Fix Terraform Error - Error Creating ALB Listener - CertificateNotFound

Name: Ansible Automation Platform By Example
Author: Luca Berton

How to fix CertificateNotFound and SSL certificate errors when creating ALB/NLB listeners in Terraform. Validate ACM certificates and DNS.

Fix Terraform Error - Error Creating ALB Listener - CertificateNotFound

September 18, 2025
2 min read
Posted by Luca Berton
Terraform, Troubleshooting, DevOps, Error Fix, Infrastructure as Code

The Error

Error creating ALB Listener: CertificateNotFound: Certificate not found

What Causes This

The ACM certificate ARN referenced in the ALB listener doesn’t exist, hasn’t been validated yet, or is in a different region. ALB certificates must be in the same region as the load balancer (CloudFront requires us-east-1).

How to Fix It

Solution 1: Verify Certificate Exists and Is Validated

# List certificates
aws acm list-certificates --region us-east-1

# Check certificate status
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/xxx \
  --query 'Certificate.[Status,DomainName]'

# Status must be ISSUED, not PENDING_VALIDATION

Solution 2: Create and Validate Certificate

resource "aws_acm_certificate" "main" {
  domain_name               = "example.com"
  subject_alternative_names = ["*.example.com"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.main.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id = aws_route53_zone.main.zone_id
  name    = each.value.name
  type    = each.value.type
  records = [each.value.record]
  ttl     = 60
}

resource "aws_acm_certificate_validation" "main" {
  certificate_arn         = aws_acm_certificate.main.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

# ALB listener depends on validated certificate
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.main.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate_validation.main.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.main.arn
  }
}

Solution 3: Region Mismatch

# ALB cert must be in same region as ALB
# CloudFront cert must be in us-east-1

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_acm_certificate" "cloudfront_cert" {
  provider    = aws.us_east_1  # CloudFront requires us-east-1
  domain_name = "example.com"
  validation_method = "DNS"
}

Prevention Tips

Pin provider versions — avoid surprise breaking changes
Use CI/CD — catch errors before they hit production
Test with terraform plan — always review before applying
Keep Terraform updated — newer versions have better error messages
Use terraform validate — catches syntax errors early

Hands-On Courses

Learn to avoid these errors with interactive, project-based courses:

Terraform for Beginners on CopyPasteLearn
Terraform By Example — practical code examples
Terraform Cheat Sheet — quick reference for all commands

Conclusion

This error is common and fixable. Follow the solutions above, and check our Terraform course for hands-on training that covers real-world troubleshooting scenarios.