Stuck with the CloudFront InvalidViewerCertificate? We can help you.
We may come across an “InvalidViewerCertificate” exception while trying to create or update an Amazon CloudFront distribution.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
How can I resolve this?
The fix depends on the exact error message. For each one, our Support Techs recommend the steps below.
“The specified SSL certificate doesn’t exist, isn’t in us-east-1 region, isn’t valid, or doesn’t include a valid certificate chain.”
This indicates that the certificate doesn’t meet one or more of the following requirements for import into AWS Certificate Manager (ACM) or for association with a distribution:
- Imported in the US East (N. Virginia) Region.
- Uses a key of 2048 bits or smaller.
- Not password-protected.
- PEM encoded.
Before associating a certificate, we must make sure it meets all of these requirements.
Alternatively, we can request a public certificate from ACM in the US East (N. Virginia) Region, which meets the requirements by default.
Then, we can associate it with our distribution.
“To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name.”
This indicates that the Subject Alternative Name (SAN) entries of the certificate we provide do not cover the alternate domain names on the distribution.
To fix this, we can request a public certificate from ACM that covers those names, or we can contact the certificate authority (CA) for a certificate that does.
“The certificate that is attached to your distribution has too many certificates in the certificate chain.”
When the number of certificates in the chain exceeds the maximum value of five, it leads to this error.
In this case, we need a new certificate chain with five or fewer certificates.
However, if the current CA doesn’t support this, we can use ACM to issue a free valid certificate.
“The certificate that is attached to your distribution has one or more expired certificates in the certificate chain. Make sure that each certificate in the chain is valid for the current date by reviewing the Not Valid After field.”
We come across this message when one or more certificates in the chain that CloudFront tries to use has expired.
Here, we can download the proper chain files from the CA, and reimport the certificate and chain files to either ACM or AWS IAM.
Then, we retry the request.
“The certificate that is attached to your distribution has one or more certificates in the certificate chain that aren’t valid yet. Make sure that each certificate in the chain is valid for the current date by reviewing the Not Valid Before field.”
This indicates that one or more certificates in the chain are not valid yet.
A certificate is not valid yet when its start date (the Not Valid Before field) is in the future.
In this case, we can download the proper chain files from the CA, and reimport the certificate and chain files.
Then, we retry the request.
“The certificate that is attached to your distribution was not issued by a trusted Certificate Authority.”
CloudFront only allows an alternate domain name (CNAME) when the certificate is issued by a trusted CA, so we need to obtain the certificate from one.
Self-signed certificates are not supported.
“The certificate that is attached to your distribution has a value in the SAN field that is not correctly formatted.”
We face this error when one of the Subject Alternative Name entries is not correctly formatted.
CloudFront requires every entry to either be a DNS name with a fully qualified domain name (FQDN) or an IP address of a server.
Wildcard entries are valid, but we can’t add alternate domain names that are at higher or lower levels than the wildcard.
“The certificate that you specified doesn’t cover the alternate domain name (CNAME) that you’re trying to add.”
This error message indicates that one or more of the alternate domain names we pass in the CreateDistribution or UpdateDistribution API call are not in the certificate’s SAN field.
In such a case, we need to verify that we provide the correct certificate in the API call.
“CloudFront encountered an internal error. Please try again.”
This error means there was an internal problem while issuing the CreateDistribution or UpdateDistribution API call.
As a best practice, our Support Techs recommend retrying the API call later.
If the error persists, we check the AWS Service Health Dashboard for possible ongoing issues.
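As an added example, not code from the Bobcares post or from any AWS tool, the following Python pre-flight check mirrors the causes listed above so they can be caught locally before calling CreateDistribution or UpdateDistribution. It assumes the chain’s subjects and validity dates have already been extracted (for instance with `openssl x509 -text`), treats all dates as naive UTC, and uses a placeholder certificate ARN.

```python
import re
from datetime import datetime

MAX_CHAIN_LENGTH = 5           # CloudFront limit on certificates in the chain
REQUIRED_REGION = "us-east-1"  # ACM certificates for CloudFront must live here
FQDN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")

def san_covers(san, name):
    """Wildcard SAN '*.example.com' covers exactly one extra label, nothing else."""
    san, name = san.lower(), name.lower()
    if not san.startswith("*."):
        return san == name
    head, sep, tail = name.partition(".")
    return bool(head and sep and tail == san[2:])

def check_viewer_certificate(cert_arn, aliases, sans, chain, now):
    """Return the problems CloudFront would report; an empty list means OK."""
    problems = []
    arn = re.match(r"^arn:aws:acm:([a-z0-9-]+):\d{12}:certificate/", cert_arn)
    if not arn:
        problems.append("ViewerCertificate is not an ACM certificate ARN")
    elif arn.group(1) != REQUIRED_REGION:
        problems.append(f"certificate is in {arn.group(1)}, not {REQUIRED_REGION}")
    if len(chain) > MAX_CHAIN_LENGTH:
        problems.append(f"chain has {len(chain)} certificates, max is {MAX_CHAIN_LENGTH}")
    for cert in chain:  # entries: subject, not_before, not_after (naive UTC datetimes)
        if cert["not_after"] < now:
            problems.append(f"{cert['subject']}: expired (check Not Valid After)")
        if cert["not_before"] > now:
            problems.append(f"{cert['subject']}: not valid yet (check Not Valid Before)")
    for san in sans:  # every SAN entry must be an FQDN or an IP address
        if not (FQDN_RE.match(san) or IPV4_RE.match(san)):
            problems.append(f"SAN entry {san!r} is not an FQDN or IP address")
    for alias in aliases:
        if not any(san_covers(san, alias) for san in sans):
            problems.append(f"alias {alias!r} is not covered by the certificate SANs")
    return problems

# Constructed sample: wrong region, an expired intermediate, and an alias two labels below the wildcard.
NOW = datetime(2024, 6, 1)
SAMPLE_CHAIN = [{"subject": "CN=*.example.com", "not_before": datetime(2024, 1, 1), "not_after": datetime(2025, 1, 1)},
                {"subject": "CN=Example Intermediate CA", "not_before": datetime(2020, 1, 1), "not_after": datetime(2023, 1, 1)}]

def demo():
    # The certificate id in the ARN is a placeholder, not a real certificate.
    return check_viewer_certificate(
        "arn:aws:acm:eu-west-1:123456789012:certificate/PLACEHOLDER-ID",
        ["www.example.com", "api.internal.example.com"], ["*.example.com"], SAMPLE_CHAIN, NOW)
```

Running `demo()` returns three findings, one each for the region, the expired intermediate and the uncovered alias; fixing all three and retrying the API call is the same sequence the sections above describe.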
In short, we saw how our Support Techs fix the CloudFront InvalidViewerCertificate errors.