cloudonaut
Home Blog Podcast Books & Video Courses
Subscribe

Pitfall: ACM Certificate with CloudFormation

Andreas Wittig – 06 Sep 2016

Good news, CloudFormation added support for AWS Certificate Manager recently. Creating a CloudFront distribution which is using an ACM certificate is finally possible with CloudFromation as well.

The following listing shows the definition of an ACM certificate as well as its usage within a CloudFront distribution.

"Certificate" : {
  "Type": "AWS::CertificateManager::Certificate",
  "Properties": {
    "DomainName": "example.com",
    "DomainValidationOptions": [{
      "DomainName": "example.com",
      "ValidationDomain": "example.com"
    }]
  }
},
"Distribution": {
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    "DistributionConfig": {
      "Aliases": "example.com",
      "ViewerCertificate": {
        "AcmCertificateArn": {"Ref": "Certificate"},
        "SslSupportMethod": "sni-only"
      },
      [...]
    }
  }
}

Sounds great so far. Nevertheless, I struggled to create a stack containing the ACM certificate and a CloudFront distribution.

Andreas and Michael Wittig

Hej, Andreas & Michael here!

We launched the cloudonaut blog in 2015. Since then, we have published 325 articles: small tips and tricks, best practices, and service reviews. We enjoy writing about all things AWS a lot.

Do you like our blog posts and podcast episodes? Have you learned something new? Consider supporting us create in-depth and independent AWS content. Please help us with a monthly or one-time payment through GitHub Sponsors.

Start supporting us today!

CloudFormation reported the following error:

CREATE_FAILED    AWS::CloudFront::Distribution    Distribution    The specified SSL certificate doesn't exist, isn't valid, or doesn't include a valid certificate chain.

It took me some time to figure out the reason: I tried to create the stack in eu-west-1. But the ACM certificate needs to be created in us-east-1 when used together with CloudFront. So one possible solution was to create the CloudFormation stack in us-east-1. Lesson learned! :)

Published on

Tags: aws cloudformation cloudfront ssl tls
Andreas Wittig

Andreas Wittig

I'm an independent consultant, technical writer, and programming founder. All these activities have to do with AWS. I'm writing this blog and all other projects together with my brother Michael.

In 2009, we joined the same company as software developers. Three years later, we were looking for a way to deploy our software—an online banking platform—in an agile way. We got excited about the possibilities in the cloud and the DevOps movement. It’s no wonder we ended up migrating the whole infrastructure of Tullius Walden Bank to AWS. This was a first in the finance industry, at least in Germany! Since 2015, we have accelerated the cloud journeys of startups, mid-sized companies, and enterprises. We have penned books like Amazon Web Services in Action and Rapid Docker on AWS, we regularly update our blog, and we are contributing to the Open Source community. Besides running a 2-headed consultancy, we are entrepreneurs building Software-as-a-Service products.

We are available for projects.

Feedback? Questions? Drop me a line: Email, Twitter, LinkedIn.

Briefcase icon
Hire me

Further reading