Pitfall: ACM Certificate with CloudFormation

Andreas Wittig – 06 Sep 2016

Good news: CloudFormation recently added support for AWS Certificate Manager. Creating a CloudFront distribution that uses an ACM certificate is finally possible with CloudFormation as well.

The following listing shows the definition of an ACM certificate as well as its usage within a CloudFront distribution.

"Certificate": {
  "Type": "AWS::CertificateManager::Certificate",
  "Properties": {
    "DomainName": "example.com",
    "DomainValidationOptions": [{
      "DomainName": "example.com",
      "ValidationDomain": "example.com"
    }]
  }
},
"Distribution": {
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    "DistributionConfig": {
      "Aliases": ["example.com"],
      "ViewerCertificate": {
        "AcmCertificateArn": {"Ref": "Certificate"},
        "SslSupportMethod": "sni-only"
      },
      [...]
    }
  }
}

Sounds great so far. Nevertheless, I struggled to create a stack containing the ACM certificate and a CloudFront distribution.

CloudFormation reported the following error:

CREATE_FAILED    AWS::CloudFront::Distribution    Distribution    The specified SSL certificate doesn't exist, isn't valid, or doesn't include a valid certificate chain.

It took me some time to figure out the reason: I tried to create the stack in eu-west-1. But the ACM certificate needs to be created in us-east-1 when used together with CloudFront. So one possible solution was to create the CloudFormation stack in us-east-1. Lesson learned! :)
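The region mismatch can be caught before deployment. The following check is an added example, not code from the original post: `check_cloudfront_certs` and the sample template are constructed for illustration, and the check assumes the template is available as parsed JSON together with the region the stack will be created in.

```python
import json

CLOUDFRONT_ACM_REGION = "us-east-1"  # ACM certificates for CloudFront must live here

def check_cloudfront_certs(template, stack_region):
    """Flag distributions whose ACM certificate would not be in us-east-1
    if the template were deployed as a stack in stack_region."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::CloudFront::Distribution":
            continue
        config = res.get("Properties", {}).get("DistributionConfig", {})
        arn = config.get("ViewerCertificate", {}).get("AcmCertificateArn")
        if arn is None:
            continue  # default CloudFront certificate or IAM certificate
        region = None
        if isinstance(arn, dict) and "Ref" in arn:
            # Ref to a certificate in this template: it is created in the stack's region
            target = resources.get(arn["Ref"], {})
            if target.get("Type") == "AWS::CertificateManager::Certificate":
                region = stack_region
        elif isinstance(arn, str):
            # Literal ARN: arn:aws:acm:<region>:<account>:certificate/<id>
            parts = arn.split(":")
            if len(parts) >= 6 and parts[2] == "acm":
                region = parts[3]
        if region is None:
            findings.append((name, "certificate region cannot be resolved statically"))
        elif region != CLOUDFRONT_ACM_REGION:
            findings.append((name, f"certificate in {region}, CloudFront requires {CLOUDFRONT_ACM_REGION}"))
    return findings

# Constructed sample mirroring the template in this post
SAMPLE = json.loads("""
{"Resources": {
  "Certificate": {"Type": "AWS::CertificateManager::Certificate",
                  "Properties": {"DomainName": "example.com"}},
  "Distribution": {"Type": "AWS::CloudFront::Distribution",
    "Properties": {"DistributionConfig": {
      "Aliases": ["example.com"],
      "ViewerCertificate": {"AcmCertificateArn": {"Ref": "Certificate"},
                            "SslSupportMethod": "sni-only"}}}}
}}
""")

if __name__ == "__main__":
    for region in ("eu-west-1", "us-east-1"):
        print(region, check_cloudfront_certs(SAMPLE, region))
```

A certificate ARN passed in through a stack parameter is reported as unresolved, because its region is only known at deploy time.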