Unable to delete ACM certificate because of association to a non-existent resource

1

I am unable to delete a certificate because it is marked as in use by a CloudFront distribution. This CloudFront distribution is (according to the ARN) in my account, but I cannot see it (using the console or the CLI). The certificate was attached to two distributions. It was detached from the first more than a year ago (when it was deleted), and from the second one about a month ago (it still exists).

Some questions mention waiting a bit (a year seems to qualify) and remaining resources from API Gateway (I haven't used this service at all, and the resources are in my account).

I don't have access to technical support (basic account) so I am unable to contact them directly.

1 Answer
-1

You can reference this link to delete the ACM certificate: https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-resources/

AWS
answered 2 years ago
  • I have never used API Gateway, and the distribution seems to be in my account. And since the ARN for the CloudFront distribution contains my account ID, I think I'm supposed to own it. I have checked all the services mentioned in this documentation for resources, but I don't have anything there.

  • Can you check the ARN of the 'Associated Resource' in the certificate in ACM - does it match that of the AWS account that you're in? If not, then it's likely that this is a resource created by API GW and owned by that service. Go into API GW and see if you have any global GWs that have an ACM cert associated with them. https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html

    If you had API GWs but have recently deleted them, give it some time before deleting the cert. Let me know if this helps.

  • I am upvoting this problem and adding details. Here is a summary of commands that show the issue (PowerShell, ARNs partially redacted).

    > aws acm describe-certificate --certificate-arn arn:aws:acm:us-east-1:account:certificate/69581cc8-0000-0000-0000-9767d87f6592 --region us-east-1 --output json --query Certificate.InUseBy[0]
    "arn:aws:cloudfront::account:distribution/ECB7LRF7H87TN"
    

    Then I take that arn and try to look at it

    > aws cloudfront get-distribution --id arn:aws:cloudfront::account:distribution/ECB7LRF7H87TN
    
    An error occurred (NoSuchDistribution) when calling the GetDistribution operation: The specified distribution does not exist.
    

    Try deleting it anyway, just to be sure

    > aws cloudfront delete-distribution --id arn:aws:cloudfront::account:distribution/ECB7LRF7H87TN
    
    An error occurred (NoSuchDistribution) when calling the DeleteDistribution operation: The specified distribution does not exist.
    

    That didn't work, but let's try to delete the certificate just in case something really did work.

    > aws acm delete-certificate --certificate-arn arn:aws:acm:us-east-1:account:certificate/69581cc8-0000-0000-0000-9767d87f6592 
    
    An error occurred (ResourceInUseException) when calling the DeleteCertificate operation: Certificate arn:aws:acm:us-east-1:account:certificate/69581cc8-0000-0000-0000-9767d87f6592 in account account is in use.
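
One thing to be aware of when repeating the checks in the comment above: `aws cloudfront get-distribution --id` (and the SDK `Id` parameter) takes the bare distribution ID (`ECB7LRF7H87TN`), not the whole ARN, so lookups that pass the full ARN do not on their own establish that the distribution is gone. The following is an added example, not code from the original post or from AWS. It pulls the `InUseBy` list the way the `describe-certificate` call above does, parses each ARN, compares the account field against the caller's account (the check suggested in the answer's comment), and then looks the CloudFront distributions up by their bare ID. The account IDs, the second to fourth ARNs and the `fake_get_distribution` lookup are constructed so the logic runs offline; the live path at the bottom uses boto3 when a certificate ARN is passed on the command line.

```python
"""Triage the associations that make `aws acm delete-certificate` fail
with ResourceInUseException.

Added example, not code from the original post or from AWS. Account and
distribution IDs below are constructed for offline use; the live path at
the bottom uses boto3 if it is installed.
"""
import re
from typing import Callable, Dict, List, Optional

# ARN grammar: arn:partition:service:region:account:resource
# Global services such as CloudFront leave region empty, hence [^:]* there.
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an ARN into its fields; raise on anything that is not an ARN."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.groupdict()


def resource_id(fields: Dict[str, str]) -> str:
    """`distribution/ECB7LRF7H87TN` -> `ECB7LRF7H87TN`.
    The CLI/SDK `Id` parameter wants only this part, never the whole ARN."""
    return fields["resource"].split("/", 1)[-1]


def triage(in_use_by: List[str], caller_account: str,
           get_distribution: Callable[[str], Optional[dict]]) -> List[Dict[str, str]]:
    """Classify each InUseBy entry that ACM reports for a certificate.

    get_distribution(dist_id) returns a dict for an existing distribution and
    None when CloudFront answers NoSuchDistribution; it is injected so the
    logic can run without credentials.
    """
    findings = []
    for arn in in_use_by:
        f = parse_arn(arn)
        if f["account"] != caller_account:
            status = "foreign-account"   # another account or a service-owned resource (API Gateway case)
        elif f["service"] != "cloudfront":
            status = "not-cloudfront"    # check that service's console/CLI instead
        elif get_distribution(resource_id(f)) is None:
            status = "dangling"          # ACM still lists it, CloudFront cannot find it
        else:
            status = "live"              # remove the ViewerCertificate from it, then retry the delete
        findings.append({"arn": arn, "service": f["service"],
                         "id": resource_id(f), "status": status})
    return findings


# Constructed sample: the first ARN mirrors the one in the comment above,
# the other three are made up to exercise every branch.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_IN_USE_BY = [
    "arn:aws:cloudfront::123456789012:distribution/ECB7LRF7H87TN",
    "arn:aws:cloudfront::123456789012:distribution/E2LIVE00000000",
    "arn:aws:cloudfront::999999999999:distribution/E3OTHER0000000",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef",
]


def fake_get_distribution(dist_id: str) -> Optional[dict]:
    """Offline stand-in: only the constructed E2LIVE... distribution exists."""
    return {"Id": dist_id} if dist_id == "E2LIVE00000000" else None


def demo() -> List[Dict[str, str]]:
    return triage(SAMPLE_IN_USE_BY, SAMPLE_ACCOUNT, fake_get_distribution)


def live_get_distribution(cloudfront):
    """Wrap a boto3 CloudFront client into the callable triage() expects."""
    def _get(dist_id: str) -> Optional[dict]:
        try:
            return cloudfront.get_distribution(Id=dist_id)["Distribution"]
        except cloudfront.exceptions.NoSuchDistribution:
            return None
    return _get


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:                      # no ARN given: run the offline sample
        for row in demo():
            print(row)
        sys.exit(0)
    import boto3                                # live path only
    cert_arn = sys.argv[1]
    acm = boto3.client("acm", region_name=parse_arn(cert_arn)["region"])
    in_use_by = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]["InUseBy"]
    account = boto3.client("sts").get_caller_identity()["Account"]
    for row in triage(in_use_by, account, live_get_distribution(boto3.client("cloudfront"))):
        print(row)
```

Run it with no arguments to see the four classifications on the constructed sample, or with a certificate ARN (credentials in the environment) to triage a real certificate. A `live` entry is the one case you can act on yourself by editing the distribution; `foreign-account` points at the API Gateway check in the comment above; a `dangling` entry is a stale association on the ACM side that the public API cannot remove.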
    
