Cannot attach a created certificate to my Lightsail distribution

0

I had a Lightsail instance "instance", followed by creating a static IP address and a distribution + SSL certificate for this distribution. Then I used a domain name to point to the CNAME entries provided by this SSL certificate. I am able to access the app of this instance via the given CloudFront address with the HTTPS protocol.

The problem I have is that whenever I try to enable the custom domain for this distribution I get the following error:

"AttachCertificateToDistribution[us-east-1]

Alternate Domain Names [x,y] have one or more parameter that is already associated with a different resource.

InvalidInputException"

So, I can access the instance with (for example) https://d827Of.cloudfront.net, but I cannot access https://customdomainname, because my certificate is not attached.

So, what do I need to do to enable custom domain with this Lightsail distribution?

3 Answers
3

Hi Leonardo,

Please go through the below steps, I hope it helps to resolve your issue.

1. Check for Existing Associations

First, verify that your custom domain is not already associated with another AWS resource. You can do this by:

AWS Certificate Manager (ACM) Check:

  • Navigate to the ACM console.
  • Find the certificate for your custom domain and check if it's already associated with another CloudFront distribution or Elastic Load Balancer.

CloudFront Distributions Check:

  • Go to the CloudFront console.
  • Check all your CloudFront distributions to see if any of them are using the custom domain as an Alternate Domain Name (CNAME).

2. Disassociate the Custom Domain if Needed

If you find that your custom domain is already associated with another resource, you need to disassociate it:

Disassociate from ACM:

  • If the domain is associated with another certificate, you might need to delete that association or the certificate itself if it's no longer needed.

Update CloudFront Distribution:

  • Remove the custom domain from any other CloudFront distribution's Alternate Domain Names settings.

3. Attach the SSL Certificate to the Lightsail Distribution

  • Once you've ensured that the custom domain is not associated with any other resource, proceed to attach the SSL certificate to your Lightsail distribution.

Lightsail Console:

  • Navigate to the Lightsail console.
  • Select the distribution you want to configure.

Attach Custom Domain and SSL Certificate:

  • In the distribution settings, go to the section for custom domains.
  • Attach the SSL certificate associated with your custom domain.

4. Update DNS Settings

Ensure your DNS settings are correctly configured to point to your Lightsail distribution:

CNAME Record:

  • In your DNS provider's console, create a CNAME record for your custom domain pointing to the CloudFront distribution URL (e.g., d827Of.cloudfront.net).

Propagation Time:

  • Note that DNS changes can take some time to propagate, so allow up to 24-48 hours for the changes to take effect.

Example Steps

Here's a more concrete example of these steps:

Verify Domain Ownership:

  • In ACM, make sure the certificate for customdomainname is validated and not associated with another resource.

Disassociate Old Resources:

  • In the CloudFront console, check if customdomainname is associated with any other distributions and remove it if necessary.

Attach Certificate to Lightsail Distribution:

  • Go to the Lightsail console.
  • Select your distribution, then navigate to the custom domains section.
  • Attach the previously validated SSL certificate for customdomainname.

Update DNS:

In your DNS management console (e.g., Route 53 or another DNS provider), create a CNAME record:

Name: customdomainname
Type: CNAME
Value: d827Of.cloudfront.net

Troubleshooting Tips

  • Double-Check ACM and CloudFront: Ensure there are no lingering associations with the custom domain.
  • DNS Propagation: DNS changes might take time to propagate. Use tools like dig or nslookup to verify the DNS record updates.

https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-validating-a-distribution-certificate.html

EXPERT
answered 4 months ago
  • I saw that my certificate is associated with a nonexistent CloudFront distribution: arn:aws:cloudfront::718770453195:distribution/E27R3ZHH2C499H

    but I have nothing in CloudFront. How can I remove it?

1
Accepted Answer

Hi,

You seem to be using API Gateway's edge-optimized custom domain name with a shared domain name that is the same as the one listed on your Lightsail certificate. That is what is being referred to by the ACM certificate in your account.

Please find more information below:

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-edge-optimized-custom-domain-name.html#how-to-custom-domain-log-cloudfront-distribution-update-in-cloudtrail

Because these CloudFront distributions are owned by API Gateway, each of these reported CloudFront distributions is identified by one of the following Region-specific API Gateway account IDs, instead of the API owner's account ID.

Region Account ID
us-east-2 718770453195

You will need to pick one out of these two ways and services to serve content for that domain name, and delete the second, not required, certificate and resources.

Thanks.

AWS
EXPERT
AWS-SUM
answered 4 months ago
  • This worked! Thank you. I was not aware of the API Gateway distributions. After removing it, the relationship with ACM was removed. Following this, I no longer encountered any errors when attaching the certificate on Lightsail.

  • No problem. Glad it worked out!
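The check that resolved this thread can be scripted. The following is an added example, not code from any of the answers: it labels each ARN in an ACM certificate's `InUseBy` list by owning account and lists API Gateway edge-optimized custom domains that reuse a name on the certificate. It assumes input shaped like the `Certificate` object from `aws acm describe-certificate` and the output of `aws apigateway get-domain-names`; the `example.com` names and account `111122223333` are constructed placeholders, while the distribution ARN and the API Gateway account ID are the ones quoted in the thread.

```python
# Region -> API Gateway-owned account ID, copied from the table in the answer above.
APIGW_ACCOUNTS = {"us-east-2": "718770453195"}

def owner_of(arn):
    """Return the account-ID field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[4]

def classify_in_use_by(cert, my_account_id):
    """Label every ARN in the certificate's InUseBy list by who owns the resource."""
    by_account = {acct: region for region, acct in APIGW_ACCOUNTS.items()}
    labels = []
    for arn in cert.get("InUseBy", []):
        acct = owner_of(arn)
        if acct == my_account_id:
            labels.append((arn, "own-account"))
        elif acct in by_account:
            labels.append((arn, f"api-gateway-managed ({by_account[acct]})"))
        else:
            labels.append((arn, "unknown-owner"))
    return labels

def conflicting_edge_domains(cert, domain_names):
    """API Gateway edge-optimized custom domains whose name is also on the certificate."""
    names = [cert["DomainName"], *cert.get("SubjectAlternativeNames", [])]
    cert_names = {n.lower().rstrip(".") for n in names}
    hits = []
    for item in domain_names.get("items", []):
        types = item.get("endpointConfiguration", {}).get("types", [])
        if "EDGE" in types and item["domainName"].lower().rstrip(".") in cert_names:
            hits.append(item["domainName"])
    return hits

# Constructed sample data; only the ARN below is taken from the thread.
MY_ACCOUNT = "111122223333"
CERT = {"DomainName": "app.example.com",
        "SubjectAlternativeNames": ["app.example.com", "www.example.com"],
        "InUseBy": ["arn:aws:cloudfront::718770453195:distribution/E27R3ZHH2C499H"]}
DOMAINS = {"items": [
    {"domainName": "app.example.com", "endpointConfiguration": {"types": ["EDGE"]}},
    {"domainName": "api.example.com", "endpointConfiguration": {"types": ["REGIONAL"]}}]}

if __name__ == "__main__":
    for arn, label in classify_in_use_by(CERT, MY_ACCOUNT):
        print(f"{label}: {arn}")
    print("edge-optimized domains to review:", conflicting_edge_domains(CERT, DOMAINS))
```

An `api-gateway-managed` label explains why the distribution does not appear in the account's own CloudFront console. Account IDs for other Regions can be added to `APIGW_ACCOUNTS` from the API Gateway documentation linked in the answer.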

0

Here is the documentation for setting up distributions for Lightsail:

https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-content-delivery-network-distributions.html#configure-distribution

Make sure that you have followed the order of the steps -- step 3 Create a Lightsail distribution and then step 6 Create a Lightsail SSL/TLS certificate. If you click into the detail in step 6 (Create SSL/TLS certificates for your distribution) you will notice the following in the top paragraph.

When you enable custom domains for your distribution, and choose the certificate, those domains are added as the custom domains of your distribution.

Given your error, it sounds like you do not have the necessary domains in your cert (the distribution and your custom domain).

Hope this helps.

AWS
EXPERT
iBehr
answered 4 months ago
  • I do not have any issue creating the DNS zone and my certificate; all validation with CNAME records works. My issue is when I try to attach this to my distribution's custom domains. Checking my ACM, I saw that there is a CloudFront instance related to the domain for which I just created the certificate, but on my CloudFront dashboard I do not have any instance listed.
