Terraform: CertificateNotFound when creating ALB https listener. Certificate was issued in ACM

Created on 6 Mar 2019  ·  6 comments  ·  Source: hashicorp/terraform

Hi,
I applied for an AWS ACM certificate (us-east-1), and it was issued months ago.
But when I create the HTTPS listener of an Application Load Balancer (in ap-southeast-2), it always gives me a Certificate Not Found error. Below is my code snippet:

provider "aws" {
  region = "${var.aws_region}"
}

provider "aws" {
  region = "us-east-1"
  alias  = "us-east-1"
}

data "aws_acm_certificate" "cert_global" {
  provider = "aws.us-east-1"
  domain   = "*.aussielead.com"
  statuses = ["ISSUED"]
}

resource "aws_alb_listener" "alb_listener_https" {
  load_balancer_arn = "${aws_alb.ALB-DEV-SERVER.arn}"
  port              = "${var.alb_listener_port_https}"
  protocol          = "${var.alb_listener_protocol_https}"
  certificate_arn   = "${data.aws_acm_certificate.cert_global.arn}"
  ssl_policy        = "${var.listener_ssl_policy_default}"

  default_action {
    target_group_arn = "${aws_alb_target_group.alb_target_group_https.arn}"
    type             = "forward"
  }
}

Below is the error log:
aws_alb_listener.alb_listener_https: Creating...
arn: "" => ""
certificate_arn: "" => "arn:aws:acm:us-east-1:XXXXXXX:certificate/XXXXXa1726"
default_action.#: "" => "1"
default_action.0.order: "" => ""
default_action.0.target_group_arn: "" => "arn:aws:elasticloadbalancing:ap-southeast-2:XXXXXXX:targetgroup/DEV-HTTPS/XXXXXXX63e"
default_action.0.type: "" => "forward"
load_balancer_arn: "" => "arn:aws:elasticloadbalancing:ap-southeast-2:XXXXXXXX:loadbalancer/app/ALB-DEV-SERVER/XXXXXXb2653c"
port: "" => "443"
protocol: "" => "HTTPS"
ssl_policy: "" => "ELBSecurityPolicy-2016-08"
aws_alb_listener.alb_listener_https: Still creating... (10s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (20s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (30s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (40s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (50s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (1m0s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (1m10s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (1m20s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (1m30s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (1m40s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (1m50s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (2m0s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (2m10s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (2m20s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (2m30s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (2m40s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (2m50s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (3m0s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (3m10s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (3m20s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (3m30s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (3m40s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (3m50s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (4m0s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (4m10s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (4m20s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (4m30s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (4m40s elapsed)
aws_alb_listener.alb_listener_https: Still creating... (4m50s elapsed)

Error: Error applying plan:

1 error(s) occurred:

  • aws_alb_listener.alb_listener_https: 1 error(s) occurred:

  • aws_alb_listener.alb_listener_https: Error creating LB Listener: CertificateNotFound: Certificate 'arn:aws:acm:us-east-1:XXXXXX:certificate/XXXXXXX6a1726' not found
    status code: 400, request id: d35c820b-4005-11e9-af0a-91418214e46c

So from the log, we know that it got the right certificate ARN in us-east-1, but I can't understand why it finally got a not found error.

All 6 comments

Hi,

The issue is because you don't have a certificate in ap-southeast-2; the certificate you have is only in us-east-1. Generate a certificate using ACM in the ap-southeast-2 region and it will work with the ALB.

Hi @wangcarlton,

According to AWS documentation, ACM certificates are 'regional resources', which would mean that in order to use an ACM certificate with an ALB in ap-southeast-2, the certificate would have to be created in that same region. The only exception to this is CloudFront, where a certificate only needs to exist in us-east-1, and it will propagate automatically.

See: https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html

So, just create an ACM cert in ap-southeast-2, remove the second provider from your code (unless you need it for something else), and you should be fine.
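The regional fix described in this comment, written out as an added example that is not part of the original issue: the certificate is requested with the default (ap-southeast-2) provider, DNS-validated, and only then referenced by the listener, so the us-east-1 alias is not needed. It assumes Terraform 0.12+ syntax with AWS provider 3.x or later, a default `aws` provider in ap-southeast-2, a public Route 53 hosted zone for the constructed domain `example.com`, and the `aws_alb` / target group names used in the issue.

```hcl
# Added example; the us-east-1 alias is not used here because the ALB lives
# in ap-southeast-2 and ACM certificates are regional.
resource "aws_acm_certificate" "alb" {
  domain_name       = "*.example.com" # constructed sample domain
  validation_method = "DNS"
}

data "aws_route53_zone" "primary" {
  name         = "example.com." # assumed public hosted zone
  private_zone = false
}

# Publish the CNAME records ACM requires to prove domain control.
resource "aws_route53_record" "alb_validation" {
  for_each = {
    for dvo in aws_acm_certificate.alb.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id = data.aws_route53_zone.primary.zone_id
  name    = each.value.name
  type    = each.value.type
  records = [each.value.record]
  ttl     = 60
}

# Waits until ACM reports ISSUED, so the listener never references a
# PENDING_VALIDATION certificate.
resource "aws_acm_certificate_validation" "alb" {
  certificate_arn         = aws_acm_certificate.alb.arn
  validation_record_fqdns = [for r in aws_route53_record.alb_validation : r.fqdn]
}

resource "aws_alb_listener" "alb_listener_https" {
  load_balancer_arn = aws_alb.ALB-DEV-SERVER.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01" # TLS 1.2 minimum
  certificate_arn   = aws_acm_certificate_validation.alb.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.alb_target_group_https.arn
  }
}
```

A certificate for CloudFront is the one case that still needs the us-east-1 provider alias; everything attached to a regional load balancer follows the pattern above.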

Thank you for replying. apparentlymart introduced this way in
https://github.com/hashicorp/terraform/issues/10957
So this only applies to CloudFront? If that's the answer, I will create a new ACM certificate in the ap-southeast-2 region.
Thank you all

@wangcarlton as I understand from the docs, that only applies to CloudFront indeed. Anyway, hope this fixes it for you. 😄

This issue has been automatically migrated to terraform-providers/terraform-provider-aws#7828 because it looks like an issue with that provider. If you believe this is _not_ an issue with the provider, please reply to terraform-providers/terraform-provider-aws#7828.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
