Need help with stack stuck in UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS

0

I have a stack arn:aws:cloudformation:us-east-1:384426254369:stack/BraunStack/ac1302e0-6cde-11ed-8837-0a5c7a83545f that I am trying to delete but it's stuck in state UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS. I traced through the stack events and found out that the problem is this:

Certificate arn:aws:acm:us-east-1:384426254369:certificate/e015608b-e8a9-4dbc-bd7a-d4b299e1c0ef in account 384426254369 is in use. (Service: AWSCertificateManager; Status Code: 400; Error Code: ResourceInUseException; Request ID: ba2370ae-8f61-46a4-a251-aea442d34311; Proxy: null)

so I went to try to manually delete that ACM certificate and it says I can't because it's in use. The problem is, it says it's in use by this:

arn:aws:cloudfront::745623467555:distribution/ENHGSRI0SJ739

The issue is that's not something I see as one of my CloudFront distributions. In fact, that's not even my account number. It's almost as if somebody else is using my certificate, which is impossible. I do have two separate organizations (with one account each) that I manage, but that's not the account number of either.

So it looks like CloudFormation can't delete the stack because it can't delete the certificate, and I can't manually delete the certificate because some distribution that I cannot find (possibly in another account) is using it:

Failed to delete certificates
Certificate arn:aws:acm:us-east-1:384426254369:certificate/e015608b-e8a9-4dbc-bd7a-d4b299e1c0ef in account 384426254369 is in use. (Service: AWSCertificateManager; Status Code: 400; Error Code: ResourceInUseException; Request ID: 38c32079-f59e-45b8-b753-07b0ee58a4ae; Proxy: null)

Can somebody at Amazon tell me how to clean this up? I think step 1 is to delete that certificate, but it won't let me. I can always regenerate the certificate, and this site isn't in production yet.

Update: I signed up for paid Developer support so I could ask for help. Case 11538935921. It really looks like somehow some other account is using my certificate, I'm mystified how that could be.

2 Answers
1
Accepted Answer

Hi There

Please see this article, which explains this behavior and a resolution. If you deployed an edge-optimized API Gateway, then that is associated with a CloudFront distribution in an AWS-managed account (hence the unknown account number).

Also see this previous post with a similar issue

AWS
EXPERT
Matt-B
answered a year ago
  • Thanks, Matt. That was the problem. It turns out it was a custom domain on a Cognito pool, and that causes a CF distribution to be created in an Amazon account, just like you said. What was confusing was that the CF distribution was basically invisible to me. What would have helped is if the Cognito user pool said explicitly "Here's the CloudFront dist that is part of this"; it was just hard to track down, having not encountered this before. Thanks for your help!
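The accepted answer and the asker's follow-up describe the general pattern: ACM reports the certificate as "in use by" a CloudFront distribution in an account you do not own, because a Cognito user-pool custom domain (or an edge-optimized API Gateway custom domain name) creates that distribution in an AWS-managed account on your behalf. You cannot see or delete that distribution; the only way to free the certificate is to remove the Cognito domain or API Gateway domain name that references it. The script below is an added example, not code from the original thread or from AWS: it reads the certificate's InUseBy list, flags CloudFront ARNs whose account is not yours, then checks Cognito user pools and API Gateway custom domain names for a CustomDomainConfig/certificateArn that matches the certificate, and prints the deletions that would release it. The boto3 calls named (describe_certificate, list_user_pools, describe_user_pool, describe_user_pool_domain, get_domain_names, delete_user_pool_domain, delete_domain_name) are real APIs, but the client objects are injected so the code runs offline against constructed stub responses; the user pool ID, domain names and CloudFront hostnames in the stubs are made up, while the certificate and distribution ARNs are copied from the question. It assumes the user pool and the API Gateway domain name live in the region the clients are created in, so repeat it per region if you are unsure.

```python
"""Find what is holding an ACM certificate in use when ACM's InUseBy points at a
CloudFront distribution in an AWS-managed account (Cognito custom domain or
edge-optimized API Gateway). Added example; clients are injected so the
constructed stubs at the bottom run without AWS access."""
from __future__ import annotations
import sys

try:
    import boto3  # only needed for a live run (--live) against your own account
except ImportError:  # assumption: offline environments may not have boto3
    boto3 = None


def arn_account(arn: str) -> str:
    """arn:partition:service:region:account-id:resource -> account-id."""
    return arn.split(":", 5)[4]


def foreign_cloudfront_users(acm, cert_arn: str, own_account: str) -> list[str]:
    """InUseBy entries that are CloudFront distributions outside own_account.
    These never appear in your CloudFront console; a service created them for you."""
    cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
    return [arn for arn in cert.get("InUseBy", [])
            if arn.split(":", 5)[2] == "cloudfront" and arn_account(arn) != own_account]


def cognito_domains_using(cognito, cert_arn: str) -> list[dict]:
    """User-pool custom domains whose CustomDomainConfig references cert_arn."""
    hits, token = [], None
    while True:
        kwargs = {"MaxResults": 60}
        if token:
            kwargs["NextToken"] = token
        page = cognito.list_user_pools(**kwargs)
        for pool in page.get("UserPools", []):
            custom = cognito.describe_user_pool(UserPoolId=pool["Id"])["UserPool"].get("CustomDomain")
            if not custom:
                continue  # prefix domains (xxx.auth.<region>.amazoncognito.com) need no ACM cert
            dom = cognito.describe_user_pool_domain(Domain=custom)["DomainDescription"]
            if dom.get("CustomDomainConfig", {}).get("CertificateArn") == cert_arn:
                hits.append({"UserPoolId": pool["Id"], "Domain": custom,
                             "CloudFrontDistribution": dom.get("CloudFrontDistribution")})
        token = page.get("NextToken")
        if not token:
            return hits


def apigw_domains_using(apigw, cert_arn: str) -> list[dict]:
    """REST API custom domain names (edge-optimized ones use certificateArn) backed by cert_arn."""
    hits, position = [], None
    while True:
        kwargs = {"limit": 500}
        if position:
            kwargs["position"] = position
        page = apigw.get_domain_names(**kwargs)
        for item in page.get("items", []):
            if item.get("certificateArn") == cert_arn:
                hits.append({"domainName": item["domainName"],
                             "distributionDomainName": item.get("distributionDomainName")})
        position = page.get("position")
        if not position:
            return hits


def release_plan(cognito_hits: list[dict], apigw_hits: list[dict]) -> list[str]:
    """The deletions that free the certificate, as CLI commands for review before running.
    Each removes the resource that owns the hidden distribution, not the distribution itself."""
    plan = [f"aws cognito-idp delete-user-pool-domain --domain {h['Domain']} "
            f"--user-pool-id {h['UserPoolId']}" for h in cognito_hits]
    plan += [f"aws apigateway delete-domain-name --domain-name {h['domainName']}" for h in apigw_hits]
    return plan


def triage(acm, cognito, apigw, cert_arn: str, own_account: str) -> dict:
    return {"foreign": foreign_cloudfront_users(acm, cert_arn, own_account),
            "cognito": cognito_domains_using(cognito, cert_arn),
            "apigw": apigw_domains_using(apigw, cert_arn)}


# ---- constructed stub responses (shapes follow the boto3 APIs named above) ----
OWN_ACCOUNT = "384426254369"  # from the question
CERT_ARN = "arn:aws:acm:us-east-1:384426254369:certificate/e015608b-e8a9-4dbc-bd7a-d4b299e1c0ef"


class StubACM:
    def describe_certificate(self, CertificateArn):
        return {"Certificate": {"CertificateArn": CertificateArn, "InUseBy": [
            "arn:aws:cloudfront::745623467555:distribution/ENHGSRI0SJ739"]}}  # from the question


class StubCognito:  # one pool with a custom domain on CERT_ARN; IDs and names are made up
    def list_user_pools(self, **kw):
        return {"UserPools": [{"Id": "us-east-1_EXAMPLE1"}]}

    def describe_user_pool(self, UserPoolId):
        return {"UserPool": {"Id": UserPoolId, "CustomDomain": "auth.example.com"}}

    def describe_user_pool_domain(self, Domain):
        return {"DomainDescription": {"Domain": Domain, "UserPoolId": "us-east-1_EXAMPLE1",
                                      "CloudFrontDistribution": "d111111abcdef8.cloudfront.net",
                                      "CustomDomainConfig": {"CertificateArn": CERT_ARN}}}


class StubAPIGW:  # one domain name on a different certificate, so it must not match
    def get_domain_names(self, **kw):
        return {"items": [{"domainName": "api.example.com",
                           "certificateArn": CERT_ARN.replace("e015608b", "00000000"),
                           "distributionDomainName": "d222222abcdef8.cloudfront.net"}]}


if __name__ == "__main__":
    if "--live" in sys.argv and boto3 is not None:  # needs credentials for the cert's account
        me = boto3.client("sts").get_caller_identity()["Account"]
        arn = next((a for a in sys.argv[1:] if a.startswith("arn:")), CERT_ARN)
        res = triage(boto3.client("acm"), boto3.client("cognito-idp"), boto3.client("apigateway"), arn, me)
    else:
        res = triage(StubACM(), StubCognito(), StubAPIGW(), CERT_ARN, OWN_ACCOUNT)
    print(res)
    print("\n".join(release_plan(res["cognito"], res["apigw"])))
```

Run it with no arguments to see the stub walk-through; with `--live <certificate-arn>` and credentials for the account that owns the certificate it performs the real lookups. A foreign-account CloudFront ARN in the InUseBy list is not evidence that another party has your certificate: ACM only lets services in your own account attach it, and the distribution is simply one AWS operates for you. Once the Cognito domain or API Gateway domain name is gone, the certificate's InUseBy list empties, the ACM delete succeeds, and the CloudFormation cleanup that was failing on ResourceInUseException can proceed.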

1

Please raise a support case, they should be able to help out.

AWS
Rishi
answered a year ago
