[BUG?] Can't delete ACM certificate due to association to AWS Internal account - The certificate is in use (associated with other AWS resources) and cannot be deleted.


ERROR:

Certificate is in use
The certificate (***) is in use (associated with other AWS resources) and cannot be deleted. Dissociate the certificate from each resource in the list and try again.

Associated resources
arn:aws:elasticloadbalancing:us-east-1:250044486744:loadbalancer/app/prod-iad-1-az1-1-74/aaef435ee82b00f4
arn:aws:elasticloadbalancing:us-east-1:250044486744:loadbalancer/app/prod-iad-1-az4-1-145/a8e5d89d2f1e4c8f
arn:aws:elasticloadbalancing:us-east-1:250044486744:loadbalancer/app/prod-iad-1-az5-1-147/3c31e83958a34ed9

Scenario:

  1. I use a CloudFormation stack to create an ACM cert and then an API Gateway custom domain for an apex domain name/wildcard domain name with that associated cert. (i.e. *.mydomain.com)
  2. I use CloudFormation to drop that stack.
  3. The stack deletes the API Gateway custom domain, but is stuck on deleting the cert. The cert cannot be deleted due to this association with account #250044486744.

Possible resolution (not 100% effective):

  1. I created an API Gateway custom domain for that apex domain name/wildcard domain name (*.mydomain.com) and attached the stuck cert.
  2. I delete the API Gateway custom domain.
  3. After a few minutes, the associations that prevent deleting the cert go away.

How can I get around this? I can't delete the cert, so I can't delete the stack, so I am totally stuck. I waited 24 hours to see if these associations would go away automatically.

1 Answer

Hello.
It is better to mask the AWS account ID.

Run the following commands to see which resources the certificate is being used for.
Make sure it is not being used for anything other than API Gateway.
https://repost.aws/knowledge-center/acm-certificate-resources

aws acm describe-certificate --certificate-arn ACM-ARN

A regional API endpoint causes API Gateway to create an Application Load Balancer.

Presumably, that ALB is the one created when the regional API Gateway endpoint is created.

If so, replace or delete the custom domain name associated with the API Gateway.
If you try to remove the ACM certificate after that, it may solve the problem.

answered 9 months ago
  • This is not my account number. This is an AWS-owned account number.

    The 3 listed associations are the only associations.

  • Updated answers.

  • I did this.

    The stack deleted the API Gateway custom domain, and the associations were not removed - I believe this is a bug.

    For a domain I created today, I was able to create the custom domain manually and then delete it, which removed the associations. For domains I created yesterday, new associations are made and I cannot get rid of the 3 associations that were created yesterday.
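As an added illustration (not code from the question or the answer), the following Python helper reads the JSON that the `aws acm describe-certificate` command above returns and sorts the certificate's InUseBy associations into those in your own account and those in another account, which in this thread turned out to be AWS-owned load balancers behind the API Gateway custom domain. The sample output, the CloudFront ARN and account 111111111111 are constructed for the example; in practice, pipe the real command's output into it.

```python
import json

# Constructed sample in the shape of `aws acm describe-certificate` output.
# The two load-balancer ARNs are the ones quoted in the question (AWS-owned account);
# the CloudFront ARN and account 111111111111 are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-CERT-ID",
        "DomainName": "*.mydomain.com",
        "InUseBy": [
            "arn:aws:elasticloadbalancing:us-east-1:250044486744:loadbalancer/app/prod-iad-1-az1-1-74/aaef435ee82b00f4",
            "arn:aws:elasticloadbalancing:us-east-1:250044486744:loadbalancer/app/prod-iad-1-az4-1-145/a8e5d89d2f1e4c8f",
            "arn:aws:cloudfront::111111111111:distribution/EXAMPLEDISTID",
        ],
    }
})


def parse_arn(arn):
    """Split an ARN into its six colon-separated fields (the resource part may contain colons)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return dict(zip(("prefix", "partition", "service", "region", "account", "resource"), parts))


def classify_in_use_by(describe_output, own_account):
    """Group the certificate's InUseBy ARNs by whether they belong to own_account.

    Associations owned by another account are resources a managed AWS service
    created on your behalf (here, the load balancers API Gateway fronts a regional
    custom domain with). They cannot be detached from the caller's side; they go
    away only when the owning service releases them.
    """
    cert = json.loads(describe_output)["Certificate"]
    report = {"own": [], "foreign": []}
    for arn in cert.get("InUseBy", []):
        fields = parse_arn(arn)
        bucket = "own" if fields["account"] == own_account else "foreign"
        report[bucket].append({"arn": arn, "service": fields["service"], "account": fields["account"]})
    return report


def deletable(report):
    """ACM refuses deletion while any association remains, own or foreign."""
    return not report["own"] and not report["foreign"]


if __name__ == "__main__":
    result = classify_in_use_by(SAMPLE_DESCRIBE_OUTPUT, "111111111111")
    for bucket in ("own", "foreign"):
        for entry in result[bucket]:
            print(f"{bucket:8} {entry['service']:24} {entry['account']}  {entry['arn']}")
    print("deletable:", deletable(result))
```

Anything in the "foreign" bucket is what the answer refers to: a managed-service resource you cannot dissociate directly, so the fix is to remove the API Gateway custom domain (or whatever service owns it) and wait for the association to disappear before retrying the delete.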
