I tried to delete my ACM certificate but received an error that it's in use with other AWS resources


I want to delete an AWS Certificate Manager (ACM) certificate. However, I receive an error similar to "The certificate is in use (associated with other AWS resources) and cannot be deleted. Disassociate the certificate from each resource in the list and try again."

Short description

When you create an edge-optimized custom domain name for an API, Amazon API Gateway creates an Amazon CloudFront distribution. When you create a Regional custom domain name, API Gateway creates an Application Load Balancer. The CloudFront distribution or Application Load Balancer is owned by the API Gateway service account, not by your account, so it doesn't appear in your CloudFront or Elastic Load Balancing console. The ACM certificate that you provide for the custom domain name is associated with that CloudFront distribution or Application Load Balancer, and ACM reports the certificate as in use for as long as the association exists.

Similarly, adding a custom domain to your Amazon Cognito user pool creates a CloudFront distribution. The CloudFront distribution is owned by the Amazon Cognito service, not by your account. The ACM certificate that's provided when you create the custom domain is associated with the CloudFront distribution.

Defining a custom endpoint for your domain in Amazon OpenSearch Service creates an Application Load Balancer. The Application Load Balancer is owned by the OpenSearch Service, not by your account. The ACM certificate that's provided when you create the custom endpoint is associated with the Application Load Balancer.

Note: To see which resources the ACM certificate is associated with, run the describe-certificate command with the AWS Command Line Interface (AWS CLI) and look at the InUseBy field of the output. Each entry is an ARN, and the account ID inside the ARN is the owning account. For the resources that this article describes, that ID belongs to the AWS service, not to your account.

Resolution

Remove the association between the ACM certificate and the CloudFront distribution or Application Load Balancer. Because the service, not your account, owns that resource, you can't detach the certificate from it directly. Instead, replace the ACM certificate that's associated with the custom domain, or delete the custom domain.

Important:

To remove the association of the ACM certificate, do one of the following:

- Update the API Gateway custom domain name, the Amazon Cognito user pool custom domain, or the OpenSearch Service custom endpoint to use a different ACM certificate.
- Delete the API Gateway custom domain name, the Amazon Cognito user pool custom domain, or the OpenSearch Service custom endpoint.

Then, delete the ACM certificate. If the InUseBy list still shows the service-owned resource after you make the change, wait and retry the deletion, because ACM can take time to reflect the removed association.
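As an added example that is not part of the AWS article, the following POSIX shell script performs the check from the note in the short description and prints the command for the replacement step of the resolution. It assumes AWS CLI v2 with credentials that allow acm:DescribeCertificate and sts:GetCallerIdentity; the domain names, user pool ID and certificate ARNs in it are placeholders, and the ARN-parsing and command-building functions run offline against constructed input, so you can see the triage output before pointing the script at a real certificate.

```shell
#!/bin/sh
# Added example, not from the AWS article. Triage an ACM certificate that
# refuses to delete: list what ACM reports in InUseBy, flag entries whose
# account ID is not yours (service-owned CloudFront distributions or ALBs
# created by API Gateway, Cognito or OpenSearch Service), and print the
# CLI call that re-points the custom domain at a different certificate.
# Assumptions: AWS CLI v2 on PATH; DOMAIN/POOL/certificate values below
# are placeholders you must replace.

# ARN layout: arn:partition:service:region:account:resource
arn_field()  { printf '%s' "$1" | cut -d: -f"$2"; }
service_of() { arn_field "$1" 3; }
region_of()  { arn_field "$1" 4; }
account_of() { arn_field "$1" 5; }

# classify_arn ARN MY_ACCOUNT -> "<service> self" or "<service> service"
# "service" means another account (an AWS service) owns the resource, so you
# cannot detach the certificate there; change the custom domain instead.
classify_arn() {
    if [ "$(account_of "$1")" = "$2" ]; then
        printf '%s self\n' "$(service_of "$1")"
    else
        printf '%s service\n' "$(service_of "$1")"
    fi
}

# classify_list MY_ACCOUNT: ARNs on stdin, one per line; tab-separated report.
classify_list() {
    while IFS= read -r held; do
        [ -n "$held" ] || continue
        printf '%s\t%s\n' "$(classify_arn "$held" "$1")" "$held"
    done
}

# in_use_by CERT_ARN: the InUseBy ARNs ACM reports, one per line.
# The certificate's own region is taken from its ARN (us-east-1 for CloudFront).
in_use_by() {
    aws acm describe-certificate --certificate-arn "$1" \
        --region "$(region_of "$1")" \
        --query 'Certificate.InUseBy' --output text \
        | tr '\t' '\n' | { grep -v '^None$' || true; }
}

# triage CERT_ARN: live check against your account (requires credentials).
triage() {
    in_use_by "$1" | classify_list "$(aws sts get-caller-identity --query Account --output text)"
}

# replace_cert_command KIND NAME NEW_CERT_ARN [EXTRA]
# Prints, but does not run, the call that swaps the certificate on a custom
# domain. KIND: apigw-edge | apigw-regional | cognito (EXTRA = user pool ID)
# | opensearch (EXTRA = custom endpoint hostname).
replace_cert_command() {
    case "$1" in
        apigw-edge)
            printf 'aws apigateway update-domain-name --domain-name %s --patch-operations op=replace,path=/certificateArn,value=%s\n' "$2" "$3" ;;
        apigw-regional)
            printf 'aws apigateway update-domain-name --domain-name %s --patch-operations op=replace,path=/regionalCertificateArn,value=%s\n' "$2" "$3" ;;
        cognito)
            printf 'aws cognito-idp update-user-pool-domain --domain %s --user-pool-id %s --custom-domain-config CertificateArn=%s\n' "$2" "$4" "$3" ;;
        opensearch)
            printf 'aws opensearch update-domain-config --domain-name %s --domain-endpoint-options CustomEndpointEnabled=true,CustomEndpoint=%s,CustomEndpointCertificateArn=%s\n' "$2" "$4" "$3" ;;
        *)
            echo "unknown kind: $1 (use apigw-edge, apigw-regional, cognito, opensearch)" >&2
            return 1 ;;
    esac
}

# Offline demo on constructed ARNs (placeholder account IDs, not real ones).
demo() {
    printf '%s\n' \
        'arn:aws:cloudfront::111111111111:distribution/EXAMPLEDIST' \
        'arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/prod-iad-1-cdtls-1-2-104/0123456789abcdef' \
        'arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/my-own-alb/fedcba9876543210' \
        | classify_list 222222222222
}

# Usage: sh acm-triage.sh arn:aws:acm:us-east-1:222222222222:certificate/ID
if [ -n "${1-}" ]; then
    triage "$1"
else
    demo
    echo
    echo 'Example replacement call for an edge-optimized API Gateway domain:'
    replace_cert_command apigw-edge api.example.com arn:aws:acm:us-east-1:222222222222:certificate/NEW
fi
```

Rows marked "service" are the ones this article is about: the ARN belongs to the service's account, so the only way to clear them is to update or delete the custom domain, then delete the certificate once ACM stops listing them. Rows marked "self" are resources in your own account that you can detach normally.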


Related information

API Gateway problems

AWS OFFICIAL, updated a year ago

5 Comments

My SAM stack delete has just failed because a Certificate cannot be deleted because it has an "associated resource" pointing to the CloudFront distribution that I created in the same stack. The CloudFront distribution has been marked as successfully deleted. It's already been 2 days and the Certificate still thinks there is an associated resource. Any ideas what to do in this scenario?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

I'm facing the same issue. It's been 1 day already since I deleted the associated API Gateway custom domain. The certificate still seems to be associated with some resources that do not exist in my account. This is what I see:

Associated resources (3)

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-104/87ea7bd28e18ef45

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-793/dd9eb9379f71a0ba

arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-862/56fc8591797a2875

The account ID shown is not mine.

Kevin
replied 24 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 24 days ago

I got the same problem. I created a temp certificate for testing purposes. After I deleted the domain CNAME record and all other resources, the cert still thinks it is associated with a CloudFront distribution, arn:aws:cloudfront::474240146802:distribution/E1UDZSUB323PD4. Facing the same problem as Kevin: this is not my account ID.

pfandie
replied 22 days ago