serverless / components

The Serverless Framework's new infrastructure provisioning technology — Build, compose, & deploy serverless apps in seconds...
https://www.serverless.com
Apache License 2.0

ACM certificate error InvalidViewerCertificate #560

Open rush86999 opened 4 years ago

rush86999 commented 4 years ago

Description

After switching to another account and a new set of account credentials, I am getting this error for a subdomain I'm trying to deploy.

  1. I have successfully switched the domain to another account. There are new DNS records for the domain. I have also issued new certificates from ACM for this domain transfer in the new account.

  2. Everything else works fine, but I am unable to deploy with this new account.

I am getting the error:

InvalidViewerCertificate: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements

I have created two certificates with domain.com and *.domain.com; I also created another, subdomain.domain.com, to match the subdomain of the serverless component, but it did not work. Getting the same error.

Additional Data

E.g. stack trace, version, operating system, ...

  error:
  InvalidViewerCertificate: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements
    at Request.extractError (.../.serverless/components/registry/npm/@serverless/website@4.0.0/node_modules/aws-sdk/lib/protocol/rest_xml.js:53:29)
    at Request.callListeners (.../.serverless/components/registry/npm/@serverless/website@4.0.0/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (.../.serverless/components/registry/npm/@serverless/website@4.0.0/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (.../.serverless/components/registry/npm/@serverless/website@4.0.0/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (../.serverless/components/registry/npm/@serverless/website@4.0.0/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/.serverless/components/registry/npm/@serverless/website@4.0.0/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at ../.serverless/components/registry/npm/@serverless/website@4.0.0/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (.../.serverless/components/registry/npm/@serverless/website@4.0.0/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (.../.serverless/components/registry/npm/@serverless/website@4.0.0/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (.../.serverless/components/registry/npm/@serverless/website@4.0.0/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  message: "The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements",
  code: 'InvalidViewerCertificate',
  time: 2020-03-25T16:04:21.273Z,
  requestId: 'b723444e-1d5d-4a3f-9bf4-44d6138ad07b',
  statusCode: 400,
  retryable: false,
  retryDelay: 68.10053052485159
}

cyberwombat commented 4 years ago

Same error as well

cyberwombat commented 4 years ago

@rush86999 I fixed it for myself. Here's the process of my attempts: I had a primary domain cert which yielded an error. Then I created a wildcard one that also accepted the naked domain. Still error. Then I ensured that my current CF distribution for my naked domain and my www were using the wildcard cert. Still error. Then I deleted the original cert and it worked. So the summary is it appears that sls is finding the first cert that matches the naked domain and doesn't look for any other ones. Try editing your wildcard one to also accept naked and delete the non-wildcard cert.

TL;DR - you can only have one cert for a domain.
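
The certificate-selection problem suspected in the comment above, as an added example (not code from the @serverless/website component or from either commenter): it contrasts a "first certificate whose primary name is the apex domain" pick with a pick that requires the certificate to cover every CloudFront alias. The first-match rule is modelled on the commenter's guess, not on the component's source; the function names, `example.com` names and ARNs are constructed, and the record fields follow ACM's `DomainName` / `SubjectAlternativeNames`.

```javascript
// Added illustration; certificate records below are constructed sample data.

// True when one certificate name (exact or "*.") covers the host.
// A wildcard matches exactly one left-most label and never the apex itself.
function nameCovers(certName, host) {
  const c = certName.toLowerCase();
  const h = host.toLowerCase();
  if (!c.startsWith('*.')) return c === h;
  const suffix = c.slice(1); // "*.example.com" -> ".example.com"
  if (!h.endsWith(suffix)) return false;
  const label = h.slice(0, h.length - suffix.length);
  return label.length > 0 && !label.includes('.');
}

// A certificate covers a host if its primary name or any SAN does.
function certCovers(cert, host) {
  const names = [cert.DomainName, ...(cert.SubjectAlternativeNames || [])];
  return names.some((n) => nameCovers(n, host));
}

// Assumed (hypothetical) behaviour: first cert whose primary name is the apex.
function pickFirstByApex(certs, apex) {
  return certs.find((c) => c.DomainName === apex) || null;
}

// Stricter selection: first cert that covers every alias on the distribution.
function pickCoveringAll(certs, aliases) {
  return certs.find((c) => aliases.every((a) => certCovers(c, a))) || null;
}

// Constructed sample: an apex-only cert listed before a wildcard+apex cert.
const certs = [
  { CertificateArn: 'arn:aws:acm:us-east-1:111111111111:certificate/constructed-apex-only',
    DomainName: 'example.com', SubjectAlternativeNames: ['example.com'] },
  { CertificateArn: 'arn:aws:acm:us-east-1:111111111111:certificate/constructed-wildcard',
    DomainName: '*.example.com', SubjectAlternativeNames: ['*.example.com', 'example.com'] },
];
const aliases = ['app.example.com'];

const first = pickFirstByApex(certs, 'example.com');
const strict = pickCoveringAll(certs, aliases);
console.log('first-match cert covers alias:', certCovers(first, aliases[0]));
console.log('cert covering all aliases:', strict && strict.CertificateArn);
```

Run against the real output of `aws acm list-certificates` plus `describe-certificate`, the same check shows before deployment which certificate would be rejected with `InvalidViewerCertificate`.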