serverless-nextjs / serverless-next.js

⚡ Deploy your Next.js apps on AWS Lambda@Edge via Serverless Components
MIT License

Getting InvalidViewerCertificate error after AWS renewed my certificate #789

Closed owboateng closed 3 years ago

owboateng commented 3 years ago

Describe the bug

I am getting InvalidViewerCertificate: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. when I try to update my deployment. I received an email from AWS this morning that the custom ACM certificate associated with my Next.js CloudFront (with custom domain) has been renewed. After this I am not able to push any changes anymore.

Actual behavior

Expected behavior

I expect the renewed certificate to be used. I did not change anything. The certificate was just renewed.

Steps to reproduce

I do not know how this can be easily reproduced:

  1. A serverless Next.js site with custom domain and custom certificate.
  2. Renew certificate.
  3. Try to deploy.

Screenshots/Code/Logs

.serverless/components/registry/npm/@sls-next/serverless-component@1.18.0/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'InvalidViewerCertificate',
  time: 2020-11-12T19:09:46.557Z,
  requestId: '79b8efb2-b14a-45bf-9c40-60499ce33430',
  statusCode: 400,
  retryable: false,
  retryDelay: 91.04803778510471
}

  81s › prod › InvalidViewerCertificate: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain.

Versions

Additional context

The certificate exists and it is in the right region (us-east-1)

Checklist

dphang commented 3 years ago

Please post your serverless.yml file and try running with serverless --debug to get more logs so we know where it is failing.

If you are using domain, it should dynamically try to find the certificate by domain name: https://github.com/serverless-nextjs/serverless-next.js/blob/0c912709da09ac95ffcdd46f60e922c4ef6b5fc2/packages/serverless-components/domain/serverless.js#L61-L68, unless you specified certificateArn as well. Though I believe the ARN doesn't change when AWS renews the certificate.

owboateng commented 3 years ago

Thanks for the response but I have been able to fix the issue by just manually invalidating the CloudFront cache before deployment.

I think this could be an improvement that can be automated into serverless-next.js by invalidating the CloudFront cache if an existing certificate becomes invalid and retrying. This, I believe, will save developers a lot of time.

Thank you.
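
Added example, not part of the thread and not the project's code: an offline check of the conditions the InvalidViewerCertificate message names (region, validity) plus whether a certificate covers the domain, as a by-domain lookup like the one mentioned above needs. The input objects mirror fields of ACM's DescribeCertificate output; the function names, account id, certificate ids and domains are constructed assumptions, and the certificate chain is not checked.

```javascript
// Added example: constructed data, runs offline (no AWS calls).
// Objects mirror fields of the `Certificate` structure returned by ACM DescribeCertificate.

// True when `pattern` (exact name or "*.example.com" wildcard) covers `domain`.
function nameCovers(pattern, domain) {
  const p = pattern.toLowerCase();
  const d = domain.toLowerCase();
  if (p === d) return true;
  if (!p.startsWith("*.")) return false;
  // A wildcard stands for exactly one left-most label.
  return d.split(".").slice(1).join(".") === p.slice(2);
}

// Returns a list of problems; an empty list means the checks passed.
function checkViewerCertificate(cert, domain, now = new Date()) {
  const problems = [];
  // ARN layout: arn:aws:acm:<region>:<account>:certificate/<id>
  const region = (cert.CertificateArn || "").split(":")[3];
  if (region !== "us-east-1") problems.push(`region ${region} is not us-east-1`);
  if (cert.Status !== "ISSUED") problems.push(`status ${cert.Status} is not ISSUED`);
  if (!(cert.NotAfter instanceof Date) || cert.NotAfter <= now) {
    problems.push("certificate has expired or has no NotAfter date");
  }
  const names = [cert.DomainName, ...(cert.SubjectAlternativeNames || [])].filter(Boolean);
  if (!names.some((n) => nameCovers(n, domain))) {
    problems.push(`no certificate name covers ${domain}`);
  }
  return problems;
}

// Constructed samples: placeholder account id, certificate ids and domains.
const NOW = new Date("2020-11-12T19:09:46Z");
const SAMPLES = {
  renewed: { CertificateArn: "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-1",
    DomainName: "example.com", SubjectAlternativeNames: ["example.com", "*.example.com"],
    Status: "ISSUED", NotAfter: new Date("2021-12-12T12:00:00Z") },
  wrongRegion: { CertificateArn: "arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE-2",
    DomainName: "example.com", Status: "ISSUED", NotAfter: new Date("2021-06-01T12:00:00Z") },
  expired: { CertificateArn: "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-3",
    DomainName: "*.example.com", Status: "EXPIRED", NotAfter: new Date("2020-11-01T12:00:00Z") },
};

for (const [label, cert] of Object.entries(SAMPLES)) {
  console.log(label, checkViewerCertificate(cert, "www.example.com", NOW));
}
```

To run it against real data, pass the `Certificate` object from a DescribeCertificate call made in us-east-1 in place of the samples.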