Tags: policy, config_error, ai_generated: true
The certificate specified is not in the us-east-1 region. The certificate must be in the us-east-1 region to use with CloudFront.
ID: policy/cloudfront-custom-ssl-certificate-must-be-in-us-east-1
Fix Rate: 85%
Confidence: 88%
Evidence: 1
First Seen: 2023-03-15
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CloudFront | active | — | — | — |
| ACM | active | — | — | — |
| AWS Console 2023-2025 | active | — | — | — |
Root Cause
CloudFront is a global service and only reads ACM certificates from the us-east-1 (N. Virginia) region. A custom SSL/TLS certificate requested or imported in any other region, including the region where the origin runs, does not appear in the distribution's certificate list and is rejected by the API, so the certificate must be provisioned in us-east-1 regardless of where the origin is.
Official Documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
Workarounds
- 90% success: Request a new certificate in ACM in us-east-1, then select it in the distribution's custom SSL certificate setting. DNS validation is preferred because ACM can then renew the certificate automatically as long as the validation CNAME stays in place. Use the AWS CLI: aws acm request-certificate --domain-name example.com --validation-method DNS --region us-east-1
- 85% success: If you hold the certificate, private key and chain as files (a certificate from a third-party CA, or one you previously imported into ACM in another region), import them into ACM in us-east-1 and attach the resulting ARN: aws acm import-certificate --certificate fileb://cert.pem --private-key fileb://privkey.pem --certificate-chain fileb://chain.pem --region us-east-1
  Caveat: ACM does not export the private key of a standard ACM-issued public certificate, so a certificate that ACM itself issued in another region cannot be moved this way; request a new one in us-east-1 instead.
Dead Ends
Common approaches that don't work:
- 95% fail: Pointing the distribution at an ACM certificate in the origin's region (or any region other than us-east-1). CloudFront's edge network is global and only accepts ACM certificates held in us-east-1; a certificate in another region does not show up in the console's certificate list and its ARN is rejected by the API.
- 80% fail: Using a self-signed certificate or the legacy IAM server-certificate upload. CloudFront only accepts certificates held in ACM or IAM; AWS recommends ACM, and IAM is a legacy path for cases where ACM cannot be used. A self-signed certificate is not trusted by browsers even if it can be uploaded.
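The following is an added example, not code from the page or from AWS: a pre-flight check for this policy that inspects the ViewerCertificate block of a CloudFront DistributionConfig (the shape returned by `aws cloudfront get-distribution-config`) before `aws cloudfront update-distribution` is called. It flags the two dead ends above (an ACM certificate outside us-east-1, and the legacy IAM certificate path) and builds the corrected ViewerCertificate block for the us-east-1 workaround. The account ID, certificate IDs, IAM certificate ID and the sample configs are all constructed placeholders.

```python
"""Pre-flight check for cloudfront-custom-ssl-certificate-must-be-in-us-east-1.

Added example; inspects a DistributionConfig dict in the shape returned by
`aws cloudfront get-distribution-config`. Sample configs below are constructed
(placeholder account and certificate IDs), so this runs offline.
"""
import re
from typing import Any, Dict, List

REQUIRED_REGION = "us-east-1"

# ACM certificate ARN: arn:<partition>:acm:<region>:<account>:certificate/<uuid>
ACM_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):acm:"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):certificate/"
    r"(?P<cert_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)


def acm_arn_region(arn: str) -> str:
    """Return the region encoded in an ACM certificate ARN, or raise ValueError."""
    m = ACM_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ACM certificate ARN: {arn!r}")
    return m.group("region")


def check_viewer_certificate(dist_config: Dict[str, Any]) -> List[str]:
    """Return policy findings for the ViewerCertificate block (empty list = compliant)."""
    findings: List[str] = []
    vc = dist_config.get("ViewerCertificate", {})

    if vc.get("CloudFrontDefaultCertificate"):
        # Default *.cloudfront.net certificate: no custom certificate to check.
        return findings

    acm_arn = vc.get("ACMCertificateArn")
    if acm_arn:
        try:
            region = acm_arn_region(acm_arn)
        except ValueError as exc:
            findings.append(str(exc))
        else:
            if region != REQUIRED_REGION:
                findings.append(
                    f"ACM certificate is in {region}; CloudFront only accepts ACM "
                    f"certificates from {REQUIRED_REGION}: {acm_arn}"
                )

    if vc.get("IAMCertificateId"):
        # Legacy path: AWS recommends ACM for CloudFront custom certificates.
        findings.append(
            f"distribution uses an IAM server certificate ({vc['IAMCertificateId']}); "
            f"migrate it to ACM in {REQUIRED_REGION}"
        )

    if not acm_arn and not vc.get("IAMCertificateId"):
        findings.append("ViewerCertificate names neither an ACM nor an IAM certificate")
    return findings


def viewer_certificate_for(acm_arn: str) -> Dict[str, Any]:
    """Build a ViewerCertificate block for update-distribution, refusing non-us-east-1 ARNs."""
    region = acm_arn_region(acm_arn)
    if region != REQUIRED_REGION:
        raise ValueError(f"certificate {acm_arn} is in {region}, must be in {REQUIRED_REGION}")
    return {
        "ACMCertificateArn": acm_arn,
        "SSLSupportMethod": "sni-only",  # dedicated-IP ("vip") is a paid option, rarely needed
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CloudFrontDefaultCertificate": False,
    }


# Constructed sample configs (placeholder account and certificate IDs).
CERT_ID = "11111111-2222-3333-4444-555555555555"
WRONG_REGION_ARN = f"arn:aws:acm:eu-west-1:123456789012:certificate/{CERT_ID}"
GOOD_ARN = f"arn:aws:acm:us-east-1:123456789012:certificate/{CERT_ID}"

MISCONFIGURED = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "ViewerCertificate": {
        "ACMCertificateArn": WRONG_REGION_ARN,  # certificate in the origin's region: rejected
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CloudFrontDefaultCertificate": False,
    },
}

FIXED = dict(MISCONFIGURED, ViewerCertificate=viewer_certificate_for(GOOD_ARN))

LEGACY_IAM = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "ViewerCertificate": {
        "IAMCertificateId": "ASCAEXAMPLEIAMCERTID",  # placeholder IAM server certificate ID
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CloudFrontDefaultCertificate": False,
    },
}

if __name__ == "__main__":
    for name, cfg in [("misconfigured", MISCONFIGURED), ("fixed", FIXED), ("legacy-iam", LEGACY_IAM)]:
        print(name, check_viewer_certificate(cfg) or "OK")
```

Run it against the output of `aws cloudfront get-distribution-config --id <distribution-id>` (the `DistributionConfig` object) in CI; a non-empty findings list means the update would be rejected or would land on the legacy IAM path, and `viewer_certificate_for` produces the block to splice into the config once the us-east-1 certificate has reached the ISSUED state.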