How do I resolve ACM certificate errors that occur when I used HTTPS to access my website?

5 minute read
0

I used a certificate from AWS Certificate Manager (ACM) to access my website over a HTTPS connection. However, I received error messages that the connection isn't secure, private, or trusted.

Short description

If you use HTTPS connections for your website, then a SSL/TLS certificate is required. When your browser accesses the website, all the data fields in the server certificate must be valid. Your browser identifies data fields that aren't valid as an insecure connection.

You might receive a certificate error message in the following scenarios:

  • The certificate isn't valid for the name of the server.
  • The certificate is expired.
  • The SSL/TLS certificate for the website isn't trusted.
  • Your connection isn't fully secured.
  • The certificate isn't associated with a supported AWS service.
  • HTTP traffic isn't redirected to HTTPS.
  • Your website or application uses a pinned certificate.
  • Certificate transparency logging isn't turned on.

Resolution

The certificate isn't valid for the name of the server

Check the domain that your clients accessed, and then check the domain names that are included in your server certificate. Use your browser to view the domain name and check the certificate details. The domain in the URL must match at least one of the domain names that's included in the certificate. If you use a wildcard name (*), then the wildcard matches only one subdomain level. For example, *.example.com can protect login.example.com and test.example.com, but the wildcard can't protect test.login.example.com or example.com.

If clients can use example.com and www.example.com to access your website, then add multiple domain names to your certificate. The added domain names cover other possible domain and subdomain names for your website. For more information, see ACM certificate characteristics.

The certificate is expired

If you use a certificate that ACM issued, then ACM tries to automatically renew the certificate. If the certificate is expired, then you must issue or import a new certificate. After a new certificate is issued, confirm that your DNS records point to the AWS resource where the ACM certificate is used. For more information, see Troubleshooting managed certificate renewal.

The SSL/TLS certificate for the website isn't trusted

Public certificates that ACM issues are trusted by most modern browsers, operating systems, and mobile devices. Update your browser to the latest version, or try to access the domain from a different computer and browser. If you used ACM to import a self-signed or public-issued certificate, then some browsers don't trust the certificate.

To resolve this error, use ACM to request a public certificate, or contact your certificate authority (CA).

Your connection isn't fully secured

If an initial request and parts of the website are established over HTTPS and other parts are established over HTTP, then mixed content can occur. With mixed content, clients that access your website see the error message "Your connection is not fully secured". This is because website elements in your source code use HTTP instead of HTTPS.

To resolve this error, update your source code to load all the resources on your website over HTTPS.

The certificate isn't associated with a supported AWS service

You can't install ACM certificates or private AWS Private CA certificates directly on your AWS based website or application. ACM certificates must be configured with supported AWS services. For more information, see Services integrated with ACM.

HTTP traffic isn't redirected to HTTPS

Websites configured with ACM certificates use HTTP traffic for access. You can use an Application Load Balancer to redirect HTTP requests to HTTPS. You can also use an Application Load Balancer to redirect one domain to another.

If you use Amazon CloudFront, then you can configure your distribution to require HTTPS traffic. For more information, see How do I configure my CloudFront distribution to use an SSL/TLS certificate?

Your website or application uses a pinned certificate

It's not a best practice to pin your website or application to an SSL/TLS certificate issued by ACM. Instead, pin your website or application to all the CAs in the Amazon trust services table.

For more information, see Can I pin an application that's running on AWS to a certificate that was issued by ACM?

Certificate transparency logging isn't turned on

Certificate transparency logging is turned on by default for ACM issued certificates. If you opted out of transparency logging and you want to turn it back on, you must activate transparency logging when renewing or issuing the certificate.

Related information

How can I associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer?

How do I upload SSL certificates for my Classic Load Balancer to prevent clients from receiving "untrusted certificate" errors?

Importing certificates into ACM

AWS OFFICIAL
AWS OFFICIALUpdated 17 days ago