4

I'm trying to import some SSL certificates in PEM format into AWS ACM via the AWS CLI. The certificates come from an nginx installation; when trying to import them with the following command:

aws acm import-certificate --certificate ssl.website.com.crt --private-key ssl.website.com.key --region us-east-2 --profile default 

I get this error:

An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field. 

I'm no expert with openssl, but AFAICS there's only one certificate in the PEM file; there's only one BEGIN/END CERTIFICATE section. I found this command on this stackoverflow post to print the certificates in a PEM file, and I only see one certificate in its output:

openssl crl2pkcs7 -nocrl -certfile ssl.website.com.crt | openssl pkcs7 -print_certs -noout

subject=OU = Domain Control Validated, CN = website.com
issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

So why is ACM rejecting this certificate? Or am I (very probably) doing my checks in the wrong way, and is there indeed a second certificate inside that PEM file?

1
  • I think the certificates are OK, as I could import them into ACM through the AWS console using the same files I'm using in the AWS CLI; sounds like a bug? Commented Jan 7, 2020 at 16:48

5 Answers

2

Solved it: you must prefix the value of all parameters with 'file://', like this:

aws acm import-certificate --certificate file://ssl.website.com.crt --private-key file://ssl.website.com.key --certificate-chain file://ssl.website.com.ca --region us-east-2 --profile default 

I was following this documentation which does not mention this.

1
  • That's untrue. The documentation specifically says that the files must be prefixed by fileb://, not file:// Commented Nov 25, 2021 at 9:55
1

The documentation says that. Maybe you missed it.

When you import a certificate by using the CLI, you must specify the certificate, the certificate chain, and the private key by their file names preceded by fileb://. For example, you can specify a certificate saved in the C:\temp folder as fileb://C:\temp\certificate_to_import.pem. If you are making an HTTP or HTTPS Query request, include these arguments as BLOBs.

Screenshot showing the documentation about the certificate path

1
  • I think you have a typo in the filepath, as usually file:// will be used ;) Commented Jul 20, 2021 at 14:14
0

In my case the certificate file contained multiple -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- sections; I needed to use the first one, and the following ones were the certificate chain.

2
  • Please provide additional details in your answer. As it's currently written, it's hard to understand your solution. Commented Sep 2, 2021 at 5:40
  • This is an obvious solution (because this is exactly what the error message says), but unfortunately in some cases, people have the error message with a perfectly valid certificate file. When you have multiple blocks, your file is not a certificate, but a bundle (and thus incorrect) Commented Nov 25, 2021 at 9:57
0

I had the same issue, and finally got the solution.

This is a bug in AWS CLI because the certificate is valid. However, in my case, the cert file had an extra space at the end of each line (I don't know why our certificate authority - Sectigo in that case - generated such weird certificates, by the way). Removing these extra spaces fixed the issue.

This is as easy as:

$ perl -i -pe 's/ $//gm' certificate_file.crt 
0

I had this error in the AWS console, the problem was an extra space at the end of the first line (after -----BEGIN CERTIFICATE-----)
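Putting the answers above together (one certificate block per field, trailing whitespace stripped, fileb:// prefixes), here is an added pre-flight check script that is not from any of the posts; the file names and the constructed PEM content are placeholders.

```shell
#!/bin/sh
# Added example (not from any answer above): pre-flight checks on a PEM file
# before `aws acm import-certificate`. File names are placeholders.

# Number of certificate blocks. --certificate takes exactly one; any further
# blocks are the chain and belong in --certificate-chain.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Copy $1 to $2 with trailing spaces, tabs and CRs removed; trailing
# whitespace in an otherwise valid PEM is enough to make ACM reject it.
strip_trailing_ws() {
  sed 's/[[:space:]]*$//' "$1" > "$2"
}

# Split $1 into the leaf certificate ($2, first block) and the chain ($3,
# remaining blocks). Text outside any BEGIN/END block is dropped.
split_leaf_and_chain() {
  : > "$3"
  awk -v leaf="$2" -v chain="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf }
    n >= 2 { print > chain }
  ' "$1"
}

# Clean and split $1 into $3/, then print the CLI call with the fileb://
# prefix the ACM docs require ($2 = private key). Fails if no block is found.
prepare_acm_import() {
  pem="$1"; key="$2"; dir="$3"
  mkdir -p "$dir"
  strip_trailing_ws "$pem" "$dir/clean.pem"
  [ "$(count_certs "$dir/clean.pem")" -ge 1 ] || return 1
  split_leaf_and_chain "$dir/clean.pem" "$dir/leaf.crt" "$dir/chain.crt"
  printf 'aws acm import-certificate --certificate fileb://%s --private-key fileb://%s' \
    "$dir/leaf.crt" "$key"
  [ -s "$dir/chain.crt" ] && printf ' --certificate-chain fileb://%s' "$dir/chain.crt"
  printf '\n'
}

# Usage: prepare_acm_import ssl.website.com.crt ssl.website.com.key ./acm-import
```

The printed command is only a suggestion to review; run it yourself with the region and profile you need.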
