> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS ACM Certificates Not Valid

### More Info:

Ensure that all the requests made during SSL/TLS certificate issue or renewal process are validated. These requests are managed within your account by the Amazon Certificate Manager (ACM), an AWS service that lets you provision, deploy and maintain SSL/TLS certificates for use with other AWS resources such as ELB load balancers, CloudFront distributions or APIs via Amazon API Gateway.

### Risk Level

Medium

### Address

Security

### Compliance Standards

NIST

### Triage and Remediation

<Tabs>
  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console and open the API Gateway console at [https://console.aws.amazon.com/apigateway/](https://console.aws.amazon.com/apigateway/).

        2. In the navigation pane, choose 'APIs'.

        3. In the APIs pane, choose the API you want to check.

        4. In the API details pane, choose 'Custom Domain Names'. This will display a list of custom domain names associated with the API.

        5. For each custom domain name, check the 'ACM Certificate' column. If the certificate is not valid, it will be indicated here.
      </Accordion>

      <Accordion title="Using CLI">
        1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the resources.

        2. Once the AWS CLI is set up, you can list all the API Gateways in your account using the following command:
           ```
           aws apigateway get-rest-apis --region your-region-name
           ```
           Replace 'your-region-name' with the name of your AWS region. This command will return a list of all the REST APIs in the specified region.

        3. For each API Gateway, you can get the details of the API Gateway's stages using the following command:
           ```
           aws apigateway get-stages --rest-api-id your-rest-api-id --region your-region-name
           ```
           Replace 'your-rest-api-id' with the ID of your REST API and 'your-region-name' with the name of your AWS region. This command will return a list of all the stages of the specified REST API.

        4. For each stage, check the 'clientCertificateId' field. If this field is empty or the certificate ID is not valid, then the ACM Certificate is not valid in the API Gateway. You can check the validity of the certificate ID using the following command:
           ```
           aws acm describe-certificate --certificate-arn your-certificate-arn --region your-region-name
           ```
           Replace 'your-certificate-arn' with the ARN of your certificate and 'your-region-name' with the name of your AWS region. This command will return the details of the specified certificate. If the 'Status' field is not 'ISSUED', then the certificate is not valid.
      </Accordion>

      <Accordion title="Using Python">
        1. Install and configure AWS SDK for Python (Boto3) on your local system. This will allow you to interact with AWS services using Python.

        ```python theme={null}
        pip install boto3
        aws configure
        ```

        2. Import the necessary modules and create a session using your AWS credentials.

        ```python theme={null}
        import boto3
        session = boto3.Session(
            aws_access_key_id='YOUR_ACCESS_KEY',
            aws_secret_access_key='YOUR_SECRET_KEY',
            region_name='YOUR_REGION'
        )
        ```

        3. Use the `get_rest_apis` method from the `apigateway` client to get a list of all the APIs in your account. Then, for each API, use the `get_domain_names` method to get a list of all the domain names associated with that API. For each domain name, check the `certificateUploadDate` attribute. If it is more than 13 months ago, the certificate is not valid.

        ```python theme={null}
        client = session.client('apigateway')
        apis = client.get_rest_apis()['items']
        for api in apis:
            domain_names = client.get_domain_names()['items']
            for domain_name in domain_names:
                if 'certificateUploadDate' in domain_name:
                    certificate_age = (datetime.datetime.now(datetime.timezone.utc) - domain_name['certificateUploadDate']).days
                    if certificate_age > 395:
                        print(f"API Gateway {api['name']} has an invalid certificate for domain {domain_name['domainName']}")
        ```

        4. This script will print out the names of all the APIs and their associated domain names that have invalid certificates. You can modify this script to suit your needs, for example by sending an email alert instead of printing to the console.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the step-by-step instructions to remediate the AWS ACM Certificates Not Valid misconfiguration:

        1. Firstly, log in to your AWS Management Console and navigate to the AWS Certificate Manager (ACM) service.

        2. In the ACM dashboard, locate the certificate that is displaying the "Not Valid" status.

        3. Click on the certificate name to view the details of the certificate.

        4. In the certificate details page, check the "Status" field to see if it is showing "Pending Validation" or "Failed". If the status is "Pending Validation", then you need to complete the validation process. If the status is "Failed", then you need to identify the reason for the failure and take appropriate action to fix it.

        5. If the certificate is still in the "Pending Validation" status, click on the "Domain" field to view the validation options.

        6. Choose the appropriate validation method based on your domain registrar and follow the instructions provided by ACM to complete the validation process.

        7. Once the validation process is completed successfully, the certificate status will change to "Issued" and the certificate will become valid.

        8. If the certificate status is "Failed", check the "Reason" field to identify the reason for the failure.

        9. Based on the reason for the failure, take appropriate action to fix the issue. For example, if the failure reason is "DNS validation failed", then you need to ensure that the DNS records for your domain are correctly configured.

        10. After fixing the issue, click on the "Request Validation" button to initiate the validation process again.

        11. Once the validation process is completed successfully, the certificate status will change to "Issued" and the certificate will become valid.

        That's it! Following these steps should help you remediate the AWS ACM Certificates Not Valid misconfiguration.

        #
      </Accordion>

      <Accordion title="Using CLI">
        If you are facing an issue with AWS ACM certificates not being valid, you can follow the below steps to remediate it:

        1. Verify the certificate status by running the following command:
           ```
           aws acm describe-certificate --certificate-arn <certificate-arn>
           ```
           Replace `<certificate-arn>` with the ARN of the certificate you want to verify.

        2. Check the `Status` field in the output of the above command. If the status is `ISSUED`, then the certificate is valid. If the status is `PENDING_VALIDATION`, then the certificate is still being validated. If the status is `EXPIRED`, then the certificate has expired.

        3. If the certificate has expired, you can renew it by running the following command:
           ```
           aws acm renew-certificate --certificate-arn <certificate-arn>
           ```
           Replace `<certificate-arn>` with the ARN of the certificate you want to renew.

        4. If the certificate is still being validated, you can check the validation status by running the following command:
           ```
           aws acm describe-certificate --certificate-arn <certificate-arn> --certificate-statuses PENDING_VALIDATION
           ```
           Replace `<certificate-arn>` with the ARN of the certificate you want to check.

        5. If the validation is successful, the status will change to `ISSUED`. If the validation fails, you can check the validation error by running the following command:
           ```
           aws acm describe-certificate --certificate-arn <certificate-arn> --certificate-statuses FAILED
           ```
           Replace `<certificate-arn>` with the ARN of the certificate you want to check.

        6. Resolve the validation error and repeat the validation process.

        7. Once the certificate is valid, you can update your resources to use the new certificate.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the AWS ACM Certificates not valid misconfiguration using Python, you can use the `boto3` library to interact with the AWS ACM service. Here are the step-by-step instructions:

        1. Install the `boto3` library using the following command:

        ```
        pip install boto3
        ```

        2. Import the `boto3` library and create an ACM client object:

        ```python theme={null}
        import boto3

        acm_client = boto3.client('acm')
        ```

        3. List all the ACM certificates using the `list_certificates()` method:

        ```python theme={null}
        response = acm_client.list_certificates()
        ```

        4. Loop through the list of certificates and check if the certificate is valid using the `describe_certificate()` method:

        ```python theme={null}
        for certificate in response['CertificateSummaryList']:
            certificate_arn = certificate['CertificateArn']
            certificate_details = acm_client.describe_certificate(CertificateArn=certificate_arn)
            if certificate_details['Certificate']['Status'] != 'ISSUED':
                # Certificate is not valid
                # Remediation steps go here
        ```

        5. If a certificate is not valid, you can either renew it or delete it. To renew a certificate, use the `renew_certificate()` method:

        ```python theme={null}
        acm_client.renew_certificate(CertificateArn=certificate_arn)
        ```

        6. To delete a certificate, use the `delete_certificate()` method:

        ```python theme={null}
        acm_client.delete_certificate(CertificateArn=certificate_arn)
        ```

        7. Once you have remediated all the invalid certificates, you can verify that all certificates are valid by repeating step 3 and checking that all certificates have a status of `ISSUED`.

        Note: Before deleting a certificate, make sure that it is not being used by any resources in your AWS account.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html](https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html)
