How do I resolve the "InvalidViewerCertificate" error exception while creating or updating a CloudFront distribution?


While trying to create or update an Amazon CloudFront distribution, I receive an "InvalidViewerCertificate" error exception. How can I resolve this?

Resolution

Follow the resolution steps for the error message that you receive:

"The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain."

This error message indicates that the certificate doesn't meet one or more of the following requirements for importing into AWS Certificate Manager (ACM), or for associating it with a distribution:

  • The certificate must be requested from, or imported into, ACM in the US East (N. Virginia) Region (us-east-1), regardless of the Region you work in.
  • The certificate's public key must be 2048 bits or smaller (CloudFront doesn't support larger RSA keys, such as 4096-bit).
  • The private key must not be password-protected (encrypted).
  • The certificate, its private key, and the certificate chain must be PEM encoded (not DER or PKCS#12).

Before you associate an imported certificate and chain with your CloudFront distribution, make sure that they meet all of these requirements. Alternatively, request a public certificate from ACM in the US East (N. Virginia) Region, which meets the requirements by default, and then associate the newly requested certificate with your distribution.

"To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name."

This error message indicates that the alternate domain names (CNAMEs) on the distribution aren't covered by the Subject Alternative Name (SAN) of the certificate that you provided. You can request a public certificate with ACM, or you can contact your certificate authority (CA) for an updated certificate that covers the alternate domain names on the distribution.

"The certificate that is attached to your distribution has too many certificates in the certificate chain."

This error message indicates that the number of certificates in the chain exceeds the maximum value of five. You need a new certificate chain with five or fewer certificates. If your current certificate authority (CA) doesn't support this, you can use ACM to issue a free valid certificate.

"The certificate that is attached to your distribution has one or more expired certificates in the certificate chain. Make sure that each certificate in the chain is valid for the current date by reviewing the Not Valid After field."

This error message indicates that one or more certificates in the chain that CloudFront is trying to use have expired. Download the current chain files from your certificate authority (CA), and reimport your certificate and chain files into either ACM or AWS Identity and Access Management (IAM). Then, retry your request. If your current CA doesn't support this, you can use ACM to issue a free valid certificate.

"The certificate that is attached to your distribution has one or more certificates in the certificate chain that aren't valid yet. Make sure that each certificate in the chain is valid for the current date by reviewing the Not Valid Before field."

This error message indicates that one or more certificates in the chain that CloudFront is trying to use aren't valid yet: the Not Valid Before date of the certificate is in the future. Download the proper chain files from your certificate authority (CA), and reimport your certificate and chain files into either ACM or IAM. Then, retry your request. If your current CA doesn't support this, you can use ACM to issue a free valid certificate.

"The certificate that is attached to your distribution was not issued by a trusted Certificate Authority."

This error message indicates that the certificate wasn't issued by a trusted certificate authority (CA). Issue a certificate from a trusted CA for CloudFront to allow you to use an alternate domain name (CNAME). If your current CA doesn't support this, you can use ACM to issue a free valid certificate.

Note: Self-signed certificates aren't supported.

"The certificate that is attached to your distribution has a value in the SAN field that is not correctly formatted."

This error message indicates that the Subject Alternative Name (SAN) isn't formatted properly. CloudFront requires that each entry be either a DNS name containing a fully qualified domain name (FQDN) or the IP address of a server. Wildcard entries are valid, but a wildcard covers only one label, so you can't add alternate domain names (CNAMEs) that are at a higher or lower level than the wildcard (for example, *.example.com covers www.example.com but not example.com or a.b.example.com). If your current certificate authority (CA) doesn't support this, you can use ACM to issue a free valid certificate.

"The certificate that you specified doesn't cover the alternate domain name (CNAME) that you're trying to add."

This error message indicates that one or more of the alternate domain names (CNAMEs) that you're trying to associate to your distribution aren't included in the certificate's Subject Alternative Name (SAN) provided in the CreateDistribution or UpdateDistribution API calls. Verify that you're providing the correct certificate in the API call.
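The following script is an added example and not part of the original AWS article or any AWS tool. It checks the parts of the requirements above that can be verified offline without an X.509 parser: that the certificate, chain and key files are PEM encoded with valid base64, that the chain has at most five certificates, that the private key isn't password-protected, and that every alternate domain name (CNAME) is covered by a SAN entry under the one-label wildcard rule. It does not check dates, key size or issuer trust; use openssl or ACM for those. The function names, the constants and the sample PEM blocks are constructed for this example (the sample blocks have correct PEM framing around arbitrary bytes and are not real certificates).

```python
"""Pre-flight checks for a CloudFront viewer certificate bundle (stdlib only).

Checks PEM framing, chain length, encrypted private keys and CNAME-to-SAN
coverage. It does NOT parse X.509 (dates, key size, issuer), so it complements
rather than replaces openssl or ACM. Names here are assumptions for this
example, not an AWS API.
"""
import base64
import binascii
import re

MAX_CHAIN_CERTS = 5  # CloudFront rejects chains with more than five certificates

# One PEM block: "-----BEGIN X-----", body, "-----END X-----" with matching label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return [(label, body), ...]; raise ValueError if the PEM framing is broken."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # Encrypted PKCS#1 keys carry "Proc-Type:"/"DEK-Info:" header lines before
        # the base64; base64 never contains ':' so those lines are dropped here.
        b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
        try:
            base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}")
        blocks.append((label, body))
    if text.strip() and not blocks:
        raise ValueError("no PEM blocks found: the file must be PEM encoded, not DER")
    return blocks


def check_bundle(cert_pem, chain_pem, key_pem):
    """Return a list of findings; an empty list means the framing checks pass."""
    findings = []
    leaf = [b for b in parse_pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    if len(leaf) != 1:
        findings.append(f"certificate body must hold exactly one CERTIFICATE, found {len(leaf)}")
    chain = [b for b in parse_pem_blocks(chain_pem) if b[0] == "CERTIFICATE"]
    total = len(leaf) + len(chain)
    if total > MAX_CHAIN_CERTS:
        findings.append(f"chain has {total} certificates; CloudFront allows at most {MAX_CHAIN_CERTS}")
    for label, body in parse_pem_blocks(key_pem):
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is password-protected; import an unencrypted key")
    return findings


def cname_covered(cname, sans):
    """True if a SAN entry covers the CNAME under CloudFront's one-label wildcard rule:
    *.example.com covers www.example.com but not example.com or a.b.example.com."""
    name = cname.lower().rstrip(".")
    labels = name.split(".")
    for san in (s.lower().rstrip(".") for s in sans):
        if san == name:
            return True
        if san.startswith("*."):
            suffix = san[2:]
            if (labels[0] and len(labels) == suffix.count(".") + 2
                    and ".".join(labels[1:]) == suffix):
                return True
    return False


def uncovered_cnames(cnames, sans):
    """CNAMEs that would trigger the "doesn't cover the alternate domain name" error."""
    return [c for c in cnames if not cname_covered(c, sans)]


def _fake_pem(label, payload, headers=""):
    """Constructed placeholder: correct PEM framing around arbitrary bytes.
    NOT a real certificate or key; it only exercises the framing checks."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"


# Constructed sample inputs (not real certificates or keys).
SAMPLE_LEAF = _fake_pem("CERTIFICATE", b"leaf")
SAMPLE_CHAIN_OK = "".join(_fake_pem("CERTIFICATE", bytes([i]) * 8) for i in range(2))
SAMPLE_CHAIN_LONG = "".join(_fake_pem("CERTIFICATE", bytes([i]) * 8) for i in range(5))
SAMPLE_KEY_PLAIN = _fake_pem("PRIVATE KEY", b"key")
SAMPLE_KEY_ENCRYPTED = _fake_pem("RSA PRIVATE KEY", b"key",
                                 "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

if __name__ == "__main__":
    print(check_bundle(SAMPLE_LEAF, SAMPLE_CHAIN_LONG, SAMPLE_KEY_ENCRYPTED))
    print(uncovered_cnames(["www.example.com", "example.com", "a.b.example.com"],
                           ["*.example.com"]))
```

Run it against your own files by reading them into `check_bundle` and passing the distribution's alternate domain names together with the SAN list from `openssl x509 -noout -ext subjectAltName` to `uncovered_cnames`; any non-empty result corresponds to one of the error messages above.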

"CloudFront encountered an internal error. Please try again."

This error message indicates that there was an internal problem when issuing the CreateDistribution or UpdateDistribution API call. It's a best practice to retry the API call later. If this error continues for an extended period, check the AWS Service Health Dashboard for possible ongoing issues.

"The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain."

This error message might also occur when there is an explicit deny statement for AWS KMS in the policy evaluation for the user or role making the request, because ACM uses AWS KMS to protect the certificate's private key. The error is most common when any of the following AWS KMS actions are explicitly denied: kms:DescribeKey, kms:CreateGrant, or kms:*.

These deny statements can appear anywhere in the policy evaluation for the user or role: for example, in identity-based policies, service control policies (SCPs), or permissions boundaries. To learn more, see Evaluating policies within a single account.


AWS OFFICIAL
Updated 2 years ago
1 Comment

If you get the error message "The certificate that is attached to your distribution was not issued by a trusted Certificate Authority." AND your certificate provider IS listed by Mozilla as trusted, then your provider might use an intermediate CA for issuing certificates. When importing your own certificate, import the intermediate CA certificate with it (you don't need the full chain).

Zoltan
replied 3 months ago