Calvin's Blog

How the AWS console lied to me and made me think I was crazy

Tags: short, aws, acm, acm-pca

Introduction

I am working on a project where I am building some certificate infrastructure in AWS for a variety of clients including clients that do not directly integrate with ACM. I am leveraging ACM-PCA for a private Certificate Authority and having ACM in various accounts across an AWS organization access a central ACM-PCA. I am using terraform to provision infrastructure.

What Happened

I got all of my access control policies in place, and cross-account (organization) sharing of the ACM-PCA was working, but I was getting an error in the AWS console's ACM interface when requesting a private certificate via the ACM RequestCertificate API. Registering the certificate in ACM was marked as failed, and the tooltip when hovering over the red indicator read:

The signing certificate for the CA you specified in the request has expired

Obviously confused, I went and checked the expiration of the ACM-PCA CA certificate: it was one year in the future, exactly as configured in my terraform. My signing certificate was not expired, and I was confused…

Long story short that error message was a LIE!

I enabled trace level logging in terraform by running:

export TF_LOG=trace

I then tried again to create an ACM certificate using the aws_acm_certificate resource in my terraform, specifying the ACM-PCA ARN in the options to indicate it was a private certificate from that CA. In the logs I saw a failure code on the ACM DescribeCertificate API call that terraform makes to get the details of the certificate after it has been requested. The response contained the failure code PCA_INVALID_DURATION. According to the documentation this specifically means:

The validity period of the requested certificate exceeds the validity period of the issuing private CA. This triggers an AWS Private CA ValidationException failure code.

AH HA! This is exactly what the problem was… It turns out that certificates issued through an ACM-PCA in general-purpose mode have a default validity period of 1 year. The CA cert on my ACM-PCA also had a validity period of 1 year, so any certificate requested after the CA was created would outlive the CA itself. Thus the error above.
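As an added example (not code from the original post), here is a small diagnostic that does programmatically what the trace logs revealed above: it reads the FailureReason from ACM's DescribeCertificate response and, when it is PCA_INVALID_DURATION, compares the issuing CA's NotAfter (from ACM-PCA's DescribeCertificateAuthority) with the validity the request needs. The clients are passed in so the function works with real boto3 clients for "acm" and "acm-pca" or, as in the constructed demo() scenario, with fakes; the default ACM validity of 365 days, the ARNs and the helper names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Validity ACM assigns to a private certificate when the request does not set
# one. The post observed one year; it is taken as an assumption here.
ASSUMED_ACM_DEFAULT_VALIDITY = timedelta(days=365)


@dataclass
class Diagnosis:
    status: str
    failure_reason: Optional[str]
    ca_days_remaining: Optional[int]
    fits_in_ca_validity: Optional[bool]
    message: str


def diagnose_private_cert(acm, pca, cert_arn,
                          requested_validity=ASSUMED_ACM_DEFAULT_VALIDITY,
                          now=None):
    """Explain why an ACM private-certificate request failed.

    `acm` and `pca` are boto3 clients for "acm" and "acm-pca" (or fakes with
    the same method names). Only the response fields read below are used.
    """
    now = now or datetime.now(timezone.utc)
    cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
    status = cert.get("Status", "UNKNOWN")
    reason = cert.get("FailureReason")
    ca_arn = cert.get("CertificateAuthorityArn")

    if status != "FAILED":
        return Diagnosis(status, None, None, None,
                         f"certificate status is {status}; nothing to diagnose")
    if reason != "PCA_INVALID_DURATION" or not ca_arn:
        return Diagnosis(status, reason, None, None,
                         f"request failed with {reason}; not a CA-validity problem")

    # The CA certificate's own NotAfter bounds everything it issues: an
    # end-entity certificate cannot outlive its issuer, which is what
    # PCA_INVALID_DURATION reports, regardless of what the console tooltip says.
    ca = pca.describe_certificate_authority(
        CertificateAuthorityArn=ca_arn)["CertificateAuthority"]
    remaining = ca["NotAfter"] - now
    fits = remaining >= requested_validity
    advice = ("durations fit; look elsewhere for the cause" if fits else
              "re-issue the CA certificate with a longer lifetime or shorten the request")
    message = (f"CA {ca_arn} expires in {remaining.days} days but the request "
               f"needs {requested_validity.days} days of validity; {advice}")
    return Diagnosis(status, reason, remaining.days, fits, message)


# Constructed fakes standing in for boto3 clients (hypothetical, offline only).
class _FakeAcm:
    def __init__(self, cert):
        self._cert = cert

    def describe_certificate(self, CertificateArn):
        return {"Certificate": self._cert}


class _FakePca:
    def __init__(self, ca):
        self._ca = ca

    def describe_certificate_authority(self, CertificateAuthorityArn):
        return {"CertificateAuthority": self._ca}


def demo(now=None):
    """Constructed scenario mirroring the post: a CA with a one-year certificate
    issued about 65 days ago, and an ACM request using the default validity."""
    now = now or datetime(2024, 1, 1, tzinfo=timezone.utc)
    ca_arn = "arn:aws:acm-pca:us-east-1:111111111111:certificate-authority/EXAMPLE"
    acm = _FakeAcm({"Status": "FAILED",
                    "FailureReason": "PCA_INVALID_DURATION",
                    "CertificateAuthorityArn": ca_arn})
    pca = _FakePca({"NotBefore": now - timedelta(days=65),
                    "NotAfter": now + timedelta(days=300)})
    return diagnose_private_cert(
        acm, pca, "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE", now=now)


if __name__ == "__main__":
    print(demo().message)
```

Run it with real clients as diagnose_private_cert(boto3.client("acm"), boto3.client("acm-pca"), cert_arn); the check is read-only, so it needs only acm:DescribeCertificate and acm-pca:DescribeCertificateAuthority.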

I hope this saves someone out there some time… It took me longer than I would like to admit to figure this out…