I can't delete my certificate because it's associated with an invisible CloudFront distribution

0

I have a certificate in AWS Certificate Manager that I would like to delete (I need to recreate it to include a root domain). When I try to delete it, I get an error saying that it is associated with a CloudFront distribution and cannot be deleted. However, in CloudFront, I have no distributions listed. How can I dissociate the certificate from the resource?

I found a similar question and looked for API Gateway resources. I found one and it had a custom domain name similar to the certificate. I've deleted both the custom domain and the API Gateway and they're no longer listed in the API Gateway interface, but I'm still not able to delete the certificate because it's associated with this unknown CloudFront resource.

4 Answers
0
Accepted Answer

After some time passed, I was able to delete the certificate. It seems that deleting the API Gateway was indeed the cause of the error, and it simply needed some additional time to pass after deletion before I could delete the associated certificate.

ben
answered 2 years ago
EXPERT
reviewed 1 month ago
0

Hello Ben,

From your question I have understood that you are unable to find an ACM certificate and the associations with it. You were correct that to delete a certificate that is in use, you must first remove the certificate association. This can be done using the console or CLI for the associated service. I will link a general guide below: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html

AWS
SUPPORT ENGINEER
answered 2 years ago
0

Yep API GW edge-optimised APIs are accessed through a CloudFront distribution you don't own - it's in an AWS-managed account. It will use your cert though as you've seen. "aws apigateway get-domain-names" can be used to see the distribution domain names.

EXPERT
answered 2 years ago
0

I'm facing the same issue. It's been 1 day already since I deleted the associated API Gateway custom domain. The certificate still seems to be associated with some resources that do not exist in my account. This is what I see:

Associated resources (3)

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-104/87ea7bd28e18ef45

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-793/dd9eb9379f71a0ba

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-862/56fc8591797a2875

This shown account id is not mine.

Kevin
answered 2 months ago
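
An added example, not part of the thread: the answers above point at "aws apigateway get-domain-names" and at associated-resource ARNs that carry an account ID the poster does not own. The Python sketch below cross-references the two outputs to show which API Gateway custom domains still reference a certificate and which InUseBy ARNs belong to another account. The ARNs, account IDs and domain names are constructed sample data; the field names follow the JSON printed by "aws acm describe-certificate" and "aws apigateway get-domain-names".

```python
import json

CERT_ARN = "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-CERT"  # constructed

# Constructed stand-in for: aws acm describe-certificate --certificate-arn "$CERT_ARN"
ACM_DOC = {"Certificate": {"CertificateArn": CERT_ARN, "InUseBy": [
    "arn:aws:cloudfront::999999999999:distribution/EXAMPLEDIST",
    "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/example/0000",
]}}

# Constructed stand-in for: aws apigateway get-domain-names
APIGW_DOC = {"items": [
    {"domainName": "api.example.com", "certificateArn": CERT_ARN,
     "distributionDomainName": "dexample.cloudfront.net"},
    {"domainName": "other.example.com",
     "regionalCertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/OTHER",
     "regionalDomainName": "d-example.execute-api.us-east-1.amazonaws.com"},
]}


def arn_account(arn):
    """Return the account-id field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 else ""


def audit(acm_doc, apigw_doc):
    """Split InUseBy by owning account and list API Gateway domains bound to the cert."""
    cert = acm_doc["Certificate"]
    cert_arn = cert["CertificateArn"]
    owner = arn_account(cert_arn)  # the account that owns the certificate
    in_use = cert.get("InUseBy", [])
    return {
        "own": [a for a in in_use if arn_account(a) == owner],
        # Resources in another account cannot be detached from your own console.
        "foreign": [a for a in in_use if arn_account(a) != owner],
        "apigw_domains": [
            (d["domainName"], d.get("distributionDomainName") or d.get("regionalDomainName"))
            for d in apigw_doc.get("items", [])
            if cert_arn in (d.get("certificateArn"), d.get("regionalCertificateArn"))
        ],
    }


if __name__ == "__main__":
    print(json.dumps(audit(ACM_DOC, APIGW_DOC), indent=2))
```

With real data, pass the parsed JSON output of the two CLI commands to audit() in place of the constructed documents.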
