You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 9, 2022. It is now read-only.
I'm trying to make a Custom Domain Name, using a certificate I just uploaded to IAM, but CloudFormation gives an error when trying to create it.
Failed to create resource. BadRequestException: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedCertificate; Request ID: 2feb2631-4cda-11e6-b7d4-4141c6ad91c4). See the details in CloudWatch Log Stream: 2016/07/18/[$LATEST]b115a9ff77954bba9d8b3f64cc6af1f6
I think there is some problem with the decoding/ re-encoding of the certificate chain, because it comes out looking deformed in the log messages from the lambda:
2016-07-18T11:24:27.301Z 2f501ec2-4cda-11e6-8a70-7f05c0d1cebb Error ApiDomainNameService::createDomainName { error: { [BadRequestException: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedCertificate; Request ID: 2feb2631-4cda-11e6-b7d4-4141c6ad91c4)] message: 'Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedCertificate; Request ID: 2feb2631-4cda-11e6-b7d4-4141c6ad91c4)', code: 'BadRequestException', time: Mon Jul 18 2016 11:24:27 GMT+0000 (UTC), requestId: '2fadceac-4cda-11e6-b3b8-8d2831983c32', statusCode: 400, retryable: false, retryDelay: 30.29568309430033 }, params: { certificateBody: '-----BEGIN CERTIFICATE-----\nMIIEuTCCA6GgAwIBAgIDBdeTMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT\nMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy\nNTYgQ0EgLSBHMzAeFw0xNTA3MjExOTIyMDBaFw0xNzA3MjIyMTUzMTBaMIGWMRMw\nEQYDVQQLEwpHVDk0NzM3MDU4MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv\nbS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW\nYWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEbMBkGA1UEAwwSKi5ib3VnaHRieW1hbnku\nY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0KaZSOt5K68kxlBV\ny1rGIDquSzthfhfchXIYd46mOkkwLUpQfY9DmCxrCgN4HxsA+1fRuXyfzk8yMt/M\nVTZxU3RPlsuZGJFKOcixg/UJGly4vIUFO3ZGOlAYt4PEMKX51mY8oIYNVt1lM7SZ\nNJOLzR4fiE7yGPIP01tdnINeambG3cGZ9MNl8EDhSOfYrb4tOkk6cfgvtukj1Ulg\n6/UZW9bhsLJtR3lHW7uSFptyA2elWiFm++QFEvykSXcrMCpdr3vnajYnJP6STSRi\nOW7NHI7gLy65sXUKq5/XFtAbt/MG9Wx6PbV2XalVq+D3Fzs7Mfia8jEmDgp7bNJh\n6zpxiQIDAQABo4IBXDCCAVgwHwYDVR0jBBgwFoAUw5zz/NNGCDS7zkZ/oHxb8+II\ny1kwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vZ3Yuc3ltY2Qu\nY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNydDAOBgNV\nHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMC8GA1Ud\nEQQoMCaCEiouYm91Z2h0YnltYW55LmNvbYIQYm91Z2h0YnltYW55LmNvbTArBgNV\nHR8EJDAiMCCgHqAchhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNybDAMBgNVHRMB\nAf8EAjAAMEEGA1UdIAQ6MDgwNgYGZ4EMAQIBMCwwKgYIKwYBBQUHAgEWHmh0dHBz\nOi8vd3d3LnJhcGlkc3NsLmNvbS9sZWdhbDANBgkqhkiG9w0BAQsFAAOCAQEAqILS\nQtHPxPy+mNj6IxFR9jdzCm02accWttq6JfbIEu/7HajpYSpxkMKYm7WQqqy/xGhP\nWNS9qhfbGu7VIn+E5QNi1GQpKcBp/LsC2c5u9y+DmaHtAr605ffo1/PaRHVl5he/\n7R1Zwto8p5t51TMN4fDWIpPdia+wJi+2sbDId1JWROwE0b6yTPie6egWHXqc6VOg\n2CQxpM9C2hmWudVz2VI/xJ6K9Zj6lJmxqm8tHuL6qi9IuZr3IHRo0fY1Q81DrPhU\nOBLi6672ePN/sj7tP358IKO4a9Fxuqu3N7M258BnB9RCgvgN5RaFYV6VtcRskplO\nf45inEEGdgzuc4najw==\n-----END CERTIFICATE-----', certificateChain: '-----BEGIN CERTIFICATE-----\nMIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT\nMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i\nYWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG\nEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg\nU0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv\nVJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp\nSowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS\n1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ\nDAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM\nQriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp\nYEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7\nqwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD\nVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig\nJoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF\nBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF\nMEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry\ndXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs\nrC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp\nfO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B\nkvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH\nuLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O\nZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh\ngP8L8mJMcCaY\n\n-----BEGIN\nCERTIFICATE-----\nMIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT\nMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i\nYWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG\nEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg\nR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9\n9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq\nfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv\niS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU\n1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+\nbw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW\nMPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA\nephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l\nuMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn\nZ57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS\ntQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF\nPseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un\nhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV\n5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==\n-----END\nCERTIFICATE-----\n-----END CERTIFICATE-----', certificateName: 'dev-api2.boughtbymany.com', certificatePrivateKey: '***masked***', domainName: 'dev-api2.boughtbymany.com' } }
There seem to be some extra newlines in the second certificate in the certificate chain and/or the first certificate in the chain seems to have ended up inside the second one.
The first '-----BEGIN CERTIFICATE-----has no newlines in it, but the second does-----BEGIN\nCERTIFICATE-----`
The 2 end certificates are next to each other at the end -----END\nCERTIFICATE-----\n-----END CERTIFICATE-----
I've localised the issue to util/certificate-parser. It only replaces the first instances of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, instead of all of them
Hi,
I'm trying to make a Custom Domain Name, using a certificate I just uploaded to IAM, but CloudFormation gives an error when trying to create it.
I think there is some problem with the decoding/ re-encoding of the certificate chain, because it comes out looking deformed in the log messages from the lambda:
There seem to be some extra newlines in the second certificate in the certificate chain and/or the first certificate in the chain seems to have ended up inside the second one.
has no newlines in it, but the second does
-----BEGIN\nCERTIFICATE-----`-----END\nCERTIFICATE-----\n-----END CERTIFICATE-----
@carlnordenfelt Can you help?
The text was updated successfully, but these errors were encountered: