The error message you're encountering suggests that CloudFront is not recognizing your DigiCert wildcard certificate as trusted, despite DigiCert being a well-known trusted Certificate Authority. There are a few potential reasons for this issue and steps you can take to resolve it:
- Certificate Chain: Ensure that you've uploaded the entire certificate chain, including any intermediate certificates from DigiCert, not just the main certificate. CloudFront requires the complete chain to validate the certificate's trust.
- Region: CloudFront is particular about the region where certificates are uploaded. Make sure you've imported the certificate into AWS Certificate Manager (ACM) in the US East (N. Virginia) region, also known as us-east-1. This is a requirement for using custom SSL certificates with CloudFront.
- Certificate Format: Verify that the certificate is correctly formatted and not corrupted during the import process.
- Expiration: Check that the certificate is not expired and is still valid.
If you've confirmed all of these points and are still experiencing issues, you might consider using AWS Certificate Manager (ACM) to issue a new certificate for your domains. ACM-issued certificates are automatically trusted by CloudFront, are free of charge, and offer benefits like automatic renewal.
To use an ACM-issued certificate:
- Request a new certificate through ACM in the us-east-1 region.
- Validate domain ownership by adding the required CNAME records to your DNS.
- Once issued, attach the ACM certificate to your CloudFront distribution.
If you prefer to use your DigiCert certificate and the above steps don't resolve the issue, you may need to contact AWS Support for further assistance in diagnosing the problem with your specific certificate.
Sources:
- Cant attach certificate in cloudfront | AWS re:Post
- Troubleshooting distribution issues - Amazon CloudFront
- AWS private certificate issue | AWS re:Post
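As an added example (not code from the answer above, nor from AWS), a POSIX shell pre-flight script that checks the chain, format and expiry points listed in the answer before anything is imported, and then prints the ACM import command with the us-east-1 region and the chain field filled in. It assumes openssl on PATH and hypothetical file names for the leaf certificate, its private key, the DigiCert intermediates bundle and the DigiCert root.

```shell
#!/bin/sh
# Added example, not code from the re:Post answer: pre-flight checks that catch the
# "not trusted" import failures the answer lists (missing intermediates, bad format,
# expired cert) before the certificate is pushed to ACM in us-east-1 for CloudFront.
# Assumes openssl on PATH and these hypothetical files: the server cert (leaf),
# its private key, the DigiCert intermediates bundle, and the DigiCert root (used
# only for the local verify; the ACM chain field takes the intermediates).

# 0 when the file holds a parseable PEM certificate (catches truncation/encoding damage).
pem_is_valid() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Number of CERTIFICATE blocks in a bundle; the chain field should hold at least 1.
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# 0 when the cert stays valid for at least $2 more seconds (default 0 = not expired now).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 when leaf -> intermediates -> root builds a valid path. This is the same path
# construction ACM/CloudFront must perform, so a failure here is the failure seen on import.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# The import command: --region us-east-1 is mandatory for CloudFront, and
# --certificate-chain carries the intermediates (the "Certificate chain - optional" field).
acm_import_command() {
  printf 'aws acm import-certificate --region us-east-1 \\\n'
  printf '  --certificate fileb://%s --private-key fileb://%s \\\n' "$1" "$2"
  printf '  --certificate-chain fileb://%s\n' "$3"
}

# Runs every check; prints the import command only when all pass. Usage:
#   acm_preflight leaf.pem leaf.key digicert-intermediates.pem digicert-root.pem
acm_preflight() {
  pem_is_valid "$1" || { echo "leaf is not a valid PEM certificate" >&2; return 1; }
  [ "$(pem_cert_count "$3")" -ge 1 ] || { echo "chain bundle holds no certificates" >&2; return 1; }
  cert_not_expiring "$1" || { echo "leaf certificate is expired" >&2; return 1; }
  chain_verifies "$1" "$3" "$4" || { echo "leaf does not chain to root via the bundle" >&2; return 1; }
  acm_import_command "$1" "$2" "$3"
}
```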
This helped, it was the first item about the cert chain. I didn't realize I could include the whole chain in the "Certificate chain - optional" field when importing the certificate.