AWS

CloudFrontInvalidViewerCertificate - CloudFront Invalid Viewer Certificate

Getting a **CloudFrontInvalidViewerCertificate** error means the SSL/TLS certificate you specified for CloudFront is invalid or not properly configured: CloudFront requires the certificate to be in the us-east-1 region, valid and unexpired, and issued by ACM. This is a client-side (4xx) error raised when AWS validates the CloudFront certificate configuration. It most often occurs when the certificate is not in us-east-1, but it also appears when the certificate is expired or invalid, the certificate ARN is incorrect, the certificate was not issued by ACM, or the certificate's domain names do not match the distribution.

Common Causes

  • Identity: the IAM policy allows the CloudFront action, but the certificate itself is invalid; a Service Control Policy (SCP) enforces certificate validation.
  • Network: VPC endpoint restrictions on CloudFront certificates; certificate not in the us-east-1 region.
  • Limits: certificate not in the us-east-1 region (a CloudFront requirement); certificate expired or invalid; certificate ARN incorrect; certificate not issued by ACM; certificate domain name does not match the distribution.

Solutions

  1. Step 1: Diagnose - Check the certificate region. Verify the certificate is in us-east-1: aws acm list-certificates --region us-east-1 --query 'CertificateSummaryList[*].[CertificateArn,DomainName,Status]' --output table. CloudFront requires certificates in us-east-1.
  2. Step 2: Diagnose - Verify certificate validity. Check the certificate status: aws acm describe-certificate --certificate-arn ARN --region us-east-1 --query 'Certificate.[DomainName,Status,NotAfter]' --output table. Verify the status is 'ISSUED' and the NotAfter date has not passed.
  3. Step 3: Diagnose - Verify the certificate ARN format. The ARN must look like arn:aws:acm:us-east-1:ACCOUNT:certificate/CERT_ID. Verify the certificate exists: aws acm describe-certificate --certificate-arn ARN --region us-east-1.
  4. Step 4: Fix - Request a certificate in us-east-1: aws acm request-certificate --domain-name DOMAIN --validation-method DNS --region us-east-1. Complete DNS validation and wait for the status to become 'ISSUED'.
  5. Step 5: Fix - Update the CloudFront distribution. Get the distribution config: aws cloudfront get-distribution-config --id DIST_ID > dist-config.json. Edit the DistributionConfig object (not the wrapper that also carries the ETag) to set ViewerCertificate to the certificate ARN. Update the distribution: aws cloudfront update-distribution --id DIST_ID --distribution-config file://dist-config.json --if-match ETAG, where ETAG is the ETag value returned by get-distribution-config.
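The diagnostic checks in steps 1 to 3 and the ViewerCertificate change in step 5 can be run offline against the JSON that describe-certificate and get-distribution-config return, before touching the distribution. The following is an added example, not code from the page or from AWS; it assumes the certificate dict has the ACM fields CertificateArn, DomainName, SubjectAlternativeNames, Status and NotAfter, and the sample data is constructed.

```python
from datetime import datetime, timezone
CLOUDFRONT_CERT_REGION = "us-east-1"

def arn_region(cert_arn):
    """Region field of an ACM certificate ARN, or None if the ARN is malformed."""
    p = cert_arn.split(":")
    ok = len(p) == 6 and p[0] == "arn" and p[2] == "acm" and p[5].startswith("certificate/")
    return p[3] if ok else None

def name_matches(cert_name, alias):
    """Exact match, or single-label wildcard: '*.example.com' covers 'www.example.com' but not 'example.com'."""
    if cert_name.startswith("*."):
        return "." in alias and alias.split(".", 1)[1] == cert_name[2:]
    return cert_name == alias

def viewer_cert_findings(cert, aliases, now):
    """Reasons an ACM 'Certificate' dict would be rejected as the viewer certificate for the distribution aliases."""
    findings = []
    region = arn_region(cert["CertificateArn"])
    if region is None:
        findings.append("certificate ARN is malformed")
    elif region != CLOUDFRONT_CERT_REGION:
        findings.append(f"certificate is in {region}; CloudFront requires {CLOUDFRONT_CERT_REGION}")
    if cert.get("Status") != "ISSUED":
        findings.append(f"certificate status is {cert.get('Status')}; must be ISSUED")
    if "NotAfter" in cert and cert["NotAfter"] <= now:
        findings.append("certificate has expired")
    names = [cert["DomainName"]] + cert.get("SubjectAlternativeNames", [])
    for alias in aliases:
        if not any(name_matches(n, alias) for n in names):
            findings.append(f"alias {alias} is not covered by the certificate")
    return findings

def with_acm_viewer_certificate(dist_config, cert_arn):
    """Copy of a DistributionConfig whose ViewerCertificate uses the ACM certificate (SNI, TLS 1.2 minimum)."""
    cfg = dict(dist_config)
    cfg["ViewerCertificate"] = {"ACMCertificateArn": cert_arn, "SSLSupportMethod": "sni-only",
                                "MinimumProtocolVersion": "TLSv1.2_2021", "CloudFrontDefaultCertificate": False}
    return cfg

# Constructed sample data standing in for describe-certificate output; not real AWS resources.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
    "DomainName": "example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com"],
    "Status": "ISSUED",
    "NotAfter": datetime(2026, 1, 1, tzinfo=timezone.utc),
}
SAMPLE_ALIASES = ["example.com", "www.example.com"]  # the distribution's Aliases.Items
```

An empty findings list means the certificate passes the region, status, expiry and domain checks; with_acm_viewer_certificate then produces the DistributionConfig to pass to update-distribution.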

Code Examples

List ACM Certificates in us-east-1 Region

#!/bin/bash
REGION="us-east-1"

echo "=== ACM Certificates in ${REGION} ==="
echo "CloudFront requires certificates in us-east-1"

# All certificates in the region, whatever their status
aws acm list-certificates --region "${REGION}" \
  --query 'CertificateSummaryList[*].[CertificateArn,DomainName,Status]' \
  --output table

# Only certificates CloudFront can actually use (status ISSUED)
printf '\n=== Valid Certificates (Status: ISSUED) ===\n'
aws acm list-certificates --region "${REGION}" \
  --query "CertificateSummaryList[?Status=='ISSUED'].[CertificateArn,DomainName]" \
  --output table
Verify Certificate Validity and Region

#!/bin/bash
CERT_ARN="arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
REGION="us-east-1"

echo "=== Verifying Certificate ==="
echo "Certificate ARN: ${CERT_ARN}"

# The region is the fourth colon-separated field of the ARN
ARN_REGION=$(echo "${CERT_ARN}" | cut -d: -f4)
if [ "${ARN_REGION}" != "us-east-1" ]; then
  echo "✗ Certificate is not in us-east-1 (CloudFrontInvalidViewerCertificate)"
  echo "Current region: ${ARN_REGION}"
  echo "CloudFront requires certificates in us-east-1"
  exit 1
else
  echo "✓ Certificate is in us-east-1"
fi

# Get certificate details; stderr is captured so a failure message can be shown
printf '\n=== Certificate Details ===\n'
if CERT_INFO=$(aws acm describe-certificate \
  --certificate-arn "${CERT_ARN}" \
  --region "${REGION}" \
  --query 'Certificate.[DomainName,Status,NotAfter]' \
  --output table 2>&1); then
  echo "${CERT_INFO}"

  # Status alone, as plain text, for the comparison below
  STATUS=$(aws acm describe-certificate \
    --certificate-arn "${CERT_ARN}" \
    --region "${REGION}" \
    --query 'Certificate.Status' \
    --output text)

  if [ "${STATUS}" != "ISSUED" ]; then
    printf '\n✗ Certificate status: %s (must be ISSUED)\n' "${STATUS}"
    echo "Certificate not ready for CloudFront (CloudFrontInvalidViewerCertificate)"
  else
    printf '\n✓ Certificate status: ISSUED\n'
  fi
else
  echo "✗ Certificate not found or error: ${CERT_INFO}"
fi
Request Certificate in us-east-1 for CloudFront

#!/bin/bash
DOMAIN="example.com"
REGION="us-east-1"

echo "=== Requesting Certificate for CloudFront ==="
echo "Domain: ${DOMAIN}"
echo "Region: ${REGION} (required for CloudFront)"

# Request a DNS-validated certificate in us-east-1; CERT_ARN holds the ARN on success or the error text on failure
if CERT_ARN=$(aws acm request-certificate \
  --domain-name "${DOMAIN}" \
  --validation-method DNS \
  --region "${REGION}" \
  --query 'CertificateArn' \
  --output text 2>&1) && [ -n "${CERT_ARN}" ]; then
  printf '\n✓ Certificate requested: %s\n' "${CERT_ARN}"
  printf '\n=== Next Steps ===\n'
  echo "1. Validate certificate (DNS or email)"
  echo "2. Wait for status to become 'ISSUED'"
  echo "3. Use certificate ARN in CloudFront distribution"
  printf '\nCheck status:\n'
  echo "aws acm describe-certificate --certificate-arn ${CERT_ARN} --region ${REGION}"
else
  printf '\n✗ Failed to request certificate\n'
  echo "Error: ${CERT_ARN}"
fi

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.
