Pitfall: ACM Certificate with CloudFormation

Good news, CloudFormation added support for AWS Certificate Manager recently. Creating a CloudFront distribution which is using an ACM certificate is finally possible with CloudFromation as well.

The following listing shows the definition of an ACM certificate as well as its usage within a CloudFront distribution.

"Certificate" : {
  "Type": "AWS::CertificateManager::Certificate",
  "Properties": {
    "DomainName": "example.com",
    "DomainValidationOptions": [{
      "DomainName": "example.com",
      "ValidationDomain": "example.com"
    }]
  }
},
"Distribution": {
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    "DistributionConfig": {
      "Aliases": "example.com",
      "ViewerCertificate": {
        "AcmCertificateArn": {"Ref": "Certificate"},
        "SslSupportMethod": "sni-only"
      },
      [...]
    }
  }
}

Sounds great so far. Nevertheless, I struggled to create a stack containing the ACM certificate and a CloudFront distribution.

CloudFormation reported the following error:

CREATE_FAILED    AWS::CloudFront::Distribution    Distribution    The specified SSL certificate doesn't exist, isn't valid, or doesn't include a valid certificate chain.

It took me some time to figure out the reason: I tried to create the stack in eu-west-1. But the ACM certificate needs to be created in us-east-1 when used together with CloudFront. So one possible solution was to create the CloudFormation stack in us-east-1. Lesson learned! :)

Read on


Share

           

RSS

  RSS

Newsletter


Andreas Wittig

Andreas Wittig

I’m the author of Amazon Web Services in Action. I work as a software engineer, and independent consultant focused on AWS and DevOps. Hire me!

Is anything missing in my article? I'm looking forward to your feedback! @andreaswittig or andreas@widdix.de.


Published on
Tagged with AWS, CloudFormation, CloudFront, SSL,