The certificate specified is not in the us-east-1 region. The certificate must be in the us-east-1 region to use with CloudFront
ID: policy/cloudfront-custom-ssl-certificate-not-in-us-east-1
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CloudFront API 2020-05-31 | active | — | — | — |
| ACM API 2015-12-08 | active | — | — | — |
| AWS SDK for JavaScript v3 | active | — | — | — |
| AWS CLI v2 | active | — | — | — |
Root cause analysis
CloudFront requires that custom SSL certificates be stored in ACM (AWS Certificate Manager) in the us-east-1 region, regardless of the distribution's edge locations or the origin's region.
Official documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
Solutions
- Request or import the SSL certificate in ACM in the us-east-1 region, then associate it with the CloudFront distribution. Using the AWS CLI:

  ```shell
  aws acm request-certificate --domain-name example.com --region us-east-1
  ```

- If using Terraform, set the provider region for the ACM resource to us-east-1:

  ```hcl
  # Aliased provider pinned to us-east-1, used only for the CloudFront certificate
  provider "aws" {
    alias  = "cloudfront-cert"
    region = "us-east-1"
  }

  resource "aws_acm_certificate" "cert" {
    provider    = aws.cloudfront-cert   # request the certificate in us-east-1
    domain_name = "example.com"
  }
  ```

- If a custom domain name is not needed, use CloudFront's default certificate (*.cloudfront.net), which removes the need for a custom SSL certificate altogether.
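The following pre-deployment check is an added example, not part of the original page and not AWS tooling. It evaluates the `ViewerCertificate` block of a CloudFront `DistributionConfig` (the JSON shape returned by `aws cloudfront get-distribution-config`) and reports a custom ACM certificate that lives outside us-east-1 before the association call that would fail; it also distinguishes the default *.cloudfront.net certificate (compliant) and an IAM server certificate (warning, per the note below on deprecated IAM certificates). The ARN layout check, the sample configs, the account id and the certificate ids are constructed placeholders.

```python
"""Pre-deployment check for policy/cloudfront-custom-ssl-certificate-not-in-us-east-1.

Input is a DistributionConfig dict as returned by
`aws cloudfront get-distribution-config --query DistributionConfig`.
Sample configs at the bottom are constructed; account ids and
certificate ids are placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

REQUIRED_CERT_REGION = "us-east-1"

# ACM certificate ARN layout:
#   arn:<partition>:acm:<region>:<account-id>:certificate/<certificate-id>
ACM_ARN_RE = re.compile(
    r"^arn:(?P<partition>[a-z-]+):acm:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):certificate/(?P<cert_id>[0-9a-fA-F-]+)$"
)

Finding = Tuple[str, str]  # (level, message); level is "error" or "warning"


def acm_arn_region(arn: str) -> Optional[str]:
    """Return the region embedded in an ACM certificate ARN, or None when the
    string is not a well-formed ACM certificate ARN."""
    match = ACM_ARN_RE.match(arn)
    return match.group("region") if match else None


def check_viewer_certificate(distribution_config: Dict) -> List[Finding]:
    """Return findings for one DistributionConfig; an empty list is compliant."""
    findings: List[Finding] = []
    viewer = distribution_config.get("ViewerCertificate", {})

    # The default *.cloudfront.net certificate needs no ACM certificate at all.
    if viewer.get("CloudFrontDefaultCertificate"):
        return findings

    arn = viewer.get("ACMCertificateArn")
    if arn:
        region = acm_arn_region(arn)
        if region is None:
            findings.append(("error", f"ACMCertificateArn is not a valid ACM certificate ARN: {arn}"))
        elif region != REQUIRED_CERT_REGION:
            findings.append(("error",
                             f"certificate is in {region}, but CloudFront requires it in "
                             f"{REQUIRED_CERT_REGION}: {arn}"))
    elif viewer.get("IAMCertificateId"):
        # Accepted by the API, but IAM-stored certificates are deprecated for
        # CloudFront custom SSL and can cause compatibility problems.
        findings.append(("warning",
                         "custom SSL uses an IAM server certificate; prefer an ACM "
                         f"certificate in {REQUIRED_CERT_REGION}"))
    else:
        findings.append(("error",
                         "ViewerCertificate names no certificate and "
                         "CloudFrontDefaultCertificate is not set"))
    return findings


# Constructed sample configs covering each case the check distinguishes.
SAMPLE_CONFIGS: Dict[str, Dict] = {
    "cert-in-eu-west-1": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/11111111-1111-1111-1111-111111111111",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    }},
    "cert-in-us-east-1": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/22222222-2222-2222-2222-222222222222",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    }},
    "iam-cert": {"ViewerCertificate": {
        "IAMCertificateId": "PLACEHOLDER-IAM-CERT-ID",  # placeholder, not a real id
        "SSLSupportMethod": "sni-only",
    }},
    "default-cert": {"ViewerCertificate": {
        "CloudFrontDefaultCertificate": True,
    }},
}


def run_all(configs: Dict[str, Dict] = SAMPLE_CONFIGS) -> Dict[str, List[Finding]]:
    """Check every config and map its name to its findings."""
    return {name: check_viewer_certificate(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, findings in run_all().items():
        has_error = any(level == "error" for level, _ in findings)
        print(f"{'FAIL' if has_error else 'PASS'} {name}")
        for level, message in findings:
            print(f"    {level}: {message}")
```

To run it against a live distribution, save the output of `aws cloudfront get-distribution-config --id <distribution-id> --query DistributionConfig` to a file, `json.load` it and pass the dict to `check_viewer_certificate`; an error-level finding means the update would be rejected with the error at the top of this page.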
Ineffective attempts
Common but ineffective approaches:
- 95% failure: CloudFront only accepts certificates from us-east-1; other regions are not supported for custom SSL.
- 70% failure: CloudFront requires ACM certificates for custom SSL; IAM certificates are deprecated and may cause compatibility issues.
- 100% failure: The console will block the association entirely, and the error persists until the certificate is in us-east-1.