Type: policy / config_error (ai_generated: true)
The certificate specified is not in the us-east-1 region. The certificate must be in the us-east-1 region to use with CloudFront
ID: policy/cloudfront-custom-ssl-certificate-not-in-us-east-1
Fix rate: 95%
Confidence: 92%
Evidence: 1
First seen: 2023-03-15
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CloudFront API 2020-05-31 | active | — | — | — |
| ACM API 2015-12-08 | active | — | — | — |
| AWS SDK for JavaScript v3 | active | — | — | — |
| AWS CLI v2 | active | — | — | — |
Root Cause
CloudFront requires that custom SSL certificates be stored in ACM (AWS Certificate Manager) in the us-east-1 region, regardless of the distribution's edge location or origin region.
Official Documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
Workarounds
- 95% success: Request or import the SSL certificate in ACM in the us-east-1 region, then associate it with the CloudFront distribution. Using the AWS CLI:

  ```shell
  aws acm request-certificate --domain-name example.com --region us-east-1
  ```

- 90% success: If using Terraform, give the ACM resource a provider alias pinned to us-east-1:

  ```hcl
  provider "aws" {
    alias  = "cloudfront-cert"
    region = "us-east-1"
  }

  resource "aws_acm_certificate" "cert" {
    provider          = aws.cloudfront-cert
    domain_name       = "example.com"
    validation_method = "DNS" # required for a certificate request (as opposed to an import)
  }
  ```

- 80% success: Use CloudFront's default certificate (*.cloudfront.net) if a custom domain is not required, which removes the need for a custom SSL certificate.
Dead Ends
Common approaches that don't work:
- 95% fail: CloudFront only accepts certificates from us-east-1; other regions are not supported for custom SSL.
- 70% fail: CloudFront requires ACM certificates for custom SSL; IAM certificates are deprecated and may cause compatibility issues.
- 100% fail: The console will block the association entirely, and the error persists until the certificate is in us-east-1.
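The workarounds and dead ends above can be caught before an UpdateDistribution call fails. The following pre-deployment check is an added example, not code from this page or from AWS; it assumes the input is a ViewerCertificate block in the shape the CloudFront API and boto3 use (ACMCertificateArn, IAMCertificateId, CloudFrontDefaultCertificate) and reads the region out of the ACM ARN.

```python
"""Hypothetical pre-deployment check for a CloudFront ViewerCertificate block.

Flags the three failure modes this page describes: an ACM certificate outside
us-east-1, a deprecated IAM server certificate, and a malformed/missing ARN.
ARN layout: arn:partition:service:region:account:resource
"""
from dataclasses import dataclass, field

REQUIRED_REGION = "us-east-1"  # CloudFront only accepts ACM certs from this region


@dataclass
class CheckResult:
    ok: bool
    problems: list = field(default_factory=list)


def acm_arn_region(arn: str):
    """Return the region of an ACM certificate ARN, or None if it is not one."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "acm":
        return None
    if not parts[5].startswith("certificate/"):
        return None
    return parts[3]


def check_viewer_certificate(vc: dict) -> CheckResult:
    """Validate a ViewerCertificate dict against CloudFront's certificate rules."""
    problems = []
    if vc.get("CloudFrontDefaultCertificate"):
        # Default *.cloudfront.net certificate: no custom certificate should be set.
        if vc.get("ACMCertificateArn") or vc.get("IAMCertificateId"):
            problems.append("CloudFrontDefaultCertificate is true but a custom cert is also set")
        return CheckResult(not problems, problems)
    if vc.get("IAMCertificateId"):
        problems.append("IAMCertificateId set: IAM certs are deprecated for CloudFront; use ACM")
    arn = vc.get("ACMCertificateArn")
    if not arn:
        if not vc.get("IAMCertificateId"):
            problems.append("no certificate configured and default certificate not enabled")
    else:
        region = acm_arn_region(arn)
        if region is None:
            problems.append(f"not a valid ACM certificate ARN: {arn}")
        elif region != REQUIRED_REGION:
            problems.append(f"ACM certificate is in {region}; CloudFront requires {REQUIRED_REGION}")
    return CheckResult(not problems, problems)


if __name__ == "__main__":
    # Constructed sample: a certificate requested in the wrong region.
    sample = {"ACMCertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/example-id"}
    for p in check_viewer_certificate(sample).problems:
        print("PROBLEM:", p)
```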