12

I'm trying to associate a custom SSL certificate with Cloudfront. I uploaded it to IAM with the cert, privatekey, and chain. I gave it an upload path of /cloudfront.

I have also requested and received permission from AWS to use custom SSL with Cloudfront.

However, when I'm in the CloudFront console and trying to associate the certificate, I get the following error when I press the "Yes, Edit" button.

"The specified viewer certificate does not exist or is not valid." (check attached image)


I've purchased a wildcard cert from DNSimple, and followed these instructions (https://devcenter.heroku.com/articles/ssl-certificate-dnsimple)

Does anyone have an idea how to go forward? I might have made my certificate incorrectly, but I have no idea how to debug this. Is it possible that I've made my certificate correctly, and there is just something wrong with my AWS account or CloudFront configuration?

Thanks!

seansu4you87
  • The best way to get help would be to post this question in AWS CloudFront support forums - https://forums.aws.amazon.com/forum.jspa?forumID=46, which are actively monitored by Amazon support folks. – Dmitry Guyvoronsky Jul 10 '13 at 00:42
  • I'm trying to figure this out too. I see you're still interfacing with AWS. Have you fixed this yet? – sfkaos Jul 27 '13 at 06:20
  • any updates on the matter? – Ali Aug 07 '13 at 12:33

2 Answers

12

So I figured out the problem!

DNSimple by default makes you a 2432-bit key, which is larger than the max size of 2048-bit that Amazon allows. If you want to test the size of your key and cert, run the following:

Private Key:

openssl rsa -in private.key -text -noout

Example: Private-Key: (2048 bit)

Cert:

openssl x509 -in public.cert -text -noout

Example output: Public-Key: (2048 bit)

The output of each command will tell you how many bits it is. If you bought an SSL cert from DNSimple, you can message them and they can reauthorize your cert/key with a different size.

After doing this, associating your cert with your Cloudfront distribution should work.

seansu4you87
  • Thanks for the tip, but mine was already 2048-bit. How did you upload it to AWS in the first place? I'm having a hellish time trying to upload it to IAM ...getting `A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to parse certificate. Please ensure the certificate is in PEM format.` – Neal Mar 18 '14 at 21:06
  • Neal, I figured this issue out I think, make sure you actually include file:// in front of all file names – catbelly Mar 21 '14 at 20:07
  • FML. I have a 4096-bit SSL key. – Huckphin Mar 31 '14 at 22:33
  • For those wondering, I found the limitation documented here: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html – hrdwdmrbl Aug 21 '14 at 14:42
0

Also got this error, and spent more time than I'd like trying to work out why it was failing (key size over 2048, cert chain, etc.).

I was attempting to use an IAM cert when creating the distribution through Terraform (specifying iam_certificate_id). Having looked at the AWS web interface for creating a distribution, there's no option to enter an IAM cert ID, and it appears to only allow ACM certs. Has support for IAM certificates now been dropped (doesn't seem to be available on the AWS console)?

When using ACM cert instead of IAM cert it worked fine for me.

Will
  • Did you ever find out if it was no longer possible with IAM certificates? – wottle Jun 25 '18 at 19:57
  • Nothing conclusive... still working on the assumption that if it's not in the GUI support for IAM certs must have been dropped. I've been using ACM certs since. – Will Jun 26 '18 at 07:53
  • For us, it turned out the problem was that in order for CloudFront to use the IAM cert, it must be stored with a path that begins with "/cloudfront/" https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-custom-certificate/ Not sure if this was your issue within Terraform, but it might be worth checking out. We aren't allowed to use ACM certs, so it wasn't an option for us. – wottle Jun 26 '18 at 14:59