I have a cert showing InUseBy that has not been true for over a year.


Both the web console and CLI show that the same 3 resources are associated with a cert I have. I would like to delete this cert as it expired 351 days ago.

Among other things, the cert was used on an API Gateway. Last year, when I updated my certs and their resources, I updated this one too, and it is no longer used by any AWS resources.

All other resources quickly evaporated from the list; however, the API Gateway resources have remained.

aws acm describe-certificate --certificate-arn arn:aws:acm:us-east-1:accountnum:certificate/certid --query "Certificate.InUseBy"
[
    "arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-id1/otherid1",
    "arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-id2/otherid2",
    "arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-id3/otherid3"
]

This is a production API receiving between 50k and 300k requests per hour so deleting the custom domain and replacing it would not be ideal.

Are there any known workarounds to get these resources to realize they are not using the cert, so I can delete it and show I'm in compliance with my automated scripts?

ACM

API Gateway

Cloudwatch

2 Answers

It seems your certificate is in use on your EC2 load balancers, not your API Gateway.

Check your load balancers in us-east-1 and see whether the certificate is referenced on any HTTPS listeners.

Unassign the old certificate from the listeners. You can have more than one certificate on a listener.

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#sni-certificate-list

EXPERT
answered a year ago

When you deploy a regional API endpoint, API Gateway creates an application load balancer (ALB) on your behalf. The load balancer is owned by API Gateway and is not visible to you. The ALB is bound to the ACM certificate that you used when deploying your API. To remove the binding and allow ACM to delete your certificate, you must remove the API Gateway custom domain that is associated with the certificate.

https://docs.aws.amazon.com/acm/latest/userguide/troubleshoot-apigateway.html

EXPERT
answered a year ago
  • Exactly, and I understand this, however this cert was originally used by said API Gateway (aka the ALB AWS owns) and no longer used by it. I updated it last year, and again this year. My problem is that AWS thinks it is still in use by the ALB. Utilizing the API Gateway results in the expected cert, viewing/editing the custom domain for the API Gateway shows the expected cert. Querying the current cert shows it is in use by the API Gateway. But querying the original cert shows it too is in use by the ALB.

    While typing this I realized a better explanation for my issue.

    Cert 1 - Issued 2 years ago (expired 1 year ago)
    Cert 2 - Issued 1 year ago (expired now)
    Cert 3 - Issued now

    When the API Gateway was set up, Cert 1 was used; one year later, Cert 2 was used; and currently Cert 3 is being used. Currently I am attempting to delete Cert 1; however, it is blocked because it is "In Use By" the API Gateway. It is not. I am able to delete Cert 2, because it is not "In Use By" the API Gateway.

    What I am hoping to solve is deleting the Cert 1 without deleting the Custom Domain in the API Gateway. If necessary I can update my internal endpoints to point to the AWS named endpoint and delete the Custom Domain, followed by creating a new Custom Domain with the same settings and reverting the endpoint update to my app.

    To further clarify, I believe this is an AWS issue and not a Me issue. I believe AWS is mistakenly reporting the "In Use By". I'm looking for a work-around.

  • Yeah, I think it's not you and just how AWS manages these certs. Seems the FIRST cert you use you can't remove without removing the custom domain. Hope you manage to sort it. Be interested to know if you do...
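Both answers reduce to one check: which ARNs in InUseBy can you account for from listeners you can actually see? This is an added example, not code from the thread; it works on JSON already fetched with the AWS CLI, and the account id, ARNs and records below are constructed placeholders.

```python
"""Cross-check an ACM certificate's InUseBy list against the ALB HTTPS listeners
visible in your account. Added example with constructed data; it reads JSON you
have already fetched, so it runs offline. Equivalent CLI calls per region:
  aws acm describe-certificate --certificate-arn <arn> --query Certificate.InUseBy
  aws elbv2 describe-listeners --load-balancer-arn <lb-arn>
  aws elbv2 describe-listener-certificates --listener-arn <listener-arn>
"""
from typing import Dict, List, Tuple

ELB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:"  # constructed account
CERT = "arn:aws:acm:us-east-1:111122223333:certificate/cert-1"  # old cert
NEW_CERT = "arn:aws:acm:us-east-1:111122223333:certificate/cert-3"
LB_A, LB_B = ELB + "loadbalancer/app/prod-a/aaaa", ELB + "loadbalancer/app/prod-b/bbbb"
LISTENER_A = ELB + "listener/app/prod-a/aaaa/l1"

IN_USE_BY = [LB_A, LB_B]  # constructed Certificate.InUseBy for the old cert
# Constructed describe-listeners output (only the fields used here); the default
# certificate on this listener was already rotated to the new cert.
LISTENERS = [{"ListenerArn": LISTENER_A, "LoadBalancerArn": LB_A, "Protocol": "HTTPS",
              "Certificates": [{"CertificateArn": NEW_CERT}]}]
# Constructed describe-listener-certificates output keyed by listener ARN: the
# old cert lingers as an extra SNI certificate, which the listener overview hides.
SNI_CERTS: Dict[str, List[dict]] = {LISTENER_A: [
    {"CertificateArn": NEW_CERT, "IsDefault": True},
    {"CertificateArn": CERT, "IsDefault": False}]}

def listeners_referencing(cert_arn: str, listeners: List[dict],
                          sni_certs: Dict[str, List[dict]]) -> List[Tuple[str, str]]:
    """(listener ARN, 'default' | 'sni') for every TLS listener bound to cert_arn."""
    hits = []
    for lst in listeners:
        if lst.get("Protocol") not in ("HTTPS", "TLS"):
            continue
        if any(c["CertificateArn"] == cert_arn for c in lst.get("Certificates", [])):
            hits.append((lst["ListenerArn"], "default"))
            continue
        extra = sni_certs.get(lst["ListenerArn"], [])
        if any(c["CertificateArn"] == cert_arn and not c.get("IsDefault") for c in extra):
            hits.append((lst["ListenerArn"], "sni"))
    return hits

def unexplained_in_use(cert_arn: str, in_use_by: List[str], listeners: List[dict],
                       sni_certs: Dict[str, List[dict]]) -> List[str]:
    """InUseBy entries that no listener you can see binds to cert_arn. An ALB ARN
    that elbv2 cannot describe at all is the second answer's case: a load balancer
    API Gateway owns for a regional custom domain."""
    bound = {arn for arn, _ in listeners_referencing(cert_arn, listeners, sni_certs)}
    explained = {lst["LoadBalancerArn"] for lst in listeners if lst["ListenerArn"] in bound}
    return [arn for arn in in_use_by if arn not in explained]
```

Entries returned by unexplained_in_use are the ones that no listener you control explains, so they are the candidates for the API Gateway-owned ALB described in the second answer, while a 'sni' hit from listeners_referencing is the extra listener certificate the first answer says to unassign.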
