CloudFront not able to use Sectigo issued certificate after deleting Cloudflare issued certificate

0

Hello,

We use CloudFlare as our domain registrar + DNS and AWS CloudFront as CDN. We route all our traffic from CloudFlare to AWS CloudFront using CNAME records.

Initially we had an "older" Sectigo certificate that we imported into AWS Certificate Manager and used it to create a CloudFront Distribution. The said certificate expired so we issued a CloudFlare Origin certificate and imported into AWS Certificate Manager. Next, we updated the CloudFront Distribution to use the CloudFlare certificate - which worked fine.

Eventually, we tried to set up another CloudFront Distribution using the CloudFlare issued certificate - this failed as the certificate was not "trusted". Hence we purchased a new Sectigo certificate and imported it into AWS Certificate Manager.

Now when we try to create a new AWS CloudFront Distribution using the new Sectigo certificate, we still get an error saying that the certificate is not trusted!

Eventually, we removed the CloudFlare issued certificate by disassociating it from the other distribution - but we are still facing the same issue. Existing distributions are able to transition to the new certificate - but new CNAME records or new distributions are facing errors.

It seems that AWS CloudFront is still "using" the old CloudFlare certificate. Can someone suggest how to fix this issue?

Please note that we had SAME wildcard domain certificates (*.example.com) issued from CloudFlare and Sectigo.

Thanks & Regards, Dhwanil Shah

1 Answer
2
Accepted Answer

It is hard to comment on your specific issue, as there are many misconfigurations that can cause a certificate not to be trusted, in addition to it being signed by a certificate that is not trusted.

Without knowing, or having access to your endpoint with this certificate installed, I can suggest you look at the following:

When you import the certificate to ACM, ensure that you have all the certificates in the chain as well. In particular, pay careful attention to this document: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-format.html

A missing intermediate will result in this type of error.

Lastly, can I suggest that you have a look at potentially using a free ACM certificate with CloudFront? You can configure validation to a DNS record in your CloudFlare DNS. Refer to https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html. This is free for AWS services that are supported by ACM, and has the benefit that it supports automatic renewal and such, removing overhead from the use of the certificate.

AWS EXPERT
answered a month ago
  • Thank you for your quick and accurate response! CloudFront accepted the certificate after I reimported the certificate and added the missing intermediate certificate during the import.
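The missing-intermediate check from the accepted answer, as an added shell example that is not code from this thread or from AWS: it builds a constructed root/intermediate/leaf chain with openssl, then verifies a candidate ACM import bundle the way CloudFront must be able to, so a chain file that lacks the intermediate is caught before `aws acm import-certificate` runs. All CN values, file names and the temporary directory are placeholders.

```shell
#!/bin/sh
# Added example, not code from the re:Post thread or from AWS. It builds a constructed
# root -> intermediate -> leaf PKI with openssl and then checks an ACM import bundle the
# way CloudFront must be able to: the leaf has to chain to a trust anchor using ONLY the
# intermediates supplied in the chain file. All names and paths are placeholders.
set -e
WORK=$(mktemp -d)

# Build the constructed test PKI (*.example.com leaf, like the wildcard in the question).
gen_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Placeholder Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Placeholder Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
  # Two candidate chain files for the ACM "certificate chain" field.
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain_ok.pem"   # intermediate + root
  cp "$WORK/root.pem" "$WORK/chain_missing.pem"                  # root only: the classic mistake
}

# chain_status LEAF CHAIN ROOT: prints "ok" when LEAF verifies through CHAIN up to ROOT,
# or "missing-intermediate" when it does not (what ACM/CloudFront surface as "not trusted").
chain_status() {
  if openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo missing-intermediate
  fi
}

gen_chain
echo "chain_ok.pem:      $(chain_status "$WORK/leaf.pem" "$WORK/chain_ok.pem" "$WORK/root.pem")"
echo "chain_missing.pem: $(chain_status "$WORK/leaf.pem" "$WORK/chain_missing.pem" "$WORK/root.pem")"
# Only import once the status is "ok" (real AWS CLI command; the file names are placeholders):
#   aws acm import-certificate --certificate fileb://leaf.pem \
#       --private-key fileb://leaf.key --certificate-chain fileb://chain_ok.pem
```

Run the same `chain_status` call against your real leaf, chain file and the issuing CA's root before importing; a bundle that only verifies when the intermediate is in the chain file is exactly the case the accepted answer describes.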
