Import cert into AWS ACM: ValidationException when calling the ImportCertificate operation: The certificate field contains more than one certificate

amazon-acmimportopensslssl-certificate

I'm trying to import some ssl certificates in PEM format into AWS ACM via aws cli. The certificates come from an nginx installation, when trying to import them with the following command:

aws acm import-certificate --certificate ssl.website.com.crt --private-key ssl.website.com.key --region us-east-2 --profile default

I get this error:

An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field.

I'm no expert with openssl, but AFAICS there's only one certificate on the pem file, there's only one BEGIN/END CERTIFICATE section. I found this command on this stackoverflow post to print the certificates on a pem file, and I only see one certificate in its output:

openssl crl2pkcs7 -nocrl -certfile ssl.website.com.crt | openssl pkcs7 -print_certs -noout
subject=OU = Domain Control Validated, CN = website.com

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

So why is ACM rejecting this certificate ? or I'm I (very probably) doing my checks in the wrong way and there's indeed a second certificate inside that pem file ?

Best Answer

Solved it, you must prefix the value of all parameters with 'file://', like this:

aws acm import-certificate --certificate file://ssl.website.com.crt --private-key file://ssl.website.com.key --certificate-chain file://ssl.website.com.ca --region us-east-2 --profile default

I was following this documentation which does not mention this.

Related Solutions

Java – Fixing CertificateException in Domino 9 When Accessing HTTPS URL

So for Domino 9, as the new feature OpenSocial was added, a lot of functionality was changed around certificates to make it easier to maintain.

As such there is a new API "com.ibm.domino.napi.ssl.DominoX509TrustManager". What this API does is now check the Domino certificates for the related trusted certificate which is also cross certified against the server certificate.

It checks first in the CACERTS. If it can't find this, then it will check the Domino certificates.

So in order to get the code above to work you need to do the following.

Open the Domino Administrator client and select the ""People and Groups -> Certificates".
In the actions menu select "Import Internet Certificates".
Select the related certificate file to import using the file dialog. It may ask you for the file structure when importing, so select the correct structure if needed. It should appear in the view once completed.
Open the document and from the actions menu select "Create Cross Certificate".
A dialog pops up. You select the certificate and click OK.
Next dialog make sure you have it set correctly for your server. ie. The right server and certifier. Click Cross Certify when done.

This should create a cross certificate in the view:

view showing cross certificate

At this point you need to restart the HTTP process with the following commands.

tell http quit 
load http

Centos – Unable to use builtin CA bundle to verify GoDaddy SHA2 SSL certificate

It appears that the web server at https://facts.dohrn.com/ does not include the intermediate certificate.

This would appear to be a configuration mistake on their part. It is definitely something that can be expected to cause compatibility issues as you are really only supposed to rely on clients having the root certificates in place beforehand.

See the certificate chain, eg from the SSLLabs result: (You'll also note that there are many other issues with their SSL setup.)

1   Sent by server  facts.dohrn.com 
Fingerprint: 823e3a70f194c646498b2591069b3727ad0014d9 
RSA 2048 bits (e 65537) / SHA256withRSA

2   Extra download  Go Daddy Secure Certificate Authority - G2 
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8 
RSA 2048 bits (e 65537) / SHA256withRSA

3   In trust store  Go Daddy Root Certificate Authority - G2   Self-signed  
Fingerprint: 47beabc922eae80e78783462a79f45c254fde68b 
RSA 2048 bits (e 65537) / SHA256withRSA

I would say that your main options are to either try to convince the service provider to fix their service or work around the problem on your end by providing the client with the certificates that their server was expected to provide.

Best Answer

Related Solutions

Java – Fixing CertificateException in Domino 9 When Accessing HTTPS URL

Centos – Unable to use builtin CA bundle to verify GoDaddy SHA2 SSL certificate

Related Topic