I am trying to set up SSL on my load balancer with a certificate I purchased from GoDaddy.
When trying to upload the certificate in the console I got an error:
Failed to create load balancer: Server Certificate not found for the key: arn:aws:iam::************:server-certificate/mycert
I've never encountered this error before when adding SSL certificates. I'm not sure why iam is even used here.
After some Googling, I was able to upload my certificate to iam using aws cli (again, not sure why I had to do this).
Now when modifying the listeners I can see my uploaded certificate as an existing SSL certificate. When I try to save my changes to the load balancer, however, I get the same error. I have verified that the certificate exists:
$ aws iam list-server-certificates
{
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateId": "*********************",
            "ServerCertificateName": "mycert",
            "Expiration": "2018-11-19T18:47:38Z",
            "Path": "/",
            "Arn": "arn:aws:iam::************:server-certificate/mycert",
            "UploadDate": "2015-11-19T19:23:32Z"
        }
    ]
}
(I have verified the obfuscated account number here is the same as in the error)
From here I am stuck. Why am I not able to apply my certificate to this load balancer?
Edit Thu Nov 19 11:47:18 PST 2015
After waiting for a while and logging out and in, I was able to update the listeners with my SSL certificate. However, it doesn't seem to be working correctly. When trying to load my domain over HTTPS the request times out. It seems it is unable to load the certificate:
$ echo | openssl s_client -connect www.example.com:443 2>/dev/null | openssl x509 -noout -subject
unable to load certificate
69457:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
I faced the same problem when trying to create the ELB from the web console. I was trying to upload a new certificate there via the GUI and it was finally failing with the same error. I solved it by uploading the certificate files separately via aws cli. It is explained in this doc - http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html#upload-cert
Upload the certificate, private key and certificate chain like this
And then go to the web console and choose the option "Choose an existing certificate from AWS Identity and Access Management (IAM)" and choose the certificate pair that was just uploaded. It will work fine after that.
The error is misleading. It does upload the cert. Once you receive that error exit then go back to change. Choose existing IAM certificate and click on the drop down -- you should see the new cert there.
I had the same issue but thankfully managed to resolve it without having to hit the CLI. I got the ELB to add an HTTPS listener by pasting the certificate chain in the public key certificate field, after the certificate itself.
The error only manifested when the certificate chain was pasted in to its own certificate chain input box in the console (marked optional). Not really sure why this made a difference but it created the HTTPS listener on the ELB and all was good.
It was due to a special character in the certificate name: . (dot) in my case. Everything worked fine after removing all dots from the certificate name.
I just hit this, too. Tried five times to create a new ELB and it failed every time. Never tried the API variant, but I managed to set the SSL certificate by
I faced the same problem. In my case I got the error "Server Certificate not found for the key" when uploading an SSL certificate but they eventually get uploaded and show up in the drop-down. I don't get any errors when uploading via CLI. When I contacted AWS support they gave me the below reason for the error
I got around this by going to the certificate manager in the aws console and uploading there first. Then using the load balancer wizard and selecting the certificate I'd uploaded.
Same problem here when using the AWS web interface: I uploaded a valid certificate, correct key and the complete chain but got the above mentioned error.
I tried to upload the certificate to another (test) load balancer. The upload worked, but the listener status then says: "Invalid-Certificate".
When I opened the "Select certificate" dialogue again, no certificate was selected. But obviously the certificate was uploaded correctly, because I could select it in the certificate list.
So, back to my original load balancer, I tried to assign this uploaded certificate. Strange thing now: it wasn't in the list. I gave it a new try and uploaded the certificate and its key but left out the certificate chain. This worked, so I knew it must be the chain that is not correct (it's a Comodo cert). I downloaded the chain again from the official page, uploaded the whole bundle and it worked. Strange thing now: when I compared both of them, the corrupt and the newly downloaded one, they seem the same. Same dates, same serial, same same. But different.
Long story short: It worked by downloading the intermediate certificates again.
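The answers above that upload through the aws cli and that trace the failure to a bad intermediate chain both come down to the state of the PEM files, so here is a set of local checks to run before uploading. This is an added example, not code from any poster or from AWS; the file names are placeholders, `mycert` is the name used in the question, and rejecting dots in the name follows one answer in this thread rather than a documented IAM rule.

```bash
# Added example: local checks before uploading a server certificate to IAM.
# File paths and the name passed in are placeholders chosen by the caller.

# Print the number of certificates in a PEM file; fail on CRLF line endings
# or on BEGIN/END markers that are missing, padded or unbalanced.
count_pem_certs() {
  local file="$1" cr begins ends
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  cr=$(printf '\r')
  if grep -q "$cr" "$file"; then echo "CRLF line endings in $file" >&2; return 1; fi
  begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$file" || true)
  ends=$(grep -c -e '^-----END CERTIFICATE-----$' "$file" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "malformed PEM in $file (BEGIN=$begins END=$ends)" >&2; return 1
  fi
  echo "$begins"
}

# Succeed when the private key ($2) and the certificate ($1) hold the same
# public key. Uses `openssl pkey`, so it needs OpenSSL 1.0.0 or later.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed when the first certificate in the chain file ($2) is the issuer of
# the certificate ($1), compared by OpenSSL name hash.
chain_issues_cert() {
  local want got
  want=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
  got=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 1
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# preflight NAME CERT KEY CHAIN: run every check, stop at the first failure.
# The dot rule follows one answer in this thread; treat it as local policy.
preflight() {
  case "$1" in *.*) echo "dot in certificate name: $1" >&2; return 1 ;; esac
  count_pem_certs "$2" >/dev/null || return 1
  count_pem_certs "$4" >/dev/null || return 1
  key_matches_cert "$2" "$3" || { echo "key does not match certificate" >&2; return 1; }
  chain_issues_cert "$2" "$4" || { echo "chain does not start with the issuer" >&2; return 1; }
}

# Use: preflight mycert cert.pem key.pem chain.pem && aws iam upload-server-certificate \
#   --server-certificate-name mycert --certificate-body file://cert.pem \
#   --private-key file://key.pem --certificate-chain file://chain.pem
```

Two chain files that show the same dates and serial numbers can still differ in line endings or marker whitespace, which is what `count_pem_certs` catches.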
I had this same issue and what eventually fixed it was going into the Security Group for the load balancer and making sure that port 443 was opened up.
Before creating the Classic Load Balancer you need to create an AMI (an image of your instance in production). With this, go to the load balancer creation settings and do the process again; after this the certificates were provided and all went well in my case.