[Solved] Cannot delete certificate, CloudFront distribution not showing

I setup an Amazon Certificate for my sub-domain, now I figured I created that certificate under the wrong region and I’m trying to delete it. But I can’t.

Associated resource is arn:aws:cloudfront::061510835048:distribution/E2M97MJO774XJM, so I look at cloudfront and:

I don’t have any. :confused:
I therefore cannot delete whatever cloudfront I have. I tried to run sls remove for both development and production environments but it didn’t clean it either.

I looked a bit around and found this SO topic: amazon web services - CloudFront distribution not showing as Route53 alias target - Stack Overflow

Maybe it’s a AWS bug and SLS cannot do anything about it, I remember I read something similar about an AWS service that wasn’t showing stuff correctly for weeks and then it appeared. (cloudfront maybe? can’t recall)

Don’t know what to do to remove that certificate. I’ll take a look at CLI commands to see if there is anything on cloudfront running.


Edit 1: I did play around with the cli and I still cannot find any existing distribution.

(studylink-dev) ➜  simulator-feedback git:(master) ✗ aws cloudfront list-distributions
(studylink-dev) ➜  simulator-feedback git:(master) ✗ 
1 Like

I got a reply from AWS support:

I have spoken to our CloudFront team, and they have mentioned that the reason you cannot delete the CloudFront Distribution is due to it being used by your API Gateway.

API Gateway is currently using the CloudFront Distribution behind the scenes, and you will need to delete the API Gateway first.

The following link will provide you some relief in this:

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-delete-model.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HowToDeleteDistribution.html

I hope that helps and should you have any further questions or concerns, do not hesitate to contact us again.

I looked into my CloudFront and couldn’t see no distribution in any region.
I’m moving on with this issue, but existing stuff not showing up is definitely gonna make things harder to debug.

1 Like

I believe there is an issue when running sls remove, it doesn’t remove the associated resources of a certificate.

For instance, when a certificate has been applied on a CloudFront distribution, when the distribution is removed by Serverless, the link between the two isn’t removed.

Which leads to situation where we cannot remove the certificate itself. I’ve been struggling for days to apply a new certificate and I’m still having issues because I cannot find the associated resources of the certificate. And the certificate won’t allow to be deleted until all associated resources have been deleted.

Edit: Actually, the issue kinda was that sls remove doesn’t remove domains created by sls create_domain, which is okay. But I wasn’t aware of what sls create_domain was creating behind the scene.

2 Likes

I finally got a clear answer from the AWS support, and this this issue seem to be rather common/critical I’ll detail how to resolve it, since I spent about a week stuck on it.

Note: You can either choose to delete the distributions or associate the new certificate with the existing certificate, If you choose to replace the existing certificate with the new certificate follow these steps else skip the step 1.

Since you have certificate issue it is recommended to create a new certificate and replace it with existing certificate.

         Step 1: Logon to AWS console and Navigate to the certificate manager (ACM) and request a new certificate for ‘*.simulator.studylink.fr’ and ‘simulator.studylink.fr’ in us-
                      east-1 region.

Note: You can request the certificate for ‘*.simulator.studylink.fr’ and ‘simulator.studylink.fr’ in a single certificate you don’t require two certificates.

Please refer the following document [1]. --> ACM certificate characteristics -->  Multiple Domain Names.

        Step 2: Now that you have created the certificate navigate to API Gateway.

	Step 3: As you have deleted all the API Gateways please create an sample API to 
                            get access to the console.

	Step 4: Navigate to “custom domain names” you can locate it on the left side menu.

Now you will be able to see the cloud front distributions, now either you can choose to delete these distributions or just edit the custom domain names and replace the existing certificate with the newly created certificate, Do this for all the three domain names.
Custom domain name -->Edit-->ACM certificate --> select the newly generated certificate -->Save.

       Step 5: Now you can delete the old certificate.

Links:

[1] https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html

Basically, when we run sls create_domain, we create a domain which can only be seen in the API Gateway. But it’s tricky because even if you have something running, the API Gateway home page doesn’t necessarily show it. For instance there:

It shows me “getting started”. But if I click on the Get started button:

I do have an API running. (it’s only an example API but still)

So, if you haven’t created any API, just create one and use the sample. Then you can access to Custom Domain Names.

And then, you can edit a “Custom Domain” and assign a new certificate:

Then, you can go back to the Certificate Manager and delete the old certificate, which isn’t used anymore. (assuming none of the Custom Domains you have is using it)

I did it for my 3 custom domains and I’m good to go! Finally.

N.B: You must create all your certificates in the default us-east-1 region, you musn’t create them in another region if you want to use them in the API Gateway. I was wrong at first when thinking I should create my certificates in the Paris region.

4 Likes

Thanks - this is great.

I spent a good few hours trying to figure out why my certificate was marked as being used by CloudFront, yet I couldn’t see any distributions!

ps. I did have to wait 10-20 mins for the CloudFront distribution to release the certificate, and finally show as not in use.

2 Likes

I am having the same problem, but here the ressources in question are load balancers. I can’t delete or even find them for the life of it. Neither via CLI, nor the GUI. Any tips?

1 Like

I have the exact same problem. Can’t delete or find the load balancers which are shown as attached to the certificate.

1 Like

Whi is this closed? Seems like it’s not resolved. For the issue is that sls remove only disable the CloudFront distribution, but doesn’t delete it.