I'm trying to import some ssl certificates in PEM format into AWS ACM via aws cli. The certificates come from an nginx installation, when trying to import them with the following command:

aws acm import-certificate --certificate ssl.website.com.crt --private-key ssl.website.com.key --region us-east-2 --profile default

I get this error:

An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field.

I'm no expert with openssl, but AFAICS there's only one certificate on the pem file, there's only one BEGIN/END CERTIFICATE section. I found this command on this stackoverflow post to print the certificates on a pem file, and I only see one certificate in its output:

openssl crl2pkcs7 -nocrl -certfile ssl.website.com.crt | openssl pkcs7 -print_certs -noout
subject=OU = Domain Control Validated, CN = website.com

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

So why is ACM rejecting this certificate? Or am I (very probably) doing my checks the wrong way, and there is indeed a second certificate inside that PEM file?

Juancho
  • I think the certificates are ok as I could import them into ACM through the aws console using the same files I'm using in the aws cli, sounds like a bug ? – Juancho Jan 07 '20 at 16:48

4 Answers

1

Solved it, you must prefix the value of all parameters with 'file://', like this:

aws acm import-certificate --certificate file://ssl.website.com.crt --private-key file://ssl.website.com.key --certificate-chain file://ssl.website.com.ca --region us-east-2 --profile default

I was following this documentation which does not mention this.

Juancho
  • That's untrue. The documentation specifically says that the files must be prefixed by `fileb://`, not `file://` – Orabîg Nov 25 '21 at 09:55
0

In my case the certificate file contained multiple -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- sections - I needed to use the first one and the following ones were the certificate chain.

tschumann
    Please provide additional details in your answer. As it's currently written, it's hard to understand your solution. – Community Sep 02 '21 at 05:40
  • This is an obvious solution (because this is exactly what the error message says), but unfortunately in some cases, people have the error message with a perfectly valid certificate file. When you have multiple blocks, your file is not a certificate, but a bundle (and thus incorrect) – Orabîg Nov 25 '21 at 09:57
0

I had the same issue, and finally got the solution.

This is a bug in AWS CLI because the certificate is valid. However, in my case, the cert file had an extra space at the end of each line (I don't know why our certificate authority - Sectigo in that case - generated such weird certificates, by the way). Removing these extra spaces fixed the issue.

This is as easy as:

$ perl -i -pe 's/ $//gm' certificate_file.crt
Orabîg
-1

The documentation says that. Maybe you missed it.

When you import a certificate by using the CLI, you must specify the certificate, the certificate chain, and the private key by their file names preceded by fileb:// . For example, you can specify a certificate saved in the C:\temp folder as fileb://C:\temp\certificate_to_import.pem . If you are making an HTTP or HTTPS Query request, include these arguments as BLOBs.

Screenshot showing the documentation about the certificate path