7

As my SSL certificate expired, I received the renewal from the certificate authority and reimported it in the AWS Certificate Manager console, and it promptly changed from Expired back to Issued. It is directly linked to a CloudFront distribution, and it looks like, even after a while, it won't reflect that change. I then checked its SSL Certificate Identifier, which matches the correct ACM entry. I invalidated all the cache after that to make sure it would reflect even in an anonymous window, but there is no luck just yet.

I was unable to find in the AWS documentation whether it would take several hours to reflect or whether any other action is required in order to get it working. One thing I didn't try was clearing the local browser cache, as I understand that several users depend on that and I'd like this update to be transparent to all of them.

I appreciate any clues or tips on this matter.

fagiani
  • I think "reimport" was probably the wrong option. Call it intuition, but I don't think this feature works the way it appears to. Import the certificate again, as though it were a new certificate. Then go to CloudFront and select the certificate by its new identifier and save changes. – Michael - sqlbot Oct 10 '17 at 00:15
  • Hi @Michael-sqlbot, the reimport was suggested by the ACM console to renew as the certificate was expired. Thanks anyway! – fagiani Oct 10 '17 at 12:11
  • I understand that, but I suspect there may be an issue that can arise which could delay the deployment in such a case, and if true then creating a new cert and changing the CloudFront config to use it should allow the process to happen very quickly. If you are still having issues, I recommend you try it. – Michael - sqlbot Oct 10 '17 at 12:16
  • @Michael-sqlbot one advantage of reimport in this case is that no approval process is going to happen, and in my situation it would take up to several days for that. I agree with you that it would be simpler to apply on CloudFront once approved, though. As I was able to figure out an alternative way, I've posted the answer below so others can use it in the future. Keep Rocking! – fagiani Oct 10 '17 at 12:23
  • There should be no approval process for *imported* certificates. Approval should only be needed for certificates *issued* by ACM. Your workaround did occur to me, but lacking a way to really verify it, I didn't mention it. It does make sense, though -- and confirms my suspicion that "reimport" doesn't seem to actively update all systems currently using the cert. +1 for solving your own issue. – Michael - sqlbot Oct 10 '17 at 12:28

2 Answers

4

I was able to get the new certificate transparently reflected to users by going to the CloudFront distribution and setting the SSL Certificate value to the Default SSL CloudFront Certificate (*.cloudfront.net); then, after deploy and propagation, I re-selected the Custom SSL Certificate (example.com) from ACM.

Hope it helps anyone in the same situation in the future.

fagiani
3

If your certificate has already expired, importing the renewed certificate as a new one and switching to it in the CloudFront distribution settings is the quickest way to fix the problem. But if you still have some time left before it expires, reimporting is the correct way. The benefit is that if you use it in more than one place, e.g. using the same wildcard certificate in multiple distributions, you don't have to go and change it multiple times. In my case, I reimported it and checked back 12 hours later and CloudFront had already applied it.

Iamz
  • That's the right answer. Apparently, SSL should be renewed at least a week in advance. It takes about that much time to propagate to all CF edges. However, propagation progress is not available. – anup Dec 23 '19 at 07:25
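Since CloudFront exposes no propagation status, the practical check is to ask each edge IP directly which leaf certificate it serves for your hostname. The following is an added example (not code from any poster here) using only the Python standard library; `DISTRIBUTION_HOST` and `RENEWED_SERIAL` are placeholders you replace with your own distribution hostname and the serial ACM shows for the renewed certificate.

```python
import socket
import ssl
import time
from typing import Dict

# Placeholders: your CloudFront-fronted hostname and the serial of the renewed cert.
DISTRIBUTION_HOST = "example.com"
RENEWED_SERIAL = "0a:1b:2c:3d"  # as ACM displays it, colons optional


def peer_certificate(hostname: str, ip: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Connect to one edge IP with SNI set to the hostname and return the leaf
    certificate in the dict form produced by ssl.SSLSocket.getpeercert()."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, so a bad cert raises
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def classify(peercert: Dict, expected_serial: str, now: float) -> str:
    """Return 'expired', 'renewed' or 'stale' for one edge's leaf certificate."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if not_after <= now:
        return "expired"
    served = peercert.get("serialNumber", "").replace(":", "").upper()
    wanted = expected_serial.replace(":", "").upper()
    return "renewed" if served == wanted else "stale"


def check_edges(hostname: str, expected_serial: str) -> Dict[str, str]:
    """Resolve every A record for the hostname and classify the cert each edge serves.
    Run it from a few regions over time to see the rollout progress the console hides."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    now = time.time()
    results: Dict[str, str] = {}
    for ip in sorted({info[4][0] for info in infos}):
        try:
            results[ip] = classify(peer_certificate(hostname, ip), expected_serial, now)
        except (OSError, ssl.SSLError) as exc:  # handshake failure usually means expired/stale
            results[ip] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for ip, state in check_edges(DISTRIBUTION_HOST, RENEWED_SERIAL).items():
        print(f"{ip:16} {state}")
```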