
SSL setup failed: both root and www stuck on expired 2023 Amplify distribution, "CNAME already associated with different resource", confirmed not in my CloudFront account

0

Problem

I'm trying to link the custom domain theexecutiveoutlook.com to my AWS Amplify app (region: ap-southeast-1) but the SSL setup keeps failing with:

One or more of the CNAMEs you provided are already associated with a different resource.

Both the root domain and www are broken => www briefly worked, then stopped serving with an SSL error.

Background

We migrated a WordPress site (previously on Hostinger) to a Next.js app on Amplify. During the migration in 2023 there was a previous Amplify setup attempt. That old Amplify app was deleted but the underlying CloudFront distribution was never cleaned up.

Root cause identified

Running openssl s_client against www.theexecutiveoutlook.com reveals an expired ACM certificate:

subject=CN = www.theexecutiveoutlook.com
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M02
notBefore=Jan  3 00:00:00 2023 GMT
notAfter=Feb  2 23:59:59 2024 GMT

This confirms an old Amplify-managed CloudFront distribution from 2023 still holds aliases for both theexecutiveoutlook.com (root) and www.theexecutiveoutlook.com with the expired cert. This old distribution does not appear in our account's CloudFront distributions; it's in Amplify's managed service infrastructure.

What I've already tried

  • Deleted and re-created the domain association multiple times (both Amplify-managed and custom ACM certificate)
  • Issued and validated a custom ACM certificate in us-east-1 covering both domains => status: ISSUED
  • Created the missing IAM role AWSAmplifyDomainRole-Z0912169PGA4JNKMS7B0
  • Ran aws cloudfront list-conflicting-aliases against a distribution in my account that has the custom cert attached => returned 0 results, confirming the conflicting distribution is not in my account.

Current state

  • Amplify App ID: d108r8v4c0edv8
  • Region: ap-southeast-1
  • Route 53 Hosted Zone: Z0912169PGA4JNKMS7B0
  • DNS: both root (A ALIAS) and www (CNAME) correctly point to d17zs2jqzvnvgp.cloudfront.net
  • Custom ACM cert: arn:aws:acm:us-east-1:[ACCOUNT-ID]:certificate/7447d997-de01-4580-8b07-667669fb38b1 (ISSUED, covers both domains)
  • www.theexecutiveoutlook.com: Serving expired 2023 cert => SSL error in browsers
  • theexecutiveoutlook.com (root): FAILED => alias conflict

Question

The old Amplify-managed CloudFront distribution (from 2023, in Amplify's service account) still holds both aliases. Is there any self-service way to release these aliases, or does this require AWS Support to manually remove them from the orphaned distribution?
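As an added diagnostic example (not part of the original question), the following Python script automates the check the question performed by hand with openssl s_client: it fetches the certificate a hostname actually serves, extracts subject, issuer and validity dates, and reports whether the certificate is expired and whether its CN matches the hostname you expected. It assumes the openssl CLI is on PATH; the embedded sample is the openssl output quoted above, included so the parsing logic runs offline. One caveat worth building in: CloudFront selects the certificate by the SNI server name, so the script always passes -servername; a bare -connect can return a different default certificate and mislead the diagnosis.

```python
import subprocess
from datetime import datetime, timezone

# Constructed offline sample: the openssl x509 summary quoted in the question.
SAMPLE_X509_OUTPUT = """\
subject=CN = www.theexecutiveoutlook.com
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M02
notBefore=Jan  3 00:00:00 2023 GMT
notAfter=Feb  2 23:59:59 2024 GMT
"""


def fetch_x509_summary(host, port=443, timeout=15):
    """Return the subject/issuer/dates summary of the leaf certificate served for `host`.

    Uses the openssl CLI (assumed installed). -servername sends SNI so that
    CloudFront serves the certificate bound to this alias, not a default one.
    """
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"",  # closed stdin makes s_client exit right after the handshake
        capture_output=True,
        timeout=timeout,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-dates"],
        input=s_client.stdout,  # x509 skips the s_client chatter before the PEM block
        capture_output=True,
        check=True,
    )
    return x509.stdout.decode()


def parse_x509_summary(text):
    """Turn 'key=value' lines from `openssl x509 -subject -issuer -dates` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("subject", "issuer", "notBefore", "notAfter"):
            fields[key] = value.strip()
    return fields


def parse_openssl_date(value):
    """Parse openssl's 'Mon DD HH:MM:SS YYYY GMT' notBefore/notAfter format as UTC."""
    return datetime.strptime(value.replace(" GMT", ""), "%b %d %H:%M:%S %Y").replace(
        tzinfo=timezone.utc
    )


def subject_cn(subject):
    """Extract the CN from an openssl subject string such as 'C = US, CN = example.com'."""
    for part in subject.split(","):
        name, _, value = part.strip().partition("=")
        if name.strip() == "CN":
            return value.strip()
    return None


def assess(fields, expected_hosts, now=None):
    """Report expiry and name-match status for a parsed certificate summary.

    `expected_hosts` is the set of hostnames the served certificate should name;
    `now` defaults to the current UTC time and can be pinned for testing.
    """
    now = now or datetime.now(timezone.utc)
    not_after = parse_openssl_date(fields["notAfter"])
    cn = subject_cn(fields["subject"])
    return {
        "cn": cn,
        "issuer": fields.get("issuer"),
        "not_after": not_after,
        "expired": now > not_after,
        "cn_matches": cn in expected_hosts,
    }


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_x509_summary(host)
    # to inspect a live endpoint.
    report = assess(parse_x509_summary(SAMPLE_X509_OUTPUT), {"www.theexecutiveoutlook.com"})
    status = "EXPIRED" if report["expired"] else "valid"
    print(f"{report['cn']} issued by {report['issuer']}: {status} until {report['not_after']}")
```

An expired certificate whose CN still matches the hostname, as in this thread, is the signature of a stale distribution rather than a misconfigured new one: the alias is being served, just by the wrong resource. Running the live check against both the root and the www name, with and without the trailing www, shows which hostnames the orphaned distribution still answers for.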

2 Answers
0
Accepted Answer

Kidd Ip is correct: there's no self-service way to resolve this. In order to expedite the support case (if you haven't already opened it and made progress by now), provide as much of the evidence as possible upfront to minimize any back-and-forth with the support engineer. For example:

Step 1: Open an AWS Support Case (Required)

Open a support case with the following details:

  • Service: CloudFront (or Amplify Hosting)
  • Category: Domain / CNAME configuration
  • Severity: High (production site is down with SSL errors)
  • Subject: "Request removal of orphaned CNAME aliases from Amplify-managed CloudFront distribution"
  • Body: include all of this:
Both theexecutiveoutlook.com and www.theexecutiveoutlook.com are held as 
aliases on an orphaned Amplify-managed CloudFront distribution from a 
deleted Amplify app (2023). The distribution is NOT in our account, it's 
in Amplify's internal service infrastructure.

Evidence:
- openssl s_client shows an expired ACM cert (expired Feb 2 2024) for 
  CN=www.theexecutiveoutlook.com issued by Amazon RSA 2048 M02
- aws cloudfront list-conflicting-aliases returns 0 results against our 
  distribution, confirming the conflict is cross-account
- DNS currently points to d17zs2jqzvnvgp.cloudfront.net
- Current Amplify App ID: d108r8v4c0edv8 (ap-southeast-1)
- Route 53 Hosted Zone: Z0912169PGA4JNKMS7B0
- Custom ACM cert (us-east-1): arn:aws:acm:us-east-1:[ACCOUNT-ID]:certificate/7447d997-de01-4580-8b07-667669fb38b1

Request: Please remove both aliases (theexecutiveoutlook.com and 
www.theexecutiveoutlook.com) from the orphaned internal CloudFront 
distribution so we can associate them with our new Amplify app.

Step 2: Prepare DNS TXT Records for Ownership Verification

AWS Support will likely ask you to prove domain ownership. Before they respond, proactively create these TXT records in your Route 53 hosted zone:

Record Name                    Type   Value
_.theexecutiveoutlook.com      TXT    d17zs2jqzvnvgp.cloudfront.net
_www.theexecutiveoutlook.com   TXT    d17zs2jqzvnvgp.cloudfront.net

(Replace d17zs2jqzvnvgp.cloudfront.net with whatever CloudFront domain your new Amplify app assigns, if different.)

This follows the target distribution setup procedure and will speed up the support process.

Step 3: Also Try list-domain-conflicts (Newer API)

Before Support responds, try the newer list-domain-conflicts API, which may give you more information than list-conflicting-aliases:

aws cloudfront list-domain-conflicts \
  --domain theexecutiveoutlook.com \
  --domain-control-validation-resource "DistributionId=<YOUR_CF_DISTRIBUTION_ID>"

This returns the partially-masked account ID and resource type of the conflicting resource, which can be useful evidence for the support case.

AWS
answered 2 months ago
EXPERT
reviewed 2 months ago
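As an added example (not the answerer's code), here is a small Python helper that creates the ownership-verification TXT records from Step 2 through the Route 53 API instead of the console. It builds the change batch for the two record names given in the answer and applies it with the AWS CLI, which is assumed to be installed and configured with write access to the hosted zone. The builder is separate from the apply step so the JSON can be inspected before anything is written, and it encodes the one detail that routinely trips people up: Route 53 requires a TXT record's text to be wrapped in double quotes inside the JSON value.

```python
import json
import subprocess


def ownership_txt_records(apex_domain, cloudfront_domain):
    """Return the (name, value) TXT records the answer lists for proving ownership.

    The names follow the answer above: an underscore label at the apex and
    an underscore-prefixed www label, both pointing at the new CloudFront domain.
    """
    return [
        (f"_.{apex_domain}", cloudfront_domain),
        (f"_www.{apex_domain}", cloudfront_domain),
    ]


def route53_change_batch(records, ttl=300, action="UPSERT",
                         comment="CloudFront alias ownership verification"):
    """Build a Route 53 ChangeBatch document for the given TXT records.

    UPSERT is used so re-running the script is harmless. Names carry a trailing
    dot to make them fully qualified, and each TXT value is JSON-quoted because
    Route 53 expects TXT text enclosed in double quotes.
    """
    changes = []
    for name, value in records:
        changes.append({
            "Action": action,
            "ResourceRecordSet": {
                "Name": f"{name}.",
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": json.dumps(value)}],
            },
        })
    return {"Comment": comment, "Changes": changes}


def apply_change_batch(hosted_zone_id, batch):
    """Submit the change batch with the AWS CLI (assumed installed and configured)."""
    result = subprocess.run(
        ["aws", "route53", "change-resource-record-sets",
         "--hosted-zone-id", hosted_zone_id,
         "--change-batch", json.dumps(batch)],
        capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Values from the thread; replace the CloudFront domain if your new Amplify
    # app was assigned a different one.
    records = ownership_txt_records("theexecutiveoutlook.com", "d17zs2jqzvnvgp.cloudfront.net")
    batch = route53_change_batch(records)
    print(json.dumps(batch, indent=2))  # review before applying
    # apply_change_batch("Z0912169PGA4JNKMS7B0", batch)
```

After the change status reaches INSYNC, confirm the records resolve from outside your network before telling Support they are in place; a verification that fails on their side only adds another round trip to the case.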
0

To my understanding, there is no self-service way to release aliases from Amplify's internal CloudFront distributions; AWS Support is required.

https://docs.aws.amazon.com/amplify/latest/userguide/custom-domains.html

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
