API Gateway - Cannot remove ACM Certificate

0

Hi,

I'm trying to remove an expired ACM Certificate that was originally associated with some API Gateway resources. I've tried the suggestions here https://repost.aws/knowledge-center/acm-certificate-resources, recommended by AWS Support team, but my problem here is the domain and the associated ACM are no longer there when querying API Gateway.

Here are my AWS-CLI outputs:

Domains:

    aws apigateway get-domain-names --region=us-east-1
    { "items": [] }

ACM:

    aws apigateway get-client-certificates --region=us-east-1
    { "items": [] }

And when queried against the specific domain, masked for privacy, it is not there:

    aws apigateway get-domain-name --domain-name h****.io --region=us-east-1
    An error occurred (NotFoundException) when calling the GetDomainName operation: Invalid domain name identifier specified

So overall, I'm now a bit stuck on how to change the ACM certificate or delete the domain if neither of them is there. Could I get some help on how to get around this problem, please?

Thank you. Hien

2 Answers
1

Hi Hien,

Two weeks ago, I had an ACM Certificate connected to AWS services, which I managed to remove. Based on your situation, I would like to offer you a couple of suggestions:

  1. Sometimes, AWS resources might not be properly cleaned up. Use the AWS Management Console to manually check for any orphaned resources related to API Gateway or ACM. Sometimes, the console provides more visibility or different options compared to the CLI.
  2. Ensure that the IAM user or role you're using has the necessary permissions to view and manage ACM certificates and API Gateway domains. Lack of proper permissions can sometimes lead to resources not being listed.
  3. If the resources were created using AWS CloudFormation, check the stacks to see if the resources are still part of an active stack. If they are, you might need to update or delete the stack to remove the resources.
  4. Ensure that you are querying in the correct region.
  5. ACM Certificates can also be used with CloudFront. If you have a CloudFront distribution that utilizes an ACM Certificate, this could prevent you from removing it.

If none of these suggestions resolve your problem, I kindly request that you provide the error message you received when attempting to delete the certificate.

Onur
answered 4 months ago
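Added example, not part of the original thread and not code from AWS or either poster. Suggestions 1, 4 and 5 above all come down to the same question: which resources still reference the certificate, in which region, and in whose account. `aws acm describe-certificate` returns that list in the `InUseBy` field as ARNs, and parsing the ARNs answers all three at once. The script below groups the ARNs by service and region, and flags any consumer whose account ID is not your own, which is the situation Hien describes (an edge-optimized API Gateway custom domain is fronted by a CloudFront distribution that lives in an AWS-owned account, so it never shows up in your own CloudFront console). The sample `describe-certificate` output, account IDs, domain and distribution IDs are constructed for the example.

```python
"""Group an ACM certificate's InUseBy ARNs by service, region and owning account.

Added example (not from the re:Post thread). Usage with a real certificate:

    aws acm describe-certificate --certificate-arn <arn> --region us-east-1 > cert.json
    python3 acm_in_use_by.py cert.json <your-account-id>

Without arguments it runs against the constructed sample data below.
"""
import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Consumer:
    arn: str
    service: str
    region: str            # "" for global services such as CloudFront
    account: str           # "" when the service omits the account (API Gateway does)
    resource: str
    foreign_account: bool  # True when the consumer belongs to another account


def parse_arn(arn: str, own_account: str) -> Consumer:
    """Split arn:partition:service:region:account:resource into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, _partition, service, region, account, resource = parts
    return Consumer(arn, service, region, account, resource,
                    foreign_account=bool(account) and account != own_account)


def classify_in_use_by(describe_output: dict, own_account: str) -> list:
    """Take the JSON printed by `aws acm describe-certificate` and parse InUseBy."""
    arns = describe_output["Certificate"].get("InUseBy", [])
    return [parse_arn(a, own_account) for a in arns]


def summarize(consumers: list) -> dict:
    """Count consumers per (service, region), list regions to check and foreign-account ARNs."""
    by_location = {}
    for c in consumers:
        key = (c.service, c.region or "global")
        by_location[key] = by_location.get(key, 0) + 1
    return {
        "total": len(consumers),
        "by_location": by_location,
        "regions": sorted({c.region for c in consumers if c.region}),
        "foreign": [c.arn for c in consumers if c.foreign_account],
    }


# Constructed sample, shaped like `aws acm describe-certificate` output.
# 111122223333 plays the reader's account; 444455556666 stands in for an
# AWS-owned account such as the one that hosts API Gateway's edge distributions.
OWN_ACCOUNT = "111122223333"
SAMPLE_DESCRIBE_OUTPUT = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-0000-0000-000000000000",
        "DomainName": "api.example.com",
        "Status": "EXPIRED",
        "InUseBy": [
            "arn:aws:apigateway:us-east-1::/domainnames/api.example.com",
            "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE",
            "arn:aws:cloudfront::444455556666:distribution/E2QWRUHAPOMQZL",
            "arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/app/my-alb/50dc6c495c0c9188",
        ],
    }
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            data, own = json.load(fh), sys.argv[2]
    else:
        data, own = SAMPLE_DESCRIBE_OUTPUT, OWN_ACCOUNT
    report = summarize(classify_in_use_by(data, own))
    print(f"{report['total']} consumer(s); regions to check: {report['regions']}")
    for (service, region), n in sorted(report["by_location"].items()):
        print(f"  {service:22s} {region:12s} {n}")
    for arn in report["foreign"]:
        print("  not in your account (cannot be deleted from your console):", arn)
```

Anything listed under `foreign` cannot be cleaned up from your own console or CLI; for an API Gateway-managed distribution the only lever you have is the API Gateway custom domain that created it, and if that domain is already gone from every region, the remaining association is one for AWS Support to clear.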
0

Hi Onur,

Thank you for the suggestions and to answer your pointers:

  1. I have waited for more than 48 hours but the resources did not disassociate.
  2. My personal account has Admin role and furthermore, I'm also the main gatekeeper of our root account.
  3. Not in this particular case; no AWS CloudFormation was used.
  4. Yes, Virginia us-east-1 is the problematic region.
  5. I have ensured that it is not the case.

Here is what I'm seeing when using console to delete:

[image omitted]

and here is a list of resources associated with this problematic ACM cert, all under the AWS internal API Gateway account:

[image omitted]

Please let me know if you have some further suggestions that I could try.

Many thanks, Hien

Hien
answered 4 months ago
