Remove ACM Certificate used for deleted VPN connection

0

Hello,

I have deleted a VPN connection which was established by using ACM private certificates, but I cannot delete the certificates used for this connection:

Command: aws acm delete-certificate --certificate-arn arn:aws:acm:eu-central-1:41xxxxxxxx39:certificate/7ef2226a-515b-4f90-aca7-72fefddb9a86

Output: An error occurred (ResourceInUseException) when calling the DeleteCertificate operation: Certificate...

In the documentation it is mentioned as follows:

"For certificate-based authentication, delete all Certificate Manager (ACM) private certificates used for the Amazon Web Services-side tunnel endpoints for the VPN connection before deleting the VPN connection."

" You cannot delete an ACM certificate that is being used by another Amazon Web Services service. To delete a certificate that is in use, the certificate association must first be removed."

So far I understand my mistake, but I am not able to remove this certificate association via WebUI or CLI.

The list certificates gives output as follows: "CertificateArn": "arn:aws:acm:eu-central-1:41xxxxxxxx39:certificate/7ef2226a-515b-4f90-aca7-72fefddb9a86", "DomainName": "vpn-0ea809fb052c8c149.endpoint-0"

Where DomainName is the certificate association, which I have to delete first (I guess) in order to delete the certificate, but I didn't find a way to do this.

Can you help me to sort this problem out?

Kind Regards

asked 2 years ago · 495 views
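As an added illustration (not from the original post, nor AWS code), the following Python pre-flight plans the teardown in the order the quoted documentation requires, tunnel certificates first and the VPN connection last, and refuses to plan when the connection is already gone, which is the orphaned-certificate state the question describes. The sample list-certificates and describe-vpn-connections data, the account number and the certificate ARNs are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# ACM names VPN tunnel certificates "<vpn-id>.endpoint-<n>", as seen in the
# DomainName field of the list-certificates output quoted in the question.
ENDPOINT_RE = re.compile(r"^(vpn-[0-9a-f]+)\.endpoint-(\d+)$")

# Constructed sample data standing in for `aws acm list-certificates` and
# `aws ec2 describe-vpn-connections` output (placeholder account and ARNs).
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:eu-central-1:123456789012:certificate/aaaa-0",
     "DomainName": "vpn-0ea809fb052c8c149.endpoint-0"},
    {"CertificateArn": "arn:aws:acm:eu-central-1:123456789012:certificate/bbbb-1",
     "DomainName": "vpn-0ea809fb052c8c149.endpoint-1"},
    {"CertificateArn": "arn:aws:acm:eu-central-1:123456789012:certificate/cccc-x",
     "DomainName": "vpn-0123456789abcdef0.endpoint-0"},  # belongs to another VPN
]
SAMPLE_VPNS = [{"VpnConnectionId": "vpn-0ea809fb052c8c149", "State": "available"}]


def tunnel_certificates(certs: List[Dict], vpn_id: str) -> List[str]:
    """ARNs of the certificates tied to vpn_id, ordered by tunnel endpoint index."""
    found: List[Tuple[int, str]] = []
    for c in certs:
        m = ENDPOINT_RE.match(c.get("DomainName", ""))
        if m and m.group(1) == vpn_id:  # exact match, never a prefix match
            found.append((int(m.group(2)), c["CertificateArn"]))
    return [arn for _, arn in sorted(found)]


def teardown_plan(certs: List[Dict], vpns: List[Dict], vpn_id: str) -> List[Tuple[str, ...]]:
    """Ordered AWS CLI argument tuples: certificates first, VPN connection last.

    Refuses to plan when the connection is already gone: the certificates are
    then orphaned in ACM, delete-certificate fails with ResourceInUseException
    and only AWS Support can remove the stale association."""
    live = {v["VpnConnectionId"] for v in vpns
            if v.get("State") not in ("deleting", "deleted")}
    if vpn_id not in live:
        raise RuntimeError(f"{vpn_id} no longer exists; open a support request")
    plan = [("acm", "delete-certificate", "--certificate-arn", arn)
            for arn in tunnel_certificates(certs, vpn_id)]
    plan.append(("ec2", "delete-vpn-connection", "--vpn-connection-id", vpn_id))
    return plan


if __name__ == "__main__":
    for step in teardown_plan(SAMPLE_CERTS, SAMPLE_VPNS, "vpn-0ea809fb052c8c149"):
        print("aws", *step)  # one runnable CLI line per step, in the safe order
```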
2 Answers
0

If you look at your AWS console, please navigate to VPC -> Virtual Private Network (VPN) -> Site-to-Site VPN Connections. The error message points to a connection with the ID vpn-0ea809fb052c8c149 which is still defined there.

If you can find it you have the possibility to select it and use different certificates via the menu entry Actions -> Modify Tunnel certificate. The certificate vpn-0ea809fb052c8c149.endpoint-0 indicates that it is the first tunnel in use.

Theoretically the certificate can also be assigned to a different service by mistake. Can you try to get the full error message? If you navigate to AWS Certificate Manager -> Certificates and select the certificate in question you will see the Associated Resources section, which will point you in the right direction.

If you can't find any VPN connections defined I would recommend opening a support ticket to have the case investigated.

EXPERT
answered 2 years ago
  • Hi Andreas,

    Yes, there isn't any VPN connection defined, as I have deleted it. It is just ACM which is still claiming it is there. It was my mistake, because I deleted it and later I saw that certificates have to be deleted previously, which led to my current problem. The full error message is: An error occurred (ResourceInUseException) when calling the DeleteCertificate operation: Certificate arn:aws:acm:eu-central-1:411581576539:certificate/7ef2226a-515b-4f90-aca7-72fefddb9a86 in account 41xxxxxxxx39 is in use.

    The VPN connection has been deleted but still shows up in ACM as an associated resource.

    Thank you

0

Hi Ian,

I'm sorry, but in this case I can only recommend that you open a support request. The service team will be able to remove this association and you can delete the certificate afterwards.

EXPERT
answered 2 years ago
