Import cert to ACM: certificate field contains more than one certificate

0

Hi,

I'm trying to import some ssl certificates in PEM format into AWS ACM via aws cli. The certificates import fine when using the aws web console, but when trying to import the same files with aws cli using the following command:

aws acm import-certificate --certificate ssl.website.com.crt --private-key ssl.website.com.key --certificate-chain ssl.website.com.ca --region us-east-2 --profile default

I get this error:

An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field.

I'm no expert with openssl, but AFAICS there's only one certificate on the pem file, there's only one BEGIN/END CERTIFICATE section. I found this command on this stackoverflow post to print the certificates on a pem file, and I only see one certificate in its output:

openssl crl2pkcs7 -nocrl -certfile ssl.website.com.crt | openssl pkcs7 -print_certs -noout
subject=OU = Domain Control Validated, CN = website.com

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

So why can't I import this certificate via the CLI?

asked 4 years ago, 2892 views
3 answers
0

This can happen if you are submitting a pem that contains the complete certificate chain in the certificate body. Do you have any options when you are doing the CSR generation about excluding the certificate chain (and intermediate and root certs) from the certificate? This should ensure that they are only listed in the certificate chain.

answered 4 years ago
0

Unfortunately I don't have access to the CSR files, we are receiving an existing infrastructure developed by another contractor. I only have access to the certificate files on the web server.

But why do the same files work on the web console and fail with the CLI? Is this limitation present only in the CLI tool?

And how can I check the list of certificates inside my PEM cert file? I'm no openssl expert, but I only see one CERTIFICATE BEGIN/END section in the file. If there were multiple certificates in the file, shouldn't there be multiple CERTIFICATE BEGIN/END sections?

Thanks.

answered 4 years ago
0

The issue was solved with the help of aws support. The certificate file was fine, the issue was that not all aws cli documentation is consistent. I was looking at:

https://docs.aws.amazon.com/cli/latest/reference/acm/import-certificate.html

Where it does not mention that parameter values must be preceded by "file://":

aws acm import-certificate --certificate file://ssl.website.com.crt --private-key file://ssl.website.com.key --certificate-chain file://ssl.website.com.ca --region us-east-2 --profile default
answered 4 years ago
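An added example (not part of the thread and not AWS tooling): a pre-flight check that counts the BEGIN CERTIFICATE blocks in each PEM file, which is the check asked about above, and prints the import command with the file:// prefixes from the fix. The function names and the sample files are constructed for illustration; the sample PEM bodies are placeholders, not real keys.

```shell
#!/bin/sh
# Pre-flight check for `aws acm import-certificate` (illustrative helper).

# Print how many certificates a PEM file holds (one per BEGIN CERTIFICATE line).
count_pem_certs() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -c -e '-----BEGIN CERTIFICATE-----' -- "$1" || true
}

# Validate the three inputs, then print (not run) the import command.
# The file:// prefix makes the CLI read the file's contents; without it the
# CLI passes the file name itself as the parameter value.
acm_import_cmd() {
    cert=$1; key=$2; chain=$3
    n=$(count_pem_certs "$cert") || return 2
    [ "$n" -eq 1 ] ||
        { echo "$cert: expected 1 certificate, found $n" >&2; return 1; }
    c=$(count_pem_certs "$chain") || return 2
    [ "$c" -ge 1 ] || { echo "$chain: no certificates found" >&2; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' -- "$key" ||
        { echo "$key: no private key block found" >&2; return 1; }
    printf 'aws acm import-certificate --certificate file://%s' "$cert"
    printf ' --private-key file://%s --certificate-chain file://%s\n' \
        "$key" "$chain"
}

# Write one constructed PEM block of the given type (placeholder body).
sample_pem() {
    printf '%s\n%s\n%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"
}

# Create constructed sample files in directory $1:
#   leaf.crt (1 cert), chain.ca (2 certs), fullchain.crt (3 certs), leaf.key
make_samples() {
    sample_pem CERTIFICATE > "$1/leaf.crt"
    { sample_pem CERTIFICATE; sample_pem CERTIFICATE; } > "$1/chain.ca"
    cat "$1/leaf.crt" "$1/chain.ca" > "$1/fullchain.crt"
    sample_pem 'PRIVATE KEY' > "$1/leaf.key"
}
```

Add `--region` and `--profile` to the printed command as needed before running it.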
