# 指定的证书不在 us-east-1 区域。与 CloudFront 一起使用的证书必须位于 us-east-1 区域。

- **ID:** `policy/cloudfront-custom-ssl-certificate-must-be-in-us-east-1`
- **领域:** policy
- **类别:** config_error
- **验证级别:** ai_generated
- **修复率:** 85%

## 根因

CloudFront 要求所有自定义 SSL/TLS 证书必须在 us-east-1 区域预置，即使源站位于其他区域也是如此。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| CloudFront | active | — | — |
| ACM | active | — | — |
| AWS Console 2023-2025 | active | — | — |

## 解决方案

1. ```
   Request or import the SSL certificate in ACM in the us-east-1 region. Use the AWS CLI: aws acm request-certificate --domain-name example.com --validation-method DNS --region us-east-1
   ```
2. ```
   If the certificate is already in another region, export it and re-import to ACM in us-east-1: aws acm import-certificate --certificate fileb://cert.pem --private-key fileb://privkey.pem --certificate-chain fileb://chain.pem --region us-east-1
   ```

## 无效尝试

- **** — CloudFront's edge network is global and only ACM certificates in us-east-1 are supported for custom SSL. Other regions are rejected. (95% 失败率)
- **** — CloudFront only accepts certificates from ACM or IAM, but IAM certificates are deprecated and ACM is the recommended path. Self-signed certificates are not trusted by browsers. (80% 失败率)