📣 cloudonaut plus: 2 months for free with the yearly subscription

📣 plus: 2 months for free with the yearly subscription

cloudonaut
Home Blog Podcast Plus Books & Videos
Subscribe Plus

Pitfall: ACM Certificate with CloudFormation

Andreas Wittig – 06 Sep 2016

Good news, CloudFormation added support for AWS Certificate Manager recently. Creating a CloudFront distribution which is using an ACM certificate is finally possible with CloudFromation as well.

The following listing shows the definition of an ACM certificate as well as its usage within a CloudFront distribution.

"Certificate" : {
  "Type": "AWS::CertificateManager::Certificate",
  "Properties": {
    "DomainName": "example.com",
    "DomainValidationOptions": [{
      "DomainName": "example.com",
      "ValidationDomain": "example.com"
    }]
  }
},
"Distribution": {
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    "DistributionConfig": {
      "Aliases": "example.com",
      "ViewerCertificate": {
        "AcmCertificateArn": {"Ref": "Certificate"},
        "SslSupportMethod": "sni-only"
      },
      [...]
    }
  }
}

Sounds great so far. Nevertheless, I struggled to create a stack containing the ACM certificate and a CloudFront distribution.

cloudonaut plus

Staying ahead of the game with Amazon Web Services (AWS) is a challenge. Our weekly videos and online events provide independent insights into the world of cloud. Subscribe to cloudonaut plus to get access to our exclusive videos and online events.

Subscribe now!

CloudFormation reported the following error:

CREATE_FAILED    AWS::CloudFront::Distribution    Distribution    The specified SSL certificate doesn't exist, isn't valid, or doesn't include a valid certificate chain.

It took me some time to figure out the reason: I tried to create the stack in eu-west-1. But the ACM certificate needs to be created in us-east-1 when used together with CloudFront. So one possible solution was to create the CloudFormation stack in us-east-1. Lesson learned! :)

Published on

Tags: aws cloudformation cloudfront ssl tls
Andreas Wittig

Andreas Wittig

I'm an independent consultant, technical writer, and programming founder. All these activities have to do with AWS. I'm writing this blog and all other projects together with my brother Michael.

In 2009, we joined the same company as software developers. Three years later, we were looking for a way to deploy our software—an online banking platform—in an agile way. We got excited about the possibilities in the cloud and the DevOps movement. It’s no wonder we ended up migrating the whole infrastructure of Tullius Walden Bank to AWS. This was a first in the finance industry, at least in Germany! Since 2015, we have accelerated the cloud journeys of startups, mid-sized companies, and enterprises. We have penned books like Amazon Web Services in Action and Rapid Docker on AWS, we regularly update our blog, and we are contributing to the Open Source community. Besides running a 2-headed consultancy, we are entrepreneurs building Software-as-a-Service products.

We are available for projects.

You can contact me via Email, Twitter, and LinkedIn.

Briefcase icon
Hire me

Further reading