I had imported an SSL certificate into AWS a long time ago. It is currently installed on the ELB, and it is going to expire in 15 days. I am trying to get AWS to issue a new certificate, but it is stuck waiting for validation:
Currently Route53 is pointing to the ELB. If I enter "https://eyecloud.net.au" it works fine.
Now, I tried to create a CloudFront distribution so that I can redirect HTTP to HTTPS. But the imported SSL certificate does not show up:
I deleted the ELB, and the imported certificate is no longer in use, but it still doesn't show up on CloudFront.
The certificate you requested is displayed so that you can see the status of your request. After you write the DNS record or have ACM write the record for you, it typically takes DNS 30 minutes to propagate the record, and it might take several hours for Amazon to validate it and issue the certificate.
Open the AWS Certificate Manager console at https://console.aws.amazon.com/acm/home. Expand a certificate to view its details. Find the Renewal Status in the Details section. If you don't see the status, ACM hasn't started the managed renewal process for this certificate.
CloudFront supports the same certificate authorities that Mozilla does. For the current list, see Mozilla Included CA Certificate List. You can't use a self-signed certificate for HTTPS communication between CloudFront and your origin.
You can't associate more than one SSL or Transport Layer Security (TLS) certificate to an individual CloudFront distribution. However, certificates provided by AWS Certificate Manager (ACM) support up to 10 subject alternative names, including wildcards.
My problem was that I had generated a 4096 bit certificate, but CloudFront only allows 2048 bit certificates:
CloudFront [...] with ACM support a maximum of 2048-bit RSA certificates
I created my certificate with ZeroSSL and I didn't manage to create a 2048 bit one. To do that, I installed Ubuntu on my Windows machine (I needed to install the Windows Subsystem for Linux in the 'Turn Windows features on or off' section) and used Certbot for Ubuntu with this command to create a 2048 bit certificate using DNS validation:
certbot -d yourdomain -d www.yourdomain --manual --preferred-challenges dns certonly
The 4096 bit certificate didn't show up, but the new 2048 bit certificate did, after deleting the contents of the drop-down menu, as stated by @Gopgop. You can see what kind of encryption rate your certificate has when importing the certificate into AWS Certificate Manager, on the review and import page, under "Public key info". If you create a new certificate with ACM, that one automatically has 2048 bit encryption and can be used right away in CloudFront.
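As an added example (not part of the answer above), a small POSIX shell script that reads the public key size from a PEM certificate, the same figure ACM shows under "Public key info", so an oversized key is caught before the import step. It assumes `openssl` is on the PATH; the sample certificates it generates are constructed, throwaway self-signed ones used only to exercise the check.

```shell
#!/bin/sh
# Pre-import check: report the public key size of a PEM certificate and
# flag anything larger than the 2048-bit RSA maximum CloudFront accepts.
set -eu

# Print the public key size in bits for the certificate in file $1.
# Works for RSA and EC keys, since both print "Public-Key: (N bit)".
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 when the certificate's key size is usable with CloudFront
# (2048 bits or smaller), 1 otherwise (including unreadable input).
cloudfront_ok() {
  bits=$(cert_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -le 2048 ]
}

# Constructed sample data: write a throwaway self-signed certificate with an
# RSA key of $2 bits to file $1 (the private key is discarded).
make_selfsigned() {
  openssl req -x509 -newkey rsa:"$2" -nodes -keyout /dev/null -out "$1" \
    -subj "/CN=example.invalid" -days 1 2>/dev/null
}

# Usage: sh check_cert.sh mycert.pem
if [ -n "${1:-}" ]; then
  printf '%s: %s-bit key, ' "$1" "$(cert_key_bits "$1")"
  if cloudfront_ok "$1"; then
    echo "importable for CloudFront"
  else
    echo "too large for CloudFront, re-issue with a 2048-bit key"
  fi
fi
```

When re-issuing with Certbot, the `--rsa-key-size 2048` flag pins the key size explicitly instead of relying on the default.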