Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AWS Certificate Reimport reflection on CloudFront

As my SSL certificate expired, I've received the renewal from the certificate authority and reimported on AWS Certificate Manager console and it promptly changed from Expired back to Issued. It is directly linked to a CloudFront distribution and it looks like after a while won't reflect that very change. I've then checked it's SSL Certificate Identifier which matches the correct ACM entry. I've invalidated all the cache after that to make sure it would reflect even on a anonymous window but there is no luck just yet.

I was unable to find on AWS documentation if it would take several hours to reflect or any other action is required in order to get it working. One thing I didn't try was to clear local browser cache as I understand that several users depend on that and somehow I'd like this update to be transparent to all of them.

I appreciate any clues or tips on this matter.

like image 236
fagiani Avatar asked Oct 09 '17 14:10

fagiani


2 Answers

I was able to get the new certificate transparently reflected to users by going to the CloudFront distribution and setting the SSL Certificate value to the Default SSL CloudFront Certificate (*.cloudfront.net) then after deploy and propagation, re-selected the Custom SSL Certificate (example.com) from ACM.

Hope it helps anyone on the same situation in the future.

like image 75
fagiani Avatar answered Oct 11 '22 20:10

fagiani


If your certificate has already expired, importing the renewed certificate as a new one and switching to it in the CloudFront distribution settings is the quickest way to fix the problem. But if you still have some time left before it expires, reimporting is the correct way. The benefit is that if you use it in more than one place, e.g. using the same wildcard certificate in multiple distributions, you don't have to go and change it multiple times. In my case, I reimported it and checked back 12 hours later and CloudFront had already applied it.

like image 26
Iamz Avatar answered Oct 11 '22 20:10

Iamz