
Unable to create a trigger for Lambda

0

I am trying to create a trigger for a Lambda function to use the event source mapping functionality. Though it shows as enabled for some time, it goes to disabled after a while, showing the error below.

Last processing result: PROBLEM: Certificate and/or private key must be in PEM format.

I did multiple checks and could see my key in Secrets Manager is in the proper format. For reference, please see the picture below.

Enter image description here

asked 8 months ago · 128 views
2 Answers
5

Below is the checklist to locate the issue:

  • PEM blocks are complete and properly wrapped
  • No trailing whitespace or malformed headers
  • If encrypted, password is included and uses PBES1 algorithm (PBES2 is not supported)
  • Secrets Manager secret is in the same region as your Lambda function
  • Lambda has permission to access the secret (secretsmanager:GetSecretValue)
EXPERT
answered 8 months ago
  • Thanks for your response. Is there any set of commands that creates the key and secret in the exact format they are expected to have? Also, I am keeping the same content which I shared in my ticket under the Secrets Manager key and encryption sections. Would that cause any issues?

1

The error message "PROBLEM: Certificate and/or private key must be in PEM format" indicates that there's an issue with the certificate or private key format you're using for your Lambda trigger.

This specific error typically occurs when setting up an event source mapping with Apache Kafka. Even though your key might appear to be in the correct format in Secrets Manager, there could be a few issues:

  1. The certificate or private key might not be properly formatted in PEM format.
  2. The private key encryption might be using an algorithm that's not compatible. Specifically, the private key encryption should use a PBES1 algorithm.

To resolve this issue:

  1. Verify that both your certificate and key are in proper PEM format.
  2. Check that the private key encryption uses a PBES1 algorithm.
  3. Make sure there are no extra characters, line breaks, or formatting issues in your certificate or key.

If you're adding a trigger through the Lambda console, follow these steps:

  1. Open the Functions page of the Lambda console
  2. Select your function
  3. In the Function overview pane, choose "Add trigger"
  4. Select the AWS service you want to use to invoke your function
  5. Fill out the trigger configuration options carefully, ensuring all certificate and key information is correctly formatted

If the issue persists, you might need to regenerate your certificates and keys to ensure they meet the required format specifications.
Sources
Troubleshooting self-managed Apache Kafka event source mapping errors - AWS Lambda
Invoking Lambda with events from other AWS services - AWS Lambda

answered 8 months ago
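
The format checks listed in the two answers above, as an added example (not code from the original posts or from AWS): it takes the PEM text as stored in the secret, reports incomplete blocks, stray whitespace and malformed BEGIN/END lines, and reads the PKCS#8 header of an `ENCRYPTED PRIVATE KEY` block to see whether it names PBES2. The function names and the sample input are constructed for illustration.

```python
import base64
import binascii
import re

PBES2_OID = bytes.fromhex("2a864886f70d01050d")  # DER body of 1.2.840.113549.1.5.13
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def _tlv(buf, pos):  # -> (tag, value bytes, offset of value) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos

def encryption_oid(der):
    """Raw OID bytes of PKCS#8 EncryptedPrivateKeyInfo.encryptionAlgorithm."""
    _, _, pos = _tlv(der, 0)      # outer SEQUENCE
    _, _, pos = _tlv(der, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(der, pos)  # algorithm OBJECT IDENTIFIER
    return oid if tag == 0x06 else b""

def _check_body(label, b64):
    try:
        der = base64.b64decode(b64, validate=True)
        if label == "ENCRYPTED PRIVATE KEY" and encryption_oid(der) == PBES2_OID:
            return [f"{label}: encrypted with PBES2, not PBES1"]
    except (binascii.Error, ValueError, IndexError):
        return [f"{label}: body is not valid base64/DER"]
    return [] if der else [f"{label}: empty block"]

def check_pem(text):
    problems, label, body = [], None, []
    for i, line in enumerate(text.split("\n"), 1):
        if line != line.strip():  # also catches CRLF line endings
            problems.append(f"line {i}: leading/trailing whitespace")
        m = BOUNDARY.match(line.strip())
        if "-----" in line and not m:
            problems.append(f"line {i}: malformed BEGIN/END line")
        elif m and m[1] == "BEGIN":
            label, body = m[2], []
        elif m and m[1] == "END":
            problems += _check_body(label, "".join(body)) if m[2] == label else [f"line {i}: unmatched END"]
            label = None
        elif label:
            body.append(line.strip())
    return problems + ([f"{label}: missing END line"] if label else [])

# Constructed sample (PBES2 OID, no real key); the trailing space is deliberate.
SAMPLE = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(bytes.fromhex(
    "3011300d06092a864886f70d01050d05000400")).decode() + "\n-----END ENCRYPTED PRIVATE KEY----- \n")
```

Run `check_pem` on the certificate and private key text exactly as retrieved from the secret; an empty list means none of these format problems were found.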
