Aws-cli: aws acm list-certificates not listing imported certificates?

Created on 13 Jul 2018 · 10 Comments · Source: aws/aws-cli

Hey there,

I have 2 certs in ACM, one Amazon-issued and one imported.
Running aws acm list-certificates only returns the Amazon-issued cert, while both are visible in the console.

Thanks!

guidance


All 10 comments

It seems it will not list certs with 4096-bit RSA keys. 2048 lists fine.

Without knowing the CLI version or seeing a --debug log, it's hard to tell why that's happening. I would say try first upgrading to the latest version of the CLI and test. If there is still an issue, please use the --debug option and please post a sanitized debug log so we can look into this issue further. Thanks.

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

@justnance I'm running into the same issue. Here's a sanitized debug log:

2018-08-02 10:09:26,788 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.15.4 Python/2.7.12 Linux/4.15.0-29-generic botocore/1.10.4
2018-08-02 10:09:26,789 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['acm', 'list-certificates', '--debug']
2018-08-02 10:09:26,789 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_scalar_parsers at 0x7fdc7092f758>
2018-08-02 10:09:26,789 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,789 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7fdc714b3668>
2018-08-02 10:09:26,789 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,789 - MainThread - botocore.session - DEBUG - Loading variable credentials_file from defaults.
2018-08-02 10:09:26,789 - MainThread - botocore.session - DEBUG - Loading variable config_file from defaults.
2018-08-02 10:09:26,789 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,789 - MainThread - botocore.session - DEBUG - Loading variable metadata_service_timeout from defaults.
2018-08-02 10:09:26,789 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,789 - MainThread - botocore.session - DEBUG - Loading variable metadata_service_num_attempts from defaults.
2018-08-02 10:09:26,789 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,790 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7fdc70a22b18>
2018-08-02 10:09:26,790 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,790 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,790 - MainThread - botocore.session - DEBUG - Loading variable api_versions from defaults.
2018-08-02 10:09:26,790 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/mark/.local/lib/python2.7/site-packages/botocore/data/acm/2015-12-08/service-2.json
2018-08-02 10:09:26,794 - MainThread - botocore.hooks - DEBUG - Event service-data-loaded.acm: calling handler <function register_retries_for_service at 0x7fdc71def668>
2018-08-02 10:09:26,795 - MainThread - botocore.handlers - DEBUG - Registering retry handlers for service: acm
2018-08-02 10:09:26,796 - MainThread - botocore.hooks - DEBUG - Event building-command-table.acm: calling handler <function add_waiters at 0x7fdc70936aa0>
2018-08-02 10:09:26,798 - MainThread - awscli.clidriver - DEBUG - OrderedDict([(u'certificate-statuses', <awscli.arguments.ListArgument object at 0x7fdc707648d0>), (u'includes', <awscli.arguments.CLIArgument object at 0x7fdc70764910>), (u'next-token', <awscli.arguments.CLIArgument object at 0x7fdc70764950>), (u'max-items', <awscli.arguments.CLIArgument object at 0x7fdc70764990>)])
2018-08-02 10:09:26,799 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.acm.list-certificates: calling handler <function add_streaming_output_arg at 0x7fdc7092fa28>
2018-08-02 10:09:26,799 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.acm.list-certificates: calling handler <function add_cli_input_json at 0x7fdc714be488>
2018-08-02 10:09:26,799 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.acm.list-certificates: calling handler <function unify_paging_params at 0x7fdc709c0140>
2018-08-02 10:09:26,802 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/mark/.local/lib/python2.7/site-packages/botocore/data/acm/2015-12-08/paginators-1.json
2018-08-02 10:09:26,802 - MainThread - awscli.customizations.paginate - DEBUG - Modifying paging parameters for operation: ListCertificates
2018-08-02 10:09:26,802 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.acm.list-certificates: calling handler <function add_generate_skeleton at 0x7fdc709a1050>
2018-08-02 10:09:26,802 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.acm.list-certificates: calling handler <bound method CliInputJSONArgument.override_required_args of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x7fdc707649d0>>
2018-08-02 10:09:26,802 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.acm.list-certificates: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7fdc70764d90>>
2018-08-02 10:09:26,803 - MainThread - botocore.hooks - DEBUG - Event operation-args-parsed.acm.list-certificates: calling handler <functools.partial object at 0x7fdc707a95d0>
2018-08-02 10:09:26,803 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.list-certificates.certificate-statuses: calling handler <function uri_param at 0x7fdc71557aa0>
2018-08-02 10:09:26,803 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.list-certificates.includes: calling handler <function uri_param at 0x7fdc71557aa0>
2018-08-02 10:09:26,803 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.list-certificates.next-token: calling handler <function uri_param at 0x7fdc71557aa0>
2018-08-02 10:09:26,804 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.list-certificates.max-items: calling handler <function uri_param at 0x7fdc71557aa0>
2018-08-02 10:09:26,804 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.list-certificates.cli-input-json: calling handler <function uri_param at 0x7fdc71557aa0>
2018-08-02 10:09:26,804 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.list-certificates.starting-token: calling handler <function uri_param at 0x7fdc71557aa0>
2018-08-02 10:09:26,804 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.list-certificates.page-size: calling handler <function uri_param at 0x7fdc71557aa0>
2018-08-02 10:09:26,804 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.list-certificates.generate-cli-skeleton: calling handler <function uri_param at 0x7fdc71557aa0>
2018-08-02 10:09:26,804 - MainThread - botocore.hooks - DEBUG - Event calling-command.acm.list-certificates: calling handler <bound method CliInputJSONArgument.add_to_call_parameters of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x7fdc707649d0>>
2018-08-02 10:09:26,804 - MainThread - botocore.hooks - DEBUG - Event calling-command.acm.list-certificates: calling handler <bound method GenerateCliSkeletonArgument.generate_json_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7fdc70764d90>>
2018-08-02 10:09:26,804 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,804 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,804 - MainThread - botocore.session - DEBUG - Loading variable region from config file with value 'us-east-1'.
2018-08-02 10:09:26,804 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,804 - MainThread - botocore.session - DEBUG - Loading variable ca_bundle from defaults.
2018-08-02 10:09:26,804 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,804 - MainThread - botocore.session - DEBUG - Loading variable api_versions from defaults.
2018-08-02 10:09:26,804 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2018-08-02 10:09:26,805 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2018-08-02 10:09:26,805 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2018-08-02 10:09:26,805 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2018-08-02 10:09:26,805 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/mark/.local/lib/python2.7/site-packages/botocore/data/endpoints.json
2018-08-02 10:09:26,818 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,818 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7fdc71debde8>
2018-08-02 10:09:26,819 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.acm: calling handler <function add_generate_presigned_url at 0x7fdc71e29500>
2018-08-02 10:09:26,819 - MainThread - botocore.args - DEBUG - The s3 config key is not a dictionary type, ignoring its value of: None
2018-08-02 10:09:26,821 - MainThread - botocore.endpoint - DEBUG - Setting acm timeout as (60, 60)
2018-08-02 10:09:26,822 - MainThread - botocore.client - DEBUG - Registering retry handlers for service: acm
2018-08-02 10:09:26,822 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,822 - MainThread - botocore.session - DEBUG - Loading variable profile from defaults.
2018-08-02 10:09:26,822 - MainThread - botocore.session - DEBUG - Loading variable output from config file with value 'json'.
2018-08-02 10:09:26,823 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.acm.ListCertificates: calling handler <function generate_idempotent_uuid at 0x7fdc71def0c8>
2018-08-02 10:09:26,823 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=ListCertificates) (verify_ssl=True) with params: {'body': '{}', 'url': u'https://acm.us-east-1.amazonaws.com/', 'headers': {'User-Agent': 'aws-cli/1.15.4 Python/2.7.12 Linux/4.15.0-29-generic botocore/1.10.4', 'Content-Type': u'application/x-amz-json-1.1', 'X-Amz-Target': u'CertificateManager.ListCertificates'}, 'context': {'auth_type': None, 'client_region': 'us-east-1', 'has_streaming_input': False, 'client_config': <botocore.config.Config object at 0x7fdc70569890>}, 'query_string': '', 'url_path': '/', 'method': u'POST'}
2018-08-02 10:09:26,823 - MainThread - botocore.hooks - DEBUG - Event request-created.acm.ListCertificates: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7fdc70569850>>
2018-08-02 10:09:26,823 - MainThread - botocore.hooks - DEBUG - Event choose-signer.acm.ListCertificates: calling handler <function set_operation_specific_signer at 0x7fdc71debf50>
2018-08-02 10:09:26,823 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2018-08-02 10:09:26,823 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-amz-json-1.1
host:acm.us-east-1.amazonaws.com
x-amz-date:20180802T160926Z
x-amz-target:CertificateManager.ListCertificates

content-type;host;x-amz-date;x-amz-target
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
2018-08-02 10:09:26,824 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20180802T160926Z
20180802/us-east-1/acm/aws4_request
fb3f88d3601c442d71b0329af84c51f1e3184ef48184ebfac462be932ab5e7d3
2018-08-02 10:09:26,824 - MainThread - botocore.auth - DEBUG - Signature:
332813d5fa6948b5b9dc896310a5a59a508627ad9b54f1d8846c06eed3e0b267
2018-08-02 10:09:26,825 - MainThread - botocore.endpoint - DEBUG - Sending http request: <PreparedRequest [POST]>
2018-08-02 10:09:26,826 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTPS connection (1): acm.us-east-1.amazonaws.com
2018-08-02 10:09:27,165 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "POST / HTTP/1.1" 200 568
2018-08-02 10:09:27,167 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-requestid': '6e041438-966e-11e8-afbb-e564b8953e20', 'date': 'Thu, 02 Aug 2018 16:09:26 GMT', 'content-length': '568', 'content-type': 'application/x-amz-json-1.1'}
2018-08-02 10:09:27,167 - MainThread - botocore.parsers - DEBUG - Response body:
{"CertificateSummaryList":[{"CertificateArn":"arn1:","DomainName":"1"},{"CertificateArn":"arn2","DomainName":"2"},{"CertificateArn":"arn3","DomainName":"3"},{"CertificateArn":"arn4","DomainName":"4"}]}
2018-08-02 10:09:27,169 - MainThread - botocore.hooks - DEBUG - Event needs-retry.acm.ListCertificates: calling handler <botocore.retryhandler.RetryHandler object at 0x7fdc707dc990>
2018-08-02 10:09:27,169 - MainThread - botocore.retryhandler - DEBUG - No retry needed.

Looks like my 5th cert isn't coming down in the response (that's the 4096-bit one). I also tested this with the Java SDK (v1.11.230) and the 5th cert isn't coming down there either.

@msiebert Turns out the cause is that ACM / ALB do not support 4096-bit RSA keys: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

ACM allows you to upload the cert, but they are then not listed in the API or usable with ALBs.

I see. Thanks for the help!

Same here. I would like to use RSA 4096-bit to set up our ALB. This breaks my new implementation.

You'll have to use IAM Server Certificates, not ACM:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html

@msiebert, thanks for providing the debug logs. @bendavies, thank you for your feedback and for pointing out the service limitation. Closing issue.

Generated my key as 2048-bit and uploaded it to ACM; that fixed the problem for me:
openssl req -new -newkey rsa:2048 -x509 -sha256 -days 365 -nodes -out MyCertificate.crt -keyout MyKey.key
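Added example, not from this issue or from aws-cli: a stdlib-only pre-import check that reads the RSA modulus size from a PEM public key (the output of openssl x509 -in cert.pem -pubkey -noout) so a 4096-bit key is flagged before ACM accepts it and then hides it from list-certificates, which is the failure mode reported above. The 2048-bit threshold is taken from this thread (an assumption, not an ACM-documented limit), and the sample keys are constructed moduli of the right size, not real RSA keys.

```python
"""Pre-flight check before `aws acm import-certificate`: read the RSA modulus size
from a public key, so a 4096-bit key is caught before ACM silently hides the cert."""
import base64
import re

ACM_MAX_RSA_BITS = 2048   # largest size this thread confirms ACM lists (assumption)

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Modulus bit length of a DER SubjectPublicKeyInfo or a bare PKCS#1 RSAPublicKey."""
    _, start, _ = _tlv(der, 0)                          # outer SEQUENCE
    tag, s, e = _tlv(der, start)                        # AlgorithmIdentifier or INTEGER n
    if tag == 0x30:                                     # SPKI: BIT STRING wraps RSAPublicKey
        tag, s, e = _tlv(der, e)
        return rsa_modulus_bits(der[s + 1:e])           # skip the unused-bits byte
    if tag != 0x02:
        raise ValueError("not an RSA public key")
    return int.from_bytes(der[s:e], "big").bit_length()

def acm_will_list(pem):
    """Return (listable, bits); False means ACM accepts the import but hides the cert."""
    der = base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))
    bits = rsa_modulus_bits(der)
    return bits <= ACM_MAX_RSA_BITS, bits

# --- constructed sample keys: moduli are sized like RSA keys but are NOT real keys ---
def _der_len(n):
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):                                        # keeps the leading 0x00 when needed
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b

def spki_pem(modulus, exponent=65537):
    """Wrap (n, e) as a PEM SubjectPublicKeyInfo carrying the rsaEncryption OID."""
    key = _der_int(modulus) + _der_int(exponent)
    bit_str = b"\x00" + b"\x30" + _der_len(len(key)) + key
    body = bytes.fromhex("300d06092a864886f70d0101010500") + b"\x03" + _der_len(len(bit_str)) + bit_str
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"
```

Running acm_will_list on the PEM of a real cert's public key returns (False, 4096) for the key size the thread describes and (True, 2048) for the size that listed correctly.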
