Unable to remove acm certificate due to elastic load balancer associated resources

0

I have 2 certificates in ACM, us-east-1, which were used with API Gateway. The gateway and DNS entries in Route 53 have been deleted, and I cannot delete the certificates themselves - it says they are in use. I looked at https://repost.aws/knowledge-center/acm-certificate-resources - the other resources have been deleted, so as stated, contacting support for help.

Certs: 72643fd2-74d7-47ef-8517-19a79a50f0e6 and 9d7c304f-8e6f-43df-bb20-31ddb7b33e68

Thanks Adrian

2 Answers
0
Accepted Answer

This is a common issue with ACM certificates where they can't be deleted due to invisible resource associations. Even after you've removed all visible associations like API Gateway custom domain names and Route 53 entries, there can still be lingering connections preventing deletion.

The error you're seeing indicates that the certificates are still associated with Elastic Load Balancer resources, even though you may not be able to find these associations in your account. This often happens with AWS-managed resources that were created behind the scenes, such as CloudFront distributions associated with other services.

Before contacting AWS Support, you might want to try these steps:

  1. Double-check all possible places where the certificates might still be used, including Load Balancer listeners, CloudFront distributions, and Cognito User Pools.

  2. Try deleting the certificates using the AWS CLI instead of the console, as this sometimes works when the console fails.

If these steps don't resolve the issue, contacting AWS Support is indeed the correct approach. When you open a support case:

  1. Open it under "Account and billing" (which is free of charge)
  2. Explain that you have certificates you can't delete due to invisible resource associations
  3. Provide the certificate IDs you mentioned (72643fd2-74d7-47ef-8517-19a79a50f0e6 and 9d7c304f-8e6f-43df-bb20-31ddb7b33e68)
  4. Request that they remove the associations so you can delete the certificates

While waiting for support to resolve the issue, keep in mind that ACM certificates are free, so there's no financial impact to having them remain in your account temporarily.
Sources
Cannot delete ACM certificate due to associated resources | AWS re:Post
could you help to delete one expired certificate due to associated resources? | AWS re:Post
Delete ACM Cert in Use By CloudFront Distribution after Deleting User Pool | AWS re:Post

answered 10 months ago
AWS
SUPPORT ENGINEER
reviewed 10 months ago
EXPERT
reviewed 10 months ago
0

Hello.

Have you deleted the custom domain associated with the API Gateway?
https://docs.aws.amazon.com/acm/latest/userguide/troubleshoot-apigateway.html

When you deploy a regional API endpoint, API Gateway creates an application load balancer (ALB) on your behalf. The load balancer is owned by API Gateway and is not visible to you. The ALB is bound to the ACM certificate that you used when deploying your API. To remove the binding and allow ACM to delete your certificate, you must remove the API Gateway custom domain that is associated with the certificate.

If you have not deleted your custom domain, try deleting it with the following command.

aws apigatewayv2 delete-domain-name --domain-name "example.com"

If you are unable to delete the ACM certificate even after deleting the API Gateway custom domain, try contacting AWS Support.
"Account and billing" inquiries are free of charge.
In the past, there have been cases where, like you, someone was unable to delete the SSL certificate that was linked to API Gateway, and contacted AWS Support to resolve the issue.
https://repost.aws/ja/questions/QUD6O2O6z2QjelpBx6bcnBaA/cannot-delete-acm-certificate-due-to-uncontrollable-resource-associations

EXPERT
answered 10 months ago
AWS
SUPPORT ENGINEER
reviewed 10 months ago
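
Added example, not part of either answer and not AWS's own code: a shell sketch of the "double-check where the certificate is still used" step. It reads the certificate's `InUseBy` list with `aws acm describe-certificate` and marks each ARN as `own` or `foreign` by comparing the ARN's account field with the caller's account. Treating a foreign account as a service-owned resource, such as the hidden API Gateway load balancer described above, is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage an ACM certificate's InUseBy list.
# Function names are hypothetical; the aws subcommands are real CLI calls.

# classify_arn ARN OWN_ACCOUNT_ID -> prints "<own|foreign> <service> <arn>"
# ARN layout: arn:partition:service:region:account-id:resource
classify_arn() {
    service=$(printf '%s' "$1" | cut -d: -f3)
    account=$(printf '%s' "$1" | cut -d: -f5)
    if [ "$account" = "$2" ]; then owner=own; else owner=foreign; fi
    printf '%s %s %s\n' "$owner" "$service" "$1"
}

# triage OWN_ACCOUNT_ID: reads ARNs on stdin, one per line.
# Returns 0 when nothing references the certificate, 1 otherwise.
triage() {
    remaining=0
    while IFS= read -r arn; do
        # Skip blanks and the "None" that --output text prints for null.
        case $arn in ''|None) continue ;; esac
        classify_arn "$arn" "$1"
        remaining=1
    done
    return "$remaining"
}

# check_cert CERT_ARN: live lookup, needs AWS CLI credentials.
# Use --region us-east-1 (or AWS_REGION) for certificates stored there.
check_cert() {
    me=$(aws sts get-caller-identity --query Account --output text) || return 2
    arns=$(aws acm describe-certificate --certificate-arn "$1" \
        --query 'Certificate.InUseBy[]' --output text) || return 2
    # Text output separates list items with tabs; put one ARN per line.
    if printf '%s\n' "$arns" | tr '\t' '\n' | triage "$me"; then
        echo "no associations left: aws acm delete-certificate should succeed"
    else
        echo "own: delete that resource; foreign: assumed service-owned," \
             "remove the API Gateway custom domain or open a support case"
        return 1
    fi
}

if [ "$#" -gt 0 ]; then check_cert "$1"; fi
```

Run it with the full certificate ARN as the only argument; the `foreign` lines are the ones worth quoting in a support case.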
