Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Docs should warn about ACM yearly certificate limit

See original GitHub issue

I do have fully automated pipelines that provision app stack including all required resources. The stack fails to deploy after a few destroy/deploy iterations:

Error: you have reached your limit of 20 certificates in the last year.

The failure is caused by

import * as acm from '@aws-cdk/aws-certificatemanager'

const cert = new acm.DnsValidatedCertificate(this, 'Cert', { domainName, hostedZone })

The error appears despite a fact that I don’t have any certificates on my account. It seems that AWS CDK consumes Certificate Request limit which is not decreased when stack is released. You can only resolve this by requesting increase of the limit via support centre. However, the hard quota limit is 1000 per account.

This implies that automation of certificates provision is not really an option for teams who does few deployments per days.

It would be extremely helpful to

  • mention in the documentation of the package about limits
  • advices how to overcome such limitations
  • best practice of automated certificate provision


  • CLI Version : 1.21.1
  • Framework Version:
  • OS : MacOS
  • Language : TypeScript

This is 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:23
  • Comments:35 (7 by maintainers)

github_iconTop GitHub Comments

AlexandreDeRiemaeckercommented, Mar 16, 2020

I have the same issue as described by @fogfish . Using DnsValidatedCertificate and happily destroying and rebuilding environments in our DEV account - which is new and hasn’t been used for anything else yet.

So yeah, after 20 times of deleting and creating new certificates, I bumped into the same error. My service quota is set to the default value - 2000.

The issue on AWS’s side here - either an undocumented, invisible limit or the service-quota isn’t respected I filed a support request. Unfortunately, the DEV account is on basic support plan. it might never be addressed.

I’m not keen on reproducing this on a PROD account with a premium support plan just for the sake of filing in a request with some support SLA.

It’s sad because the POC for our CI/CD strategy with CDK worked well so far - we effortlessly spin up a new dedicated environment when PRs are opened and destroy them again when PR is merged.

AlexandreDeRiemaeckercommented, Mar 18, 2020

Thanks, nice article @fogfish .

In the meantime, AWS support fixed my issue by setting the quota to 2000 (which actually should be the default). The assumption that the default quota of 2000 is not used was true.

Under the lines, I got the following response: “[…] However please be noted that new AWS accounts may start with a quota lower than the default value[…]”.

I gave the feedback that I’m not necessarily against newer account having further limitations, but then it should be visibile in the service quota console, at least. Also, it would be even better if the restriction is lifted when the account joins an older AWS organization (it’s been a decade!).

Thanks for the nice article @fogfish . We’ll probably use a wildcard certificate once we come near the limit of 2000. Because our AWS accounts are per team and environment, I’d say that staying under 2000 cert requests per year is doable. We build up a temporary environment when PRs are opened, and destroy it when it’s merged. I guess It would take a lot to reach 2000 PRs in a year.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Quotas - AWS Certificate Manager
General quotas ; Number of ACM certificates per year (last 365 days). You can request up to twice your quota of ACM certificates...
Read more >
Quotas - Amazon Certificate Manager - 亚马逊云科技
You can request up to twice your quota of ACM certificates per year, region, and account. For example, if your quota is 2,500,...
Read more >
FAQs | NSF Cash Management
Remember the ACM$ database is only permanently updated upon certification and submission of a payment transaction to NSF. Please also note that banking...
Read more >
Will You Trust This TLS Certificate?: Perceptions of People ...
Additional Key Words and Phrases: Warning design, documentation, TLS certificate, usable security. ACM Reference format: Martin Ukrop, Lydia Kraus, ...
Read more >
Terms, Conditions, Certification Agreement & Rules - ACM Cert
ACM shall abide by these requirements as specified in ISO 17021 and other related documents and standards. The scope of accreditation can be...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found