105

I am going to create a new distribution in CloudFront. I have already uploaded my SSL certificate to AWS IAM using the AWS CLI. That certificate appears in the Custom SSL Certificate dropdown on the new distribution page, but it is DISABLED.

Can someone tell me why this is so? How do I select my custom SSL certificate for this distribution?

theGeekster

17 Answers

134

It took AWS a whole day to propagate the new certificate to all of its nodes. The next day, when I logged in to my AWS console, the certificate appeared in the dropdown and was enabled as well, and I could configure the distribution successfully.

Also, be sure to select us-east-1 (N. Virginia) when you make the certificate request; it's the only region that supports it at this time (even if your bucket / asset is in another region).

iwasrobbed
theGeekster
  • Been waiting for 3 days now, unfortunately – elsurudo Jun 05 '16 at 21:57
  • Redoing the certificate in N. Virginia solved my problem. It's weird that certificates actually have different issue status in different regions...lol – Neekey Jul 27 '17 at 09:37
  • When creating a new CloudFront distribution, Amazon specifically states "You can use a certificate stored in AWS Certificate Manager (ACM) in the US East (N. Virginia) Region, or you can use a certificate stored in IAM." – Shea Dec 29 '17 at 01:17
  • According to both https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html and https://aws.amazon.com/certificate-manager/faqs/, "to use an ACM certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region". – Big Pumpkin Apr 17 '18 at 19:39
  • I created a certificate using the N. Virginia region in ACM, and DNS validation. It was working in 10 minutes. – Deepan Prabhu Babu Oct 20 '19 at 18:11
  • I inspected the HTML and removed the disabled property and selected the certificate lol – Abhishek Pankar Jan 24 '21 at 12:50
  • Luckily I got it within an hour, exactly after I read this thread. – Dev Utkarsh Jul 10 '21 at 20:26
44

Only certificates registered in AWS Certificate Manager (ACM) in the US East (N. Virginia) Region will be enabled for use in CloudFront.

37
  • Import the cert into IAM or create one through ACM in us-east-1, as mentioned in the other comments.
  • Wait for the validation to be complete, i.e. not orange.
  • Load the CloudFront distribution settings edit page.
  • If the Custom SSL option is greyed out, log out of the console and log back in. After this step the greyed-out option came alive for me. I imagine it being cached somehow and the logout-login refreshing it.
neo01124
19

Just wait a few minutes and reload the distribution settings page to see the custom SSL option ENABLED.

I had the same problem, didn't use my AWS root account and the IAM path was correctly set to /cloudfront/.

Jonathan Maim
16

Sign in to the console and use this URL: https://console.aws.amazon.com/acm/home?region=us-east-1#/wizard/ and it will work. The key is the region.

Philip
  • Yes, this worked immediately for me also. (I then went back and simply deleted the certificate I made under region=us-west-2) – Terje Dahl Dec 13 '17 at 08:03
14

I had similar issues, and it worked more smoothly for me to import the cert into AWS Certificate Manager.

If you are using AWS Certificate Manager with an S3 bucket, make sure you are importing the cert into the US East (N. Virginia) region. As of today, that is the only region in ACM that supports S3. See https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

Ryan Walls
  • Spot on! This is the solution for this problem - Thanks Ryan – EdsonF Dec 07 '16 at 10:19
  • This is the solution! More relevant link: https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html: *To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.* – illagrenan Jan 11 '18 at 22:10
13

Go back to the CloudFront homepage after the certificate gets issued and refresh the page. It worked for me.

7

The reason it is not showing up now is probably that the IAM path you have set is not /cloudfront/ [1]. You can use the same CLI you used to upload the certificate to change the default path of /, or you could upload the certificate again. Let me know if that doesn't fix it.

  1. http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#CNAMEsAndHTTPS
imperalix
4

Make sure that you're not uploading the certificate using an AWS root account. If you use a root account, the certificate will be visible but you won't be able to select it.

Instead, create a new IAM user with adequate rights (I used an account with an administrative policy assigned) and upload the certificate using those credentials. The certificate should then be available.

Kristopher
  • This worked for me; I created the cert as a root user, but the custom SSL setting was disabled when editing the distribution even though I could see the cert as an option in the drop-down. After creating an administrator user and signing in as that account, the option was no longer disabled. – Simon L. Brazell Feb 11 '18 at 07:28
3

If you are requesting a certificate in another region (not us-east-1), set your region to us-east-1 and request a certificate again. I just requested the same domain name in ap-northeast-2 and it works immediately.

user1035957
2

There seems to be an error in the front-end.

Try this, it worked for me:

  • Go into the HTML using your browser's inspection tool.
  • Delete the "disabled" attributes from both the radio button and the textbox that are currently greyed out.
  • Then insert the ARN of your certificate.
  • Complete your form.
1

Use this:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:DeleteServerCertificate",
      "iam:UploadServerCertificate",
      "iam:ListServerCertificates",
      "iam:GetServerCertificate"
    ],
    "Resource": "*"
  }]
}
Mike Doe
d.balu
1

I see there are many good answers already, and any of them may be the reason your Custom SSL Certificate section is disabled. I think I just found another one, and this was the case for me:

For many "integrated services", which includes CloudFront, only a few algorithms and key sizes are supported. I was trying to use my RSA 4096-bit certificate, and a key of adequate length.

As of right now, for use with the "integrated services" AWS only accepts key lengths of 1024 or 2048 bits.

Mentioned here: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html

wiktus239
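The answers above name three separate reasons the option stays greyed out: an ACM certificate outside us-east-1, an IAM server certificate uploaded under a path other than /cloudfront/, and an unsupported key size. Here is an added preflight check that tests all three at once; it is my own example, not code from any answer. It runs offline over constructed sample output shaped like `aws acm list-certificates` and `aws iam list-server-certificates` (placeholder account id and ARNs), and the key-size rule is the one quoted in the thread, so adjust SUPPORTED_KEYS if AWS's prerequisites page now lists more.

```python
import json

ACM_REGION = "us-east-1"       # ACM certificates for CloudFront must live here (per the thread)
IAM_PATH = "/cloudfront/"      # IAM server certificates must be uploaded under this path
SUPPORTED_KEYS = {"RSA_1024", "RSA_2048"}  # key sizes the thread says CloudFront accepts


def check_acm(summary):
    """Return the reasons an ACM certificate summary is not CloudFront-eligible."""
    problems = []
    region = summary["CertificateArn"].split(":")[3]  # arn:aws:acm:REGION:account:...
    if region != ACM_REGION:
        problems.append(f"region is {region}, not {ACM_REGION}")
    if summary.get("Status") != "ISSUED":
        problems.append(f"status is {summary.get('Status')}, not ISSUED")
    if summary.get("KeyAlgorithm") not in SUPPORTED_KEYS:
        problems.append(f"key algorithm {summary.get('KeyAlgorithm')} not supported")
    return problems


def check_iam(meta):
    """Return the reasons an IAM server certificate is not CloudFront-eligible."""
    return [] if meta["Path"] == IAM_PATH else [f"path is {meta['Path']}, not {IAM_PATH}"]


def eligible_certificates(acm_json, iam_json):
    """Map every certificate ARN to its list of problems; an empty list means eligible."""
    report = {}
    for s in json.loads(acm_json)["CertificateSummaryList"]:
        report[s["CertificateArn"]] = check_acm(s)
    for m in json.loads(iam_json)["ServerCertificateMetadataList"]:
        report[m["Arn"]] = check_iam(m)
    return report


# Constructed sample CLI output (assumed shape; 123456789012 is a placeholder account id).
ACM_SAMPLE = json.dumps({"CertificateSummaryList": [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaa-good",
     "DomainName": "cdn.example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_2048"},
    {"CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/bbbb-region",
     "DomainName": "cdn.example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_2048"},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cccc-bigkey",
     "DomainName": "cdn.example.com", "Status": "PENDING_VALIDATION", "KeyAlgorithm": "RSA_4096"}]})
IAM_SAMPLE = json.dumps({"ServerCertificateMetadataList": [
    {"ServerCertificateName": "cdn-good", "Path": "/cloudfront/",
     "Arn": "arn:aws:iam::123456789012:server-certificate/cloudfront/cdn-good"},
    {"ServerCertificateName": "cdn-rootpath", "Path": "/",
     "Arn": "arn:aws:iam::123456789012:server-certificate/cdn-rootpath"}]})

if __name__ == "__main__":
    for arn, problems in eligible_certificates(ACM_SAMPLE, IAM_SAMPLE).items():
        print(arn, "->", "OK" if not problems else "; ".join(problems))
```

Pipe the real `--output json` of both commands into `eligible_certificates` to check your own account; a certificate with an empty problem list should be selectable once the console refreshes (or after a logout/login, as several answers note).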
1

In my case it was not about requesting the ACM certificate in the N. Virginia region; after the ACM status turned green, I needed to log out and log in for the button to become enabled.

Minh Chau
1

I got the same issue, so I read this.

But for me, it was still disabled as it can take a whole day for the same.

So, I inspected the html and removed the disabled property and selected the certificate.

Abhishek Pankar
0

If the certificate is not showing in the drop down list you can copy and paste the full ARN for the certificate. The ARN is found in Certificate Manager by selecting the certificate you want to use.

-1

An AWS root account cannot select a custom certificate in CloudFront.

Please create a new IAM user with the policy below and create the CloudFront distribution with that user; then you will be able to select a custom SSL certificate.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": ["*"]
  }]
}
Subhash