How can I fully free up a certificate created via Lightsail?


All via Lightsail, I created an Instance, attached a Static IP to it, created a Distribution, then set a Custom Domain on the Distribution, creating a Certificate. I attached that Certificate to the Distribution and all was well. This was being done in an experimental fashion. Deciding I wanted to use a different type of Instance, I nuked everything. No more Instance, no more Distribution, etc...

BUT, when I try to create everything all over again, the Instance is created just fine. The Static IP is created fine and attached as well. The Distribution setup is a breeze. Everything is perfect, except for the final steps, pertaining to the Certificate.

When I create the Certificate, the system acts as though it was still hanging around because the DNS entries for validation are exactly the same as before. As a result, the certificate seems to become validated almost instantly, quicker than before. Then, when I try to attach the Certificate to the Distribution, it throws the following error:

AttachCertificateToDistribution[us-east-1] Alternative Domain Names [] have one or more parameter that is already associated with a different resource. InvalidInputException

In the AWS Dashboard GUI for Lightsail, when picking a Certificate to attach to the Distribution, it says the Certificate is "Valid, not in use". But, still it throws this error.

So, I tried a different method where I made sure everything was detached and deleted via the AWS CLI. All seemed to be free and clear. Nothing hanging around that could be seen. I went through all of the normal steps that work via the AWS CLI to perform the same setup. Again, during the Certificate creation it seems to go much faster than usual, is instantly validated, and the validation CNAME record is the exact same as before. When I go to attach the Certificate via the AWS CLI, it gives this error:

An error occurred (InvalidInputException) when calling the AttachCertificateToDistribution operation: Alternative Domain Names [] have one or more parameter that is already associated with a different resource.

I feel like either the Distribution (though getting deleted) is still hanging around and is still attached to the domain OR the Certificate is hanging around and is somehow referencing what it used to be attached to (which I believe would be the CloudFront Distribution, which goes back to my feeling that the Distribution itself is still hanging around even though it has been nuked via Lightsail.)

Any idea what I can do to get this to move forward without having to just pick another domain to use? I'm concerned that I'm going to end up in this boat one day with something that's fully in production and I'll be stuck. Is this just the risk of using Lightsail versus putting in the extra effort of setting up the EC2 instance and other configurations outside of Lightsail?

3 Answers

If that is the case, please explore the "AWS Resource Explorer" to find the resources under your account and delete unnecessary resources one by one. By the way, some of the resources have to be disabled first and then deleted.

You can also find these useful links, which may be of assistance.

Please let me know whether this information was helpful.

answered a year ago

It sounds as though this might be an issue programmatically in the console; the InvalidInputException should be for form submission with the underlying API calls to attach the certificate to the distribution.

I would repeat your steps, but create your distribution with a name that wouldn't be in your certificate, e.g. anything different from the common name or alternate name in the certificate itself.

Please let us know what you find out. Thanks!

answered a year ago

  1. To view and delete all of your Lightsail Certificates (related to resources like Distribution and Container Service) please visit this specific page of the Lightsail console:
  2. With regards to the certificate domain validation CNAME records being the same, that is NOT due to any certificate being left behind, but instead because, for a fully qualified domain name (FQDN), the validation record remains the same for any certificate in your account, to avoid the need to re-validate that FQDN for newer certificates with the same FQDN, a renewed certificate, etc.
  3. The above error indicates that some FQDN on the certificate is still in use with another resource, and this can be a Lightsail load balancer or container service in any AWS Region, or even any resource in your account in another AWS service like CloudFront, etc. Any chance of any such resource existing?
AWS
answered a year ago
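
One way to run the check described in point 3 above, as an added example that is not part of the answers or AWS's own tooling: it lists every custom domain still claimed by a Lightsail distribution, container service or load balancer in each Region, plus CloudFront aliases, and reports the ones that overlap the certificate's FQDNs. The function names are hypothetical, and it assumes boto3 with read-only credentials and Lightsail results that fit on one page.

```python
def _norm(name):
    return name.strip().rstrip(".").lower()

def overlaps(a, b):
    """True if the names are equal or one is a wildcard covering the other."""
    a, b = _norm(a), _norm(b)
    wild = lambda p, n: p.startswith("*.") and n.endswith(p[1:])
    return a == b or wild(a, b) or wild(b, a)

def find_users(fqdns, inventory):
    """Rows of (service, region, resource, domain) that still claim any FQDN."""
    return [row for row in inventory if any(overlaps(f, row[3]) for f in fqdns)]

def collect_inventory():
    """Yield (service, region, resource, domain); Lightsail paging is not followed."""
    import boto3  # imported lazily so find_users() works without AWS access
    ls = boto3.client("lightsail", region_name="us-east-1")  # distributions API
    for d in ls.get_distributions()["distributions"]:
        for dom in d.get("alternativeDomainNames", []):
            yield ("lightsail-distribution", "global", d["name"], dom)
    for region in [r["name"] for r in ls.get_regions()["regions"]]:
        rc = boto3.client("lightsail", region_name=region)
        for cs in rc.get_container_services()["containerServices"]:
            for doms in cs.get("publicDomainNames", {}).values():
                for dom in doms:
                    yield ("lightsail-container", region, cs["containerServiceName"], dom)
        for lb in rc.get_load_balancers()["loadBalancers"]:
            certs = rc.get_load_balancer_tls_certificates(loadBalancerName=lb["name"])
            for c in certs["tlsCertificates"]:
                if c.get("isAttached"):
                    for dom in [c["domainName"], *c.get("subjectAlternativeNames", [])]:
                        yield ("lightsail-load-balancer", region, lb["name"], dom)
    cf = boto3.client("cloudfront")
    for page in cf.get_paginator("list_distributions").paginate():
        for d in page["DistributionList"].get("Items", []):
            for dom in d["Aliases"].get("Items", []):
                yield ("cloudfront", "global", d["Id"], dom)

# Constructed sample rows (not real resources), for trying find_users() offline.
SAMPLE = [
    ("lightsail-distribution", "global", "Distribution-1", "static.example.org"),
    ("lightsail-container", "eu-west-1", "old-api", "www.example.com."),
    ("cloudfront", "global", "EXAMPLEID", "*.example.net"),
]

if __name__ == "__main__":
    import sys
    for row in find_users(sys.argv[1:], collect_inventory()):
        print(*row)
```

Run it with the certificate's domain names as arguments; any row printed is a resource that has to release the domain before the certificate can be attached elsewhere.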
