I tried to delete my ACM certificate but received an error that it's in use with other AWS resources
I want to delete an AWS Certificate Manager (ACM) certificate. However, I receive an error similar to "The certificate is in use (associated with other AWS resources) and cannot be deleted. Disassociate the certificate from each resource in the list and try again."
Short description
Deploying an edge-optimized API endpoint creates an Amazon CloudFront distribution by Amazon API Gateway. Deploying a Regional API endpoint creates an Application Load Balancer by API Gateway. The CloudFront distribution or Application Load Balancer is owned by API Gateway, not your account. The ACM certificate provided to deploy API Gateway is associated with the CloudFront distribution or Application Load Balancer.
Similarly, adding a custom domain to your Amazon Cognito user pool creates a CloudFront distribution. The CloudFront distribution is owned by the Amazon Cognito service, not by your account. The ACM certificate that's provided when you create the custom domain is associated with the CloudFront distribution.
Defining a custom endpoint for your domain in Amazon OpenSearch Service creates an Application Load Balancer. The Application Load Balancer is owned by the OpenSearch Service, not by your account. The ACM certificate that's provided when you create the custom endpoint is associated with the Application Load Balancer.
Note: You can check the resource that the ACM certificate is associated with by running the describe-certificate command with AWS Command Line Interface (AWS CLI).
Resolution
Remove the association of the ACM certificate with the CloudFront distribution or Application Load Balancer. To do this, you must replace the ACM certificate associated with the custom domain, or delete the custom domain.
Important:
- Before you begin, be sure that you have installed and configured the AWS CLI.
- If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
To remove the association of the ACM certificate, do one of the following:
- To replace the ACM certificate for API Gateway, see Rotate a certificate imported into ACM.
- To replace the ACM certificate for Amazon Cognito, see Changing the SSL certificate for your custom domain.
- To delete the custom domain name for API Gateway, run the AWS command delete-domain-name.
- To delete the custom domain name for Amazon Cognito, run the AWS command delete-user-pool-domain.
- To update the ACM certificate for Amazon ES, see Creating a custom endpoint for Amazon OpenSearch Service.
Then, delete the ACM certificate.
Related information
My SAM stack delete has just failed because a Certificate cannot be deleted because it has an "associated resource" pointing to the Cloud Front distribution that I created in the same stack. The Cloud Front distribution has been marked as successfully deleted. It's already been 2 days and the Certificate still thinks there is an associated resource. Any ideas what to do in this scenario?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Contenido relevante
- OFICIAL DE AWSActualizada hace 5 meses
- OFICIAL DE AWSActualizada hace un año
- OFICIAL DE AWSActualizada hace un año
- OFICIAL DE AWSActualizada hace 4 meses