Unable to delete certificate - in use by an unknown account

1

I'm trying to change a certificate to use DNS instead of e-mail for verification, and it looks like you can't modify an existing certificate so I have created a new one.

This worked fine and now I am trying to delete the old certificate but I cannot as it says it's in use:

Certificate is in use

The certificate *.example.com (b1f0c003-3a03-41da-98e1-11de39b50cc2)is in use (associated with other AWS resources) and cannot be deleted. Disassociate the certificate from each resource in the list and try again.
Associated resources

    arn:aws:cloudfront::392220576650:distribution/E2236MAM7WJSZZ
    arn:aws:cloudfront::392220576650:distribution/E3MB90ZRMYH1S

Apparently this account ID belongs to Amazon and I have heard this can come from API Gateway, however I have nothing set up in API Gateway. Hunting around I did have an old CloudFormation template active from some experimentation with the Serverless Framework application, however after removing that template and giving it a few hours, I still cannot delete the certificate!

Is there any way I can find out what exactly is using the certificate so I can figure out how to remove it? Or is there any way I can just delete the certificate anyway and see what breaks?

asked 5 years ago, 885 views
1 Answer
3

With a bit of help, I was finally able to work this one out.

It turns out that there's a limitation in the AWS web interface, and you can have some elements of API Gateway active but inaccessible via the web interface. I was told I needed to go to "Custom Domains" but all I could see was the "Getting Started" page.

In the end I had to resort to using the CLI, and blindly hunting around until I hit upon the region where the resources were.

    aws --region us-east-1 apigateway get-domain-names
    aws --region us-east-1 apigateway delete-domain-name --domain-name example.com

After a few hours this resulted in the AWS-owned CloudFront resources being released and I could at last remove the old certificate! Phew!

answered 5 years ago
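
The region-by-region hunt described in the answer above, as an added example that is not part of the original post: a read-only loop that reports which region holds an API Gateway custom domain name referencing a given certificate. The function names, the `REGIONS` override and the script name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find API Gateway custom domain names that reference a given
# ACM certificate by checking every region. Read-only: nothing is deleted.

# Print the regions to search: $REGIONS if set (space-separated, an
# assumption of this example), otherwise every region enabled for the
# account (needs ec2:DescribeRegions and a configured default region).
list_regions() {
    if [ -n "${REGIONS:-}" ]; then
        printf '%s\n' $REGIONS
    else
        aws ec2 describe-regions --query 'Regions[].RegionName' \
            --output text | tr '\t' '\n'
    fi
}

# Print "region<TAB>domain-name" for each custom domain that uses the
# certificate, either edge-optimized (certificateArn) or regional
# (regionalCertificateArn).
find_cert_domains() {
    cert_arn=$1
    query="items[?certificateArn=='${cert_arn}' || regionalCertificateArn=='${cert_arn}'].domainName"
    for region in $(list_regions); do
        names=$(aws --region "$region" apigateway get-domain-names \
                    --query "$query" --output text 2>/dev/null) || {
            echo "skipped $region (call failed)" >&2
            continue
        }
        for name in $names; do
            # --output text prints "None" for a null result; ignore it
            [ "$name" = "None" ] || printf '%s\t%s\n' "$region" "$name"
        done
    done
}

# Usage: sh find-cert-domains.sh <certificate-arn>
if [ $# -gt 0 ]; then
    find_cert_domains "$1"
fi
```

Regions reported as skipped are worth a second look, since a denied or disabled region can still hold the domain name that keeps the certificate in use.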
