appreciated.

  • Which browser are you using when you're receiving the error message? Could you check in its Help / About Google Chrome menu or similar product-specific menu if you're running the latest version, and could you also test with another browser? For example, if you're testing with Microsoft Edge, try Google Chrome, or the other way around, or try another Chromium-based browser, such as Brave.

  • I am trying with Google Chrome (Version 129.0.6668.100 (Official Build) (64-bit)). Additionally, tried it in the Edge and got this error message ---

    This server could not prove that it is [domain name]; its security certificate expired 94 days ago. This may be caused by a misconfiguration or an attacker intercepting your connection. Your computer's clock is currently set to Wednesday, October 30, 2024. Does that look right? If not, you should correct your system's clock and then refresh this page.----

    Then checked the ACM Certificate expiry date and it looks like this in the Details section of the certificate: Not after September 11, 2025, 18:59:59 (UTC-05:00)

    Any further suggestions or insights would be greatly appreciated.

0
Accepted Answer

The issue has been resolved.

The root cause was that the domain name was still attached to an old CloudFront distribution in a different AWS account. A few months ago, we transferred the hosted zone to the current AWS account, but the old CloudFront distribution in the previous account (AAAAAAVPX96QQ) was still referencing www.kloudbay.com. Once we removed the old CloudFront reference, everything started working as expected.

Now, the new AWS account owns the hosted zone (kloudbay.com) and has its own CloudFront distribution (AAAAAAAAAA5WHMHD) correctly set up for www.kloudbay.com.

Sharing this here in case it helps someone in the future. Thank you all for your support—I truly appreciate it!

answered 17 days ago
0

It sounds like you either imported a certificate you generated or obtained from elsewhere into ACM, rather than ACM generating a certificate for you, or you aren't connecting to your CloudFront distribution but to an intermediate network device. For example, there are corporate environments that use a firewall or proxy server to intercept TLS connections and decrypt them for content inspection on the firewall. In that case, your computer wouldn't see the certificate coming from CloudFront but a fake certificate coming from the corporate firewall or other traffic-intercepting device.

The error message said on October 30th that the server's certificate had expired 94 days ago, on July 28th, and that clearly isn't the certificate from ACM that CloudFront is using with an expiration date in September of 2025.

Are you using your own, personal computer connected to your home internet connection, or is your computer behind a firewall or using some VPN or other corporate networking or tunnelling solution?

EXPERT
answered a month ago
  • We're using the AWS platform for generating certificates, hosting our website, and providing CDN services. We use ACM for certificate management, Route 53 for hosting, and CloudFront (with the ACM certificate attached to a distribution) as our CDN. Our entire infrastructure, including apps and databases, runs on AWS—we’re an AWS-focused operation.

    I'm accessing the setup from my personal laptop and mobile phone, with no special configurations like VPN. I've double-checked the certificate expiration date and number, and both are correct. I also verified that the certificate attached to the CloudFront distribution matches the intended one.

    Thanks again for all your help and suggestions. I’m hitting a wall here, so any further guidance would be greatly appreciated.

  • Your browser said on October 30th that the certificate had expired 94 days ago, on July 28th, while the expiration date shown in ACM is in September of 2025. That seems to mean that you aren't arriving at the expected CloudFront distribution, or you have a configuration error that you didn't notice, or some software on your client device is terminating the TLS connection, as various security tools do in order to inspect the traffic contents. Is this site sensitive or could you share its URL, so we could see the certificate it's serving from a regular client device?

  • To access the CloudFront distribution from the domain kloudbay.com, I verified the A (Alias) record in the Route 53 hosted zone configuration, pointing it to [CloudFront Distribution ID].cloudfront.net. I'm accessing the site from a personal laptop. The site isn't sensitive, so you can visit it at https://kloudbay.com. Thank you once again for all your help and suggestions. I'm at a bit of an impasse, so any additional guidance would be greatly appreciated.

0

The certificate attached to your CloudFront distribution was issued by ACM on June 30th, 2023. The certificate expired 13 months later on July 30th, 2024. The error message the browser shows about the certificate being expired is correct, so the problem is in your CloudFront configuration:

Certificate on Nov 2

I suggest you open the properties of your CloudFront distribution in the management console. In the middle of the General tab, there should be a link to the "Custom certificate" attached to your distribution. Clicking it will take you to ACM and show the exact certificate that is actually used by CloudFront. I'm sure you'll see on that screen that the Status shows as "Expired" and the dates match my screenshot.

In the ACM console, still in the us-east-1 (N. Virginia) region, click "Request certificate" on the left. Select "Request a public certificate". On the next screen, enter kloudbay.com in the text box, then click "Add another name to the certificate" and enter the wildcard name *.kloudbay.com, which will allow using the www. variant of the name. Choose "DNS validation - recommended" (and not email validation) as the validation method, and change the key algorithm to "ECDSA P 256". Click Request at the bottom of the screen.

When the request has been made, click the "View certificate" button in the notification bar at the top of the screen. It will show the CNAME record you need to validate the certificate request. You can click the "Create records in Route 53" button to create the record automatically, if the Route 53 hosted zone is in the same account, or if the zone is in a different account, you'll have to add the CNAME record the console shows manually.

Capture the 36-character dashed hexadecimal "Identifier" of the certificate before proceeding to the next step.

When the certificate shows the status "Issued", open the CloudFront console and open your distribution. On the General tab, click the Edit button. In the dropdown menu "Custom SSL certificate - optional", choose the new certificate you just created based on its 36-character ID. While you're making the changes anyway, I suggest that from the "Security policy" list, you choose "TLSv1.2_2021 (recommended)". You should also ensure that IPv6 is set to "On". Click Save changes.

Deploying the configuration changes can take a while, often on the order of 10 minutes. The distribution list in the CloudFront console will show "Deploying" as long as the updates are in progress. Once the Status changes from "Deploying" to "Enabled", it's all done.

When you test, you should see that your site is working fine.

Finally, you should add an AAAA alias record for your site in the Route 53 hosted zone and point it to the same CloudFront distribution. This allows the rapidly increasing number of users on IPv6 networks to access your site without their internet operator having to translate their addresses to the legacy IPv4 address space.

In the ACM console, you should also find the old, expired certificate. Open the certificate details and make sure no "associated resources" are shown. Click "Delete" at the top right-hand corner to dispose of the expired certificate that serves no purpose.

EXPERT
answered a month ago
  • I’ve tried all the steps above, but no luck so far. My certificate displays the new expiration date of December 04, 2025, 17:59:59 (UTC-06:00). It’s attached to the CloudFront distribution, and the CNAME record for the distribution is correctly configured. Thank you again for all your help and suggestions—I'm at a bit of a standstill, so any further guidance would be greatly appreciated.

  • Your CloudFront distribution is still using the same, expired certificate as before. You may have requested a new certificate, and it may or may not have been issued (which you said nothing about), but you didn't change your CloudFront distribution to use it. Check first that the certificate is in the "Issued" status and if it is, proceed according to the instructions I gave from the paragraph that starts with, "Capture the 36-character dashed hexadecimal 'Identifier'..."

  • I believe these settings are configured correctly. Please see the screenshots below for reference. Thank you once again for all your help and suggestions—I'm at a bit of a standstill, so any additional guidance would be greatly appreciated.

0

ACM certificate for kloudbay.com screenshot 1

ACM certificate for kloudbay.com screenshot 2

answered a month ago
  • The certificate looks quite correct, but it is not the certificate that is configured for use by the CloudFront distribution to which the DNS name kloudbay.com points. I suggest you find the Route 53 hosted zone whose zone properties show the DNS servers ns-48.awsdns-06.com, ns-712.awsdns-25.net, ns-1193.awsdns-21.org, and ns-1908.awsdns-46.co.uk, and check where the A record for kloudbay.com points. If it looks correct to you, please share screenshots of the zone properties and the A record, with any sensitive data redacted.

  • Once you've found the DNS name of the CloudFront distribution to which the A alias record is pointing, find the matching distribution in the CloudFront console. Open the distribution and click the link in the console to the TLS certificate that is attached. This shows which exact ACM certificate is in use.

0

It is the same certificate (ending with 505d94) is configured for cloud front distribution(E3JOIUT5B0SNZG), verified that. Following your suggested steps earlier, created this certificate and if you observed the screenshot, the Associated Resources section shows the cloud front distribution ARN (E3JOIUT5B0SNZG). Screenshot of the cloud front distribution settings screenshot of the cloud front distribution settings

Verified the DNS servers, they are configured correctly. And screenshot of A record in Route 53 hosted zone configuration which looks correct. Screenshot of A record in Route 53 hosted zone configuration.

Also the cloud front distribution details, screenshot below Enter image description here

Thank you again for all your help and suggestions. I’m at a bit of a standstill, so any further guidance would be greatly appreciated.

answered a month ago
  • Please share a screenshot of the "hosted zone details" of the Route 53 public hosted zone that contains the A record in your screenshot. You can redact the hosted zone ID; we only need to see the "Name servers" part -- and specifically the name servers shown under "hosted zone details" at the top of the console, not the NS records within the zone.

0

Screenshot below has the naming servers. naming servers

Thank you again for all your help and suggestions.

answered a month ago
0

The screenshots just don't match what is actually online on the internet. kloudbay.com and www.kloudbay.com point to a CloudFront distribution that serves an expired TLS certificate using a 2048-bit RSA certificate and not the new ECDSA certificate that shows as being attached to the CloudFront distribution your screenshots are showing.

The way this could happen is that the DNS name is pointing to a different CloudFront distribution, which has the expired certificate still attached.

I'm not sure if we can make any progress with reality and our discussed troubleshooting steps simply not matching, but you could still do a few things:

  1. Open the old, expired certificate in the ACM console and check if it shows any associated resources, particularly CloudFront distributions. If no associated resources are listed, delete the certificate from ACM. This will ensure we won't receive that specific certificate via CF.
  2. Get a single screenshot of the Route 53 hosted zone with both the hosted zone details and the alias records for kloudbay.com and www.kloudbay.com in the same screenshot. As usual, redact sensitive details.
  3. In the distribution list in the CloudFront console, make sure that the "Type" column shows "Production" and the "Status" as "Enabled" for your CF distribution.
  4. Add the name kloudbay.com (without a prefix) to the CF distribution's alternate DNS name list. The current pattern *.kloudbay.com will match www.kloudbay.com but not the plain name kloudbay.com.

If all is still okay, then temporarily, remove all the alternate names from the CloudFront distribution and detach the custom certificate from it. Wait for the distribution to get deployed. Modify the distribution again, attaching the custom certificate and adding the alternate names kloudbay.com and www.kloudbay.com (or *.kloudbay.com if you need other hostnames aside from www.). Wait for the distribution to finish getting deployed, and test if it works. It's unlikely that this is needed, but in the unlikely case that the configuration has gone out of sync somewhere along the way, this should cause the TLS configuration to get redeployed entirely.

EXPERT
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions