AWS ELB SSL Setup Error: “Server Certificate Not Found” When Adding HTTPS Listener

When configuring HTTPS on AWS Elastic Load Balancer (ELB), many developers encounter the cryptic error: Server Certificate not found for the key: arn:aws:iam::************:server-certificate/mycert. This typically occurs when attempting to add an SSL listener to your load balancer using a certificate from commercial CAs like GoDaddy or DigiCert.

AWS requires SSL certificates to be uploaded to IAM before they can be associated with load balancers. This is because ELB needs to verify ownership and permissions through IAM roles. The process differs from other AWS services like CloudFront that use ACM certificates.

# Upload certificate via AWS CLI (required step)
aws iam upload-server-certificate \
  --server-certificate-name mycert \
  --certificate-body file://public_key.crt \
  --private-key file://private.key \
  --certificate-chain file://chain.pem

Several factors can cause the "certificate not found" error:

  • Region mismatch between certificate upload and ELB
  • Incorrect IAM permissions for the uploading user
  • Certificate chain formatting issues
  • DNS validation not properly completed

After successful upload, if HTTPS connections timeout:

  1. Verify security group rules allow inbound 443 traffic
  2. Check route tables for proper internet gateway attachment
  3. Confirm the certificate ARN matches exactly in listener config

Here's a full workflow that addresses both the upload and configuration issues:

# 1. Build the chain file from the intermediate and root certificates only
#    (the server certificate itself goes in --certificate-body, not the chain)
cat intermediate.crt root.crt > chain.crt

# 2. Upload with all required components
aws iam upload-server-certificate \
  --server-certificate-name prod-cert \
  --certificate-body file://domain.crt \
  --private-key file://private.key \
  --certificate-chain file://chain.crt

# 3. Verify upload
aws iam get-server-certificate \
  --server-certificate-name prod-cert

# 4. Configure ELB listener
aws elb create-load-balancer-listeners \
  --load-balancer-name my-lb \
  --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/prod-cert"

When renewing certificates:

  • Always upload the new certificate with a distinct name first
  • Test with a dummy listener before swapping production traffic
  • Use version suffixes (e.g., cert-v2) for easier rollback
  • Monitor ACM expiration alerts through CloudWatch

For the OpenSSL connection error shown in the question:

# More detailed SSL check
openssl s_client -connect example.com:443 -servername example.com -showcerts

This helps identify whether the issue is with certificate installation or intermediate chain configuration.


When configuring SSL on AWS Elastic Load Balancer (ELB), you might encounter this puzzling scenario where the console claims your certificate doesn't exist despite verifying its presence in IAM. This typically happens because:

  • Classic Load Balancers require certificates to be uploaded via IAM, not ACM
  • There's an IAM permissions issue preventing the ELB service from accessing your certificate
  • The certificate ARN contains a typo or incorrect account number

# First verify the certificate exists
aws iam list-server-certificates

# Check the exact ARN format needed
aws elb describe-load-balancers --load-balancer-names your-lb-name

# Sample CLI command to upload certificate correctly
aws iam upload-server-certificate \
  --server-certificate-name mycert \
  --certificate-body file://public_key.pem \
  --private-key file://private_key.pem \
  --certificate-chain file://chain.pem

After successfully attaching the certificate, if HTTPS connections still fail:

  1. Check security group rules allow inbound 443
  2. Verify DNS records point to the ELB
  3. Test with openssl to inspect the certificate handshake

# Advanced certificate verification
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com \
  -showcerts < /dev/null 2>/dev/null | openssl x509 -noout -text

  Error                               Solution
  ---------------------------------   --------------------------------------------
  Certificate not in correct region   Upload to same region as your ELB
  Missing certificate chain           Include intermediate certificates
  Permission issues                   Add IAM policy for elb:DescribeLoadBalancers

For new implementations, consider:

  • Using Application Load Balancers (ALB) instead of Classic ELB
  • Leveraging AWS Certificate Manager (ACM) for automatic renewal
  • Implementing TLS 1.2 security policies

# Example ALB listener rule with ACM
aws elbv2 create-listener \
  --load-balancer-arn your-alb-arn \
  --protocol HTTPS \
  --port 443 \
  --certificates CertificateArn=your-acm-cert-arn \
  --ssl-policy ELBSecurityPolicy-TLS-1-2-2017-01 \
  --default-actions Type=forward,TargetGroupArn=your-target-group-arn
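Both answers above hand three files to `aws iam upload-server-certificate` (certificate body, private key, certificate chain), and a frequent cause of a rejected upload or a failing handshake is getting that layout wrong: concatenating leaf, intermediates and root into the body, pairing the body with the wrong key, or shipping a chain that does not actually link the leaf to its root. Below is an added example, not code from either answer, of a POSIX shell pre-flight script that checks those three files locally with the openssl CLI before anything is uploaded. The file names are placeholders, and the throw-away root/intermediate/leaf PKI that `make_sample_pki` generates exists only so the script can be run offline; it is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original answers. Pre-flight checks for the
# three files given to `aws iam upload-server-certificate`: body, key, chain.
# Requires the openssl CLI. File names and the test PKI are constructed here.

# The certificate body must hold exactly ONE PEM certificate: the server (leaf)
# certificate. A body that also contains intermediates/root is the classic mistake.
body_has_one_cert() {
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 1 ]
}

# The private key must belong to the leaf: compare the public keys they encode.
key_matches_cert() {  # leaf.crt private.key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The chain file (intermediates) must link the leaf to a trusted root.
chain_verifies() {  # leaf.crt chain.crt root.crt
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# The leaf must still be valid for at least a day (86400 s).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

# preflight leaf.crt private.key chain.crt root.crt  -> status 0 means safe to upload
preflight() {
  body_has_one_cert "$1" && key_matches_cert "$1" "$2" \
    && chain_verifies "$1" "$3" "$4" && cert_not_expiring "$1"
}

# Build a constructed root -> intermediate -> leaf PKI in directory $1 (EC keys).
make_sample_pki() {
  d="$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/root.key"
  openssl req -new -x509 -batch -key "$d/root.key" -subj "/CN=Constructed Root CA" \
    -days 3650 -out "$d/root.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/int.key"
  openssl req -new -batch -key "$d/int.key" -subj "/CN=Constructed Intermediate CA" \
    -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 2 \
    -days 1825 -extfile "$d/int.ext" -out "$d/int.crt" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$d/leaf.ext"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaf.key"
  openssl req -new -batch -key "$d/leaf.key" -subj "/CN=www.example.com" \
    -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -set_serial 3 \
    -days 365 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
  cp "$d/int.crt" "$d/chain.crt"                                    # correct --certificate-chain
  cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$d/combined.crt"  # the all-in-one body to avoid
}

# Stand-alone demo: the leaf+chain layout passes, the concatenated body is rejected.
w=$(mktemp -d)
make_sample_pki "$w"
preflight "$w/leaf.crt" "$w/leaf.key" "$w/chain.crt" "$w/root.crt" && echo "leaf + chain layout: OK"
body_has_one_cert "$w/combined.crt" || echo "combined.crt as body: REJECTED (holds 3 certificates)"
```

Run `preflight domain.crt private.key chain.crt root.crt` against the real files before the upload; a non-zero status tells you which of the four checks to look at, and the same `openssl verify` call is what to reach for when the ELB later serves a certificate that browsers cannot chain.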