{ "id": "policy/cloudfront-custom-ssl-certificate-must-be-in-us-east-1", "signature": "The certificate specified is not in the us-east-1 region. The certificate must be in the us-east-1 region to use with CloudFront.", "signature_zh": "指定的证书不在 us-east-1 区域。与 CloudFront 一起使用的证书必须位于 us-east-1 区域。", "regex": "The certificate specified is not in the us-east-1 region\\. The certificate must be in the us-east-1 region to use with CloudFront\\.|Certificate must be in the us-east-1 region", "domain": "policy", "category": "config_error", "subcategory": null, "root_cause": "CloudFront requires all custom SSL/TLS certificates to be provisioned in the us-east-1 region, even if the origin is in a different region.", "root_cause_type": "generic", "root_cause_zh": "CloudFront 要求所有自定义 SSL/TLS 证书必须在 us-east-1 区域预置，即使源站位于其他区域也是如此。", "versions": [ { "version": "CloudFront", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "ACM", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "AWS Console 2023-2025", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "CloudFront's edge network is global and only ACM certificates in us-east-1 are supported for custom SSL. Other regions are rejected.", "fail_rate": 0.95, "condition": "", "sources": [] }, { "action": "", "why_fails": "CloudFront only accepts certificates from ACM or IAM, but IAM certificates are deprecated and ACM is the recommended path. Self-signed certificates are not trusted by browsers.", "fail_rate": 0.8, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Request or import the SSL certificate in ACM in the us-east-1 region. Use the AWS CLI: aws acm request-certificate --domain-name example.com --validation-method DNS --region us-east-1", "success_rate": 0.9, "how": "Request or import the SSL certificate in ACM in the us-east-1 region. Use the AWS CLI: aws acm request-certificate --domain-name example.com --validation-method DNS --region us-east-1", "condition": "", "sources": [] }, { "action": "If the certificate is already in another region, export it and re-import to ACM in us-east-1: aws acm import-certificate --certificate fileb://cert.pem --private-key fileb://privkey.pem --certificate-chain fileb://chain.pem --region us-east-1", "success_rate": 0.85, "how": "If the certificate is already in another region, export it and re-import to ACM in us-east-1: aws acm import-certificate --certificate fileb://cert.pem --private-key fileb://privkey.pem --certificate-chain fileb://chain.pem --region us-east-1", "condition": "", "sources": [] } ], "workarounds_zh": [ "Request or import the SSL certificate in ACM in the us-east-1 region. Use the AWS CLI: aws acm request-certificate --domain-name example.com --validation-method DNS --region us-east-1", "If the certificate is already in another region, export it and re-import to ACM in us-east-1: aws acm import-certificate --certificate fileb://cert.pem --private-key fileb://privkey.pem --certificate-chain fileb://chain.pem --region us-east-1" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.88, "fix_success_rate": 0.85, "resolvable": "true", "first_seen": "2023-03-15", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }