{
  "id": "policy/cloudfront-custom-ssl-certificate-not-in-us-east-1",
  "signature": "The certificate specified is not in the us-east-1 region. The certificate must be in the us-east-1 region to use with CloudFront",
  "signature_zh": "指定的证书不在us-east-1区域。要与CloudFront一起使用，证书必须位于us-east-1区域",
  "regex": "The certificate specified is not in the us-east-1 region",
  "domain": "policy",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "CloudFront requires that custom SSL certificates be stored in ACM (AWS Certificate Manager) in the us-east-1 region, regardless of the distribution's edge location or origin region.",
  "root_cause_type": "generic",
  "root_cause_zh": "CloudFront要求自定义SSL证书必须存储在ACM（AWS证书管理器）的us-east-1区域，无论分配的边缘位置或源区域如何。",
  "versions": [
    {
      "version": "CloudFront API 2020-05-31",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "ACM API 2015-12-08",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS SDK for JavaScript v3",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS CLI v2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "CloudFront only accepts certificates from us-east-1; other regions are not supported for custom SSL.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "CloudFront requires ACM certificates for custom SSL; IAM certificates are deprecated and may cause compatibility issues.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The console will block the association entirely, and the error persists until the certificate is in us-east-1.",
      "fail_rate": 1.0,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Request or import the SSL certificate in ACM region us-east-1, then associate it with the CloudFront distribution. Use AWS CLI: aws acm request-certificate --domain-name example.com --region us-east-1",
      "success_rate": 0.95,
      "how": "Request or import the SSL certificate in ACM region us-east-1, then associate it with the CloudFront distribution. Use AWS CLI: aws acm request-certificate --domain-name example.com --region us-east-1",
      "condition": "",
      "sources": []
    },
    {
      "action": "If using Terraform, set the provider region to us-east-1 for the ACM resource: provider \"aws\" { alias = \"cloudfront-cert\" region = \"us-east-1\" } resource \"aws_acm_certificate\" \"cert\" { provider = aws.cloudfront-cert domain_name = \"example.com\" }",
      "success_rate": 0.9,
      "how": "If using Terraform, set the provider region to us-east-1 for the ACM resource: provider \"aws\" { alias = \"cloudfront-cert\" region = \"us-east-1\" } resource \"aws_acm_certificate\" \"cert\" { provider = aws.cloudfront-cert domain_name = \"example.com\" }",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use CloudFront's default certificate (*.cloudfront.net) if a custom domain is not required, which removes the need for a custom SSL certificate.",
      "success_rate": 0.8,
      "how": "Use CloudFront's default certificate (*.cloudfront.net) if a custom domain is not required, which removes the need for a custom SSL certificate.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "在ACM区域us-east-1中请求或导入SSL证书，然后将其关联到CloudFront分配。使用AWS CLI：aws acm request-certificate --domain-name example.com --region us-east-1",
    "如果使用Terraform，将ACM资源的提供者区域设置为us-east-1：provider \"aws\" { alias = \"cloudfront-cert\" region = \"us-east-1\" } resource \"aws_acm_certificate\" \"cert\" { provider = aws.cloudfront-cert domain_name = \"example.com\" }",
    "如果不需要自定义域名，使用CloudFront的默认CloudFront证书(*.cloudfront.net)，绕过自定义SSL证书的需求。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.92,
  "fix_success_rate": 0.95,
  "resolvable": "true",
  "first_seen": "2023-03-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}