I can't delete my certificate because it's associated with an invisible CloudFront distribution

0

I have a certificate in AWS Certificate Manager that I would like to delete (I need to recreate it to include a root domain). When I try to delete it, I get an error saying that it is associated with a CloudFront distribution and cannot be deleted. However, in CloudFront, I have no distributions listed. How can I dissociate the certificate from the resource?

I found a similar question and looked for API Gateway resources. I found one and it had a custom domain name similar to the certificate. I've deleted both the custom domain and the API Gateway and they're no longer listed in the API Gateway interface, but I'm still not able to delete the certificate because it's associated with this unknown CloudFront resource.

4 Answers
0
Accepted Answer

After some time passed, I was able to delete the certificate. It seems that deleting the API Gateway was indeed the cause of the error, and it simply needed some additional time to pass after deletion before I could delete the associated certificate.

ben
answered 2 years ago
EXPERT
reviewed a month ago
0

Hello Ben,

From your question I have understood that you are unable to find an ACM certificate and the associations with it. You were correct that to delete a certificate that is in use, you must first remove the certificate association. This can be done using the console or CLI for the associated service. I will link a general guide below: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html

AWS
SUPPORT ENGINEER
answered 2 years ago
0

Yep, API GW edge-optimised APIs are accessed through a CloudFront distribution you don't own - it's in an AWS-managed account. It will use your cert though, as you've seen. "aws apigateway get-domain-names" can be used to see the distribution domain names.

EXPERT
answered 2 years ago
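
An added example, not part of the original answers: a Python sketch that takes the JSON output of `aws apigateway get-domain-names` and `aws acm describe-certificate` and reports which API Gateway custom domains still reference a certificate, and which `InUseBy` ARNs carry an account ID other than your own. All account IDs, ARNs and domain names below are constructed placeholders.

```python
import json

# Constructed sample of `aws apigateway get-domain-names` output (placeholder values).
DOMAIN_NAMES = json.loads("""
{"items": [
  {"domainName": "api.example.com",
   "certificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID",
   "distributionDomainName": "d111111abcdef8.cloudfront.net",
   "endpointConfiguration": {"types": ["EDGE"]}},
  {"domainName": "internal.example.com",
   "regionalCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/OTHER-CERT-ID",
   "regionalDomainName": "d-abc123.execute-api.us-east-1.amazonaws.com",
   "endpointConfiguration": {"types": ["REGIONAL"]}}
]}
""")

# Constructed sample of `aws acm describe-certificate` output (placeholder values).
CERT = json.loads("""
{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID",
  "InUseBy": [
    "arn:aws:cloudfront::444455556666:distribution/EXAMPLEDIST",
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/0123456789abcdef"
  ]}}
""")


def domains_using_cert(domain_names, cert_arn):
    """Custom domains whose edge or regional certificate is cert_arn."""
    hits = []
    for item in domain_names.get("items", []):
        if cert_arn in (item.get("certificateArn"), item.get("regionalCertificateArn")):
            target = item.get("distributionDomainName") or item.get("regionalDomainName")
            hits.append((item["domainName"], target))
    return hits


def split_in_use_by(describe_cert, own_account_id):
    """Partition InUseBy ARNs by whether the ARN's account field is ours."""
    own, other = [], []
    for arn in describe_cert["Certificate"].get("InUseBy", []):
        # ARN layout: arn:partition:service:region:account-id:resource
        account = arn.split(":", 5)[4]
        (own if account == own_account_id else other).append(arn)
    return own, other


if __name__ == "__main__":
    arn = CERT["Certificate"]["CertificateArn"]
    print("custom domains still using cert:", domains_using_cert(DOMAIN_NAMES, arn))
    own, other = split_in_use_by(CERT, "111122223333")
    print("in use by own account:", own)
    print("in use by another account:", other)
```

To run it against a real account, replace the two constructed samples with the JSON saved from the two CLI commands.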
0

I'm facing the same issue. It's been 1 day already since I deleted the associated API Gateway custom domain. The certificate still seems to be associated with some resources that do not exist in my account. This is what I see:

Associated resources (3)

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-104/87ea7bd28e18ef45

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-793/dd9eb9379f71a0ba

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-862/56fc8591797a2875

The account ID shown is not mine.

Kevin
answered 2 months ago
