Handling exceptions
An Amazon Certificate Manager command might fail for several reasons. For information about each exception, see the table below.
Private certificate exception handling
The following exceptions can occur when you attempt to renew a private PKI certificate issued by Amazon Private CA.
Note
Amazon Private CA is not supported in the China (Beijing) Region and the China (Ningxia) Region.
| ACM failure code | Comment |
|---|---|
| | The private CA has not granted ACM permissions. This triggers an Amazon Private CA To remedy the problem, grant the necessary permissions to the ACM service principal using the Amazon Private CA CreatePermission operation. |
| | The validity period of the requested certificate exceeds the validity period of the issuing private CA. This triggers an Amazon Private CA To remedy the problem, install a new CA certificate with an appropriate validity period. |
| | The private CA being called is not in the correct state to perform the requested ACM operation. This triggers an Amazon Private CA Resolve the issue as follows: |
| | The private CA has reached an issuance quota. This triggers an Amazon Private CA If the error persists, contact Amazon Web Services Support. |
| | A network or system error occurred. This triggers an Amazon Private CA If the error persists, contact Amazon Web Services Support. |
| | The private CA has been permanently deleted. This triggers an Amazon Private CA To remedy the problem, create a new CA. |
| SLR_NOT_FOUND | To renew a certificate signed by a private CA that resides in another account, ACM requires a Service Linked Role (SLR) on the account where the certificate resides. If you need to recreate a deleted SLR, see Creating the SLR for ACM. |
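
The CreatePermission remedy from the table, as an added example (not code from the original page or from AWS): it checks whether a private CA already grants the ACM service principal the three Private CA permission actions and creates the grant only when none exists. The function names, `StubPCA` and the sample ARN are constructed for illustration; against a real account, `pca` would be a boto3 `acm-pca` client.

```python
"""Added example: check (and optionally create) the ACM grant on a private CA."""

ACM_PRINCIPAL = "acm.amazonaws.com"  # ACM service principal
REQUIRED_ACTIONS = {"IssueCertificate", "GetCertificate", "ListPermissions"}


def acm_permission_actions(pca, ca_arn):
    """Actions granted to ACM on the CA, or None when no grant exists."""
    kwargs = {"CertificateAuthorityArn": ca_arn}
    while True:
        page = pca.list_permissions(**kwargs)
        for perm in page.get("Permissions", []):
            if perm.get("Principal") == ACM_PRINCIPAL:
                return set(perm.get("Actions", []))
        if not page.get("NextToken"):
            return None
        kwargs["NextToken"] = page["NextToken"]


def ensure_acm_permission(pca, ca_arn, dry_run=True):
    """Return 'ok', 'missing', 'created' or 'incomplete:<actions>'."""
    granted = acm_permission_actions(pca, ca_arn)
    if granted is None:
        if dry_run:
            return "missing"
        pca.create_permission(CertificateAuthorityArn=ca_arn,
                              Principal=ACM_PRINCIPAL,
                              Actions=sorted(REQUIRED_ACTIONS))
        return "created"
    lacking = REQUIRED_ACTIONS - granted
    # A partial grant is reported, not changed, so a human reviews it.
    return "incomplete:" + ",".join(sorted(lacking)) if lacking else "ok"


class StubPCA:
    """Constructed stand-in for boto3.client('acm-pca'); returns canned pages."""
    def __init__(self, pages):
        self.pages, self.created = pages, []

    def list_permissions(self, **kwargs):
        return self.pages[int(kwargs.get("NextToken", 0))]

    def create_permission(self, **kwargs):
        self.created.append(kwargs)


if __name__ == "__main__":
    arn = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE"  # constructed
    print(ensure_acm_permission(StubPCA([{"Permissions": []}]), arn))  # missing
```

Running with `dry_run=True` first makes the check usable as a read-only audit across CAs before any grant is created.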