policy
config_error
ai_generated
true
指定的证书不在 us-east-1 区域。与 CloudFront 一起使用的证书必须位于 us-east-1 区域。
The certificate specified is not in the us-east-1 region. The certificate must be in the us-east-1 region to use with CloudFront.
ID: policy/cloudfront-custom-ssl-certificate-must-be-in-us-east-1
85%修复率
88%置信度
1证据数
2023-03-15首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| CloudFront | active | — | — | — |
| ACM | active | — | — | — |
| AWS Console 2023-2025 | active | — | — | — |
根因分析
CloudFront 要求所有自定义 SSL/TLS 证书必须在 us-east-1 区域预置,即使源站位于其他区域也是如此。
English
CloudFront requires all custom SSL/TLS certificates to be provisioned in the us-east-1 region, even if the origin is in a different region.
官方文档
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html解决方案
-
Request or import the SSL certificate in ACM in the us-east-1 region. Use the AWS CLI: aws acm request-certificate --domain-name example.com --validation-method DNS --region us-east-1
-
If the certificate is already in another region, export it and re-import to ACM in us-east-1: aws acm import-certificate --certificate fileb://cert.pem --private-key fileb://privkey.pem --certificate-chain fileb://chain.pem --region us-east-1
无效尝试
常见但无效的做法:
-
95% 失败
CloudFront's edge network is global and only ACM certificates in us-east-1 are supported for custom SSL. Other regions are rejected.
-
80% 失败
CloudFront only accepts certificates from ACM or IAM, but IAM certificates are deprecated and ACM is the recommended path. Self-signed certificates are not trusted by browsers.