Handling exceptions - AWS Certificate Manager (original) (raw)
Private certificate exception handling
An AWS Certificate Manager command might fail for several reasons. For information about each exception, see the table below.
Private certificate exception handling
The following exceptions can occur when you attempt to renew a private PKI certificate issued by AWS Private CA.
Note
AWS Private CA is not supported in the China (Beijing) Region and the China (Ningxia) Region.
| ACM failure code | Comment |
|---|---|
| PCA_ACCESS_DENIED | The private CA has not granted ACM permissions. This triggers a AWS Private CA AccessDeniedException failure code. To remedy the problem, grant the necessary permissions to the ACM service principal using the AWS Private CA CreatePermission operation. |
| PCA_INVALID_DURATION | The validity period of the requested certificate exceeds the validity period of the issuing private CA. This triggers a AWS Private CAValidationException failure code. To remedy the problem, install a new CA certificate with an appropriate validity period. |
| PCA_INVALID_STATE | The private CA being called is not in the correct state to perform the requested ACM operation. This triggers a AWS Private CAInvalidStateException failure code. Resolve the issue as follows: If the CA has the status CREATING, wait for creation to finish and then install the CA certificate. If the CA has status PENDING_CERTIFICATE, install the CA certificate. If the CA has status DISABLED, update it toACTIVE status. If the CA has status DELETED, restore it. If the CA has status EXPIRED, install a new certificate If the CA has status FAILED, and you cannot resolve the issue, contact Support. |
| PCA_LIMIT_EXCEEDED | The private CA has reached an issuance quota. This triggers a AWS Private CALimitExceededException failure code. Try repeating your request before proceeding with this help. If the error persists, contact Support to request a quota increase. |
| PCA_REQUEST_FAILED | A network or system error occurred. This triggers a AWS Private CARequestFailedException failure code. Try repeating your request before proceeding with this help. If the error persists, contact Support. |
| PCA_RESOURCE_NOT_FOUND | The private CA has been permanently deleted. This triggers a AWS Private CAResourceNotFoundException failure code. Verify that you used the correct ARN. If that fails, you won't be able to use this CA. To remedy the problem, create a new CA. |
| SLR_NOT_FOUND | In order to renew a certificate signed by a private CA that resides in another account, ACM requires a Service Linked Role (SLR) on the account where the certificate resides. If you need to recreate a deleted SLR, see Creating the SLR for ACM. |
Problems with the ACM service-linked role (SLR)
Quotas
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.