# The specified certificate is not in the us-east-1 region. To be used with CloudFront, the certificate must be in the us-east-1 region

- **ID:** `policy/cloudfront-custom-ssl-certificate-not-in-us-east-1`
- **Domain:** policy
- **Category:** config_error
- **Verification level:** ai_generated
- **Fix rate:** 95%

## Root cause

CloudFront requires custom SSL certificates to be stored in ACM (AWS Certificate Manager) in the us-east-1 region, regardless of the distribution's edge locations or the region of the origin.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| CloudFront API 2020-05-31 | active | — | — |
| ACM API 2015-12-08 | active | — | — |
| AWS SDK for JavaScript v3 | active | — | — |
| AWS CLI v2 | active | — | — |

## Solution

1. Request or import the SSL certificate in ACM in the us-east-1 region, then associate it with the CloudFront distribution. Using the AWS CLI:

   ```bash
   aws acm request-certificate --domain-name example.com --region us-east-1
   ```
2. If using Terraform, set the provider region for the ACM resource to us-east-1:

   ```hcl
   # Provider alias pinned to us-east-1, the only region CloudFront reads custom certificates from
   provider "aws" {
     alias  = "cloudfront-cert"
     region = "us-east-1"
   }

   resource "aws_acm_certificate" "cert" {
     provider          = aws.cloudfront-cert
     domain_name       = "example.com"
     validation_method = "DNS" # added here; the original snippet omits it, DNS validation is the usual choice
   }
   ```
3. If no custom domain name is needed, use CloudFront's default certificate (*.cloudfront.net), which removes the need for a custom SSL certificate altogether.
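As an added example (not part of the original page), a Python pre-deployment check that inspects a distribution's `ViewerCertificate` block and flags a certificate outside us-east-1 before the association is attempted; `boto3` and AWS credentials are assumed only for the live lookup, the parsing and decision logic runs offline.

```python
"""Pre-deployment check: does a CloudFront distribution's custom certificate live in us-east-1?"""
from typing import Optional, Tuple

REQUIRED_REGION = "us-east-1"  # the only ACM region CloudFront reads custom certificates from


def acm_arn_region(arn: str) -> Optional[str]:
    """Return the region field of an ACM certificate ARN, or None if this is not an ACM ARN.
    ARN layout: arn:partition:service:region:account:resource"""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "acm":
        return None
    return parts[3]


def check_viewer_certificate(viewer_certificate: dict) -> Tuple[bool, str]:
    """Validate the ViewerCertificate block of a DistributionConfig; returns (ok, reason).
    Covers the three cases the page describes: default *.cloudfront.net certificate,
    ACM certificate (must be in us-east-1), and the deprecated IAM certificate path."""
    if viewer_certificate.get("CloudFrontDefaultCertificate"):
        return True, "default *.cloudfront.net certificate in use"
    if viewer_certificate.get("IAMCertificateId"):
        return False, "IAM server certificate in use; CloudFront expects an ACM certificate"
    arn = viewer_certificate.get("ACMCertificateArn")
    if not arn:
        return False, "no viewer certificate configured"
    region = acm_arn_region(arn)
    if region is None:
        return False, f"not an ACM certificate ARN: {arn}"
    if region != REQUIRED_REGION:
        return False, f"certificate is in {region}; CloudFront requires {REQUIRED_REGION}"
    return True, f"certificate is in {REQUIRED_REGION}"


def check_distribution(distribution_id: str) -> Tuple[bool, str]:
    """Run the check against a live distribution (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the pure functions above run offline

    cf = boto3.client("cloudfront")
    config = cf.get_distribution_config(Id=distribution_id)["DistributionConfig"]
    return check_viewer_certificate(config.get("ViewerCertificate", {}))


if __name__ == "__main__":
    # Constructed sample: a certificate requested in eu-west-1 by mistake (not a real account).
    bad = {"ACMCertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
           "SSLSupportMethod": "sni-only"}
    print(check_viewer_certificate(bad))
```

Running the check in CI against the rendered distribution config catches the wrong-region certificate before the console or API rejects the association.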

## Ineffective attempts

- CloudFront only accepts certificates from us-east-1; other regions are not supported for custom SSL. (95% failure rate)
- CloudFront requires ACM certificates for custom SSL; IAM certificates are deprecated and may cause compatibility issues. (70% failure rate)
- The console will block the association entirely, and the error persists until the certificate is in us-east-1. (100% failure rate)
