Impossible to update the intermediate chain on an imported ACM certificate

[ghost]

This issue was originally opened by @zioalex as hashicorp/terraform#23869. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Terraform Version

Terraform v0.12.19
+ provider.aws v2.41.0
+ provider.local v1.4.0
+ provider.null v2.1.2
+ provider.random v2.2.1
+ provider.template v2.1.2
...

Terraform Configuration Files

resource "aws_acm_certificate" "wildcard_users_service_domain" {
  count             = local.enable_users_service_lb
  private_key       = local.users_service_ssl_cert_key
  certificate_body  = local.users_service_ssl_cert
  certificate_chain = local.users_service_ssl_cert_chain

  lifecycle {
    create_before_destroy = true
  }
}
...

Debug Output

https://gist.github.com/zioalex/0b4c01ea1a4d6213fee1cff86ae50a46

Crash Output

Expected Behavior

I expect to have the certificate updated with the new cert chain or a new certificate with the update chain.

Actual Behavior

it fails with:

Error: Error updating certificate: ValidationException: The certificate field contains more than one certificate. You can specify only one certificate in this field.
	status code: 400, request id: ad0750e3-bce4-441b-b3ce-07dd8c48306e

  on ../modules/cluster/loadbalancer.tf line 210, in resource "aws_acm_certificate" "wildcard_users_service_domain":
 210: resource "aws_acm_certificate" "wildcard_users_service_domain" {

Steps to Reproduce

have a terraform.tfvars with:

users_service_ssl_file_cert = "sslcerts/wildcard.star.com.crt"
# users_service_ssl_file_cert_chain = "sslcerts/rapidssl_intermediate.crt"
users_service_ssl_file_cert_chain = "sslcerts/1.cer"

Then

terraform init
terraform apply

this works correctly and the cert is created.
Change the intermediate chain and re-apply and it will fail.

Additional Context

I tried to this with AWS console and I am able to re-import the same cert with a different chain.

References

[zioalex]

I verified that re-running the terraform apply for the second time it finish successfully but in reality it doesn't change the chain.

To get the chain updated I needed to update it through the AWS console.
The command used to check it is the follow:
openssl s_client -showcerts -partial_chain -connect ENDPOINT:443 < /dev/null |less

[bplunkert]

I also found that error when attempting to add a chain certificate and update the certificate body on an existing resource. I noticed that neither the certificate body nor the chain were updated, although the error went away for me on the second run as well.

I had to delete the existing ELB listeners and ACM certificate, then re-run terraform, to resolve the issue.

In the past, after enough re-runs it eventually goes through. This time, nothing.

I think the issue is at least partially on the AWS side because I see certificates in the ACM console, but none available when I attempt to add an HTTPS listener to an LB resource.

[bflad]

Hi folks 👋 The fix for this, saving the full attribute values in the Terraform state instead of hashed values, has been merged and will release with version 3.0.0 of the Terraform AWS Provider, likely in two weeks.

The version 3 upgrade guide will outline some details about a one-time terraform apply behavior that will occur after upgrade for the aws_acm_certificate resource:

Previously when the certificate_body, certificate_chain, and private_key arguments were stored in state, they were stored as a hash of the actual value. This prevented Terraform from properly updating the resource when necessary and the hashing has been removed. The Terraform AWS Provider will show an update to these arguments on the first apply after upgrading to version 3.0.0, which is fixing the Terraform state to remove the hash. Since the private_key attribute is marked as sensitive, the values in the update will not be visible in the Terraform output. If the non-hashed values have not changed, then no update is occurring other than the Terraform state update. If these arguments are the only updates and they all match the hash removal, the apply will occur without submitting API calls.

If you have trouble after upgrading to version 3.0.0 of the Terraform AWS Provider, please create a new issue and we will take a look. Thanks so much and apologies for the frustrating behavior in the meantime.

[ghost]

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!