Pitfall: ACM Certificate with CloudFormation

Good news, CloudFormation added support for AWS Certificate Manager recently. Creating a CloudFront distribution which is using an ACM certificate is finally possible with CloudFromation as well.

The following listing shows the definition of an ACM certificate as well as its usage within a CloudFront distribution.

"Certificate" : {
"Type": "AWS::CertificateManager::Certificate",
"Properties": {
"DomainName": "example.com",
"DomainValidationOptions": [{
"DomainName": "example.com",
"ValidationDomain": "example.com"
}]
}
},
"Distribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"Aliases": "example.com",
"ViewerCertificate": {
"AcmCertificateArn": {"Ref": "Certificate"},
"SslSupportMethod": "sni-only"
},
[...]
}
}
}

Sounds great so far. Nevertheless, I struggled to create a stack containing the ACM certificate and a CloudFront distribution.

CloudFormation reported the following error:

CREATE_FAILED AWS::CloudFront::Distribution Distribution The specified SSL certificate doesn't exist, isn't valid, or doesn't include a valid certificate chain.

It took me some time to figure out the reason: I tried to create the stack in eu-west-1. But the ACM certificate needs to be created in us-east-1 when used together with CloudFront. So one possible solution was to create the CloudFormation stack in us-east-1. Lesson learned! :)

Published on


Andreas Wittig

Andreas Wittig

I’m the author of Amazon Web Services in Action. I work as a software engineer, and independent consultant focused on AWS and DevOps.

Is anything missing in my article? I'm looking forward to your feedback! @andreaswittig or andreas@widdix.de.

Amazon Web Services in Action

Amazon Web Services in Action introduces you to computing, storing, and networking in the AWS cloud.

Customer Reviews:

Subscribe to free monthly updates by email.


Subscribe for free