Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

CDK Certificate Manager fromCertificateArn "The provided certificate does not exist"

See original GitHub issue

I’m submitting a …
- 🪲 bug report
- 🚀 feature request
- 📚 construct library gap
- ☎️ security issue or vulnerability => Please see policy
- ❓ support request => Please see note at the top of this template.
What is the current behavior? I use typescript CDK to create an API gateway LambdaRestApi with a certificate in the domainName. I get the certificate using certmanager.Certificate.fromCertificateArn passing the entire arn, like arn:aws:acm:REGION:ACC_ID:certificate/CERT_ID, but when deploying the stack, I get error: The provided certificate does not exist
What is the expected behavior (or behavior of feature suggested)? To get the certificate using the ARN and inject that to the APIGW provider.
Please tell us about your environment:
- CDK CLI Version: 1.3.0 (build bba9914)
- Module Version: @aws-cdk/aws-certificatemanager 1.3.0
- OS: [ OSX Mojave 10.14.6 ]
- Language: [ TypeScript ]
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

Here’s a code sample:

var certArn = 'arn:aws:acm:REGION:ACCOUNT:certificate/ID'
const cert = certmanager.Certificate.fromCertificateArn(this, 'SomeCertName', certArn);

// Set up the API and its resources
const apiGW = new apigw.LambdaRestApi(this, 'RestAPIName',
    {
    handler: getTenantsLambdaFn,
    domainName: {
        domainName: 'SOMEDOMAINNAME',
        certificate: cert,
    },
    deployOptions: {
        loggingLevel: apigw.MethodLoggingLevel.INFO,
        dataTraceEnabled: true
    },
    proxy: false
});

Issue Analytics

State:
Created 4 years ago
Reactions:2
Comments:6 (2 by maintainers)

Top GitHub Comments

3reactions

peterreevescommented, Oct 14, 2020

Hi @nija-at , I seem to be having the same issue.

I’m using the LambdaRestApi construct, and I want to add a domain to it. The certificate already exists (It’s a wildcard cert, I’ve been using it on other projects for while now, so it’s definitely valid).

const CERTIFICATE_ARN: string = "arn:aws:acm:ap-southeast-2:XXX";
const VENDOR_DOMAIN: string = "vendor.test.XXX";

export class DeployStack extends cdk.Stack {
    constructor(...) {
        ...

        const cert = certificatemanager.Certificate.fromCertificateArn(this, "certificate", CERTIFICATE_ARN);

        const api = new apigateway.LambdaRestApi(this, "api", {
            handler: backend,
            binaryMediaTypes: ["*/*"],
        });
        api.addDomainName("vendor_domain", {
            domainName: VENDOR_DOMAIN,
            certificate: cert,
        });
    }
}

However, when I try to do cdk deploy, I get a long error message saying that the certificate does not exist:

3/20 | 5:11:44 PM | CREATE_FAILED        | AWS::ApiGateway::DomainName      | vendor_api/api_domain (vendorapiapidomain3C9A5F4E)
Invalid request provided: The provided certificate does not exist. (Service: ApiGateway, Status Code: 400, Request ID: XXX, Extended Request ID: null)
        new DomainName (...\node_modules\@aws-cdk\aws-apigateway\lib\domain-name.ts:111:22)

I’m using cdk version 1.67.0

Just to be clear, the domain I’m adding will be a brand new subdomain. I don’t need to do any additional setup anywhere else do I? My understanding is that the addDomainName call will set all that stuff up for me (i.e. messing with Route53 and such), is that correct?

Here is the relevant output from cdk synth.

vendorapiCustomDomainB787F7E3:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: vendor.test.XXX
      EndpointConfiguration:
        Types:
          - REGIONAL
      RegionalCertificateArn: arn:aws:acm:ap-southeast-2:XXX
    Metadata:
      aws:cdk:path: DeployStack/vendor_api/CustomDomain/Resource

Let me know if you need any more information.

1reaction

nija-atcommented, Nov 21, 2019

It looks like we’ve fixed this issue. Closing now; re-open if your issue was not addressed.

Top Results From Across the Web

aws-cdk/aws-certificatemanager module - AWS Documentation

AWS Certificate Manager can create private certificates issued by Private Certificate Authority (PCA). Validation of private certificates is not necessary.

How to import custom cerficate using AWS CDK - Stack Overflow

Currently, you can achieve that by import the certificate to ACM, And later import the certificate using the certificate ARN.

@aws-cdk/aws-certificatemanager - npm

ACM wildcard certificates can protect an unlimited number of subdomains. This package provides Constructs for provisioning and referencing ACM ...

awscertificatemanager - Go Packages

AWS Certificate Manager (ACM) handles the complexity of creating, storing, ... Returns true if the construct was created by CDK, and false otherwise....

@aws-cdk/aws-certificatemanager | Yarn - Package Manager

ACM certificates can secure singular domain names, multiple specific domain names, wildcard domains, or combinations of these. ACM wildcard certificates can ...