TerraformPilot

DevOps

Fix Terraform Error - Error Creating ALB Listener - CertificateNotFound

How to fix CertificateNotFound and SSL certificate errors when creating ALB/NLB listeners in Terraform. Validate ACM certificates and DNS.

LLuca Berton1 min read

The Error

# 
Error creating ALB Listener: CertificateNotFound: Certificate not found

What Causes This

#

The ACM certificate ARN referenced in the ALB listener doesn't exist, hasn't been validated yet, or is in a different region. ALB certificates must be in the same region as the load balancer (CloudFront requires us-east-1).

How to Fix It

#

Solution 1: Verify Certificate Exists and Is Validated

# 
# List certificates
aws acm list-certificates --region us-east-1
 
# Check certificate status
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/xxx \
  --query 'Certificate.[Status,DomainName]'
 
# Status must be ISSUED, not PENDING_VALIDATION

Solution 2: Create and Validate Certificate

# 
resource "aws_acm_certificate" "main" {
  domain_name               = "example.com"
  subject_alternative_names = ["*.example.com"]
  validation_method         = "DNS"
 
  lifecycle {
    create_before_destroy = true
  }
}
 
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.main.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }
 
  zone_id = aws_route53_zone.main.zone_id
  name    = each.value.name
  type    = each.value.type
  records = [each.value.record]
  ttl     = 60
}
 
resource "aws_acm_certificate_validation" "main" {
  certificate_arn         = aws_acm_certificate.main.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}
 
# ALB listener depends on validated certificate
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.main.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate_validation.main.certificate_arn
 
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.main.arn
  }
}

Solution 3: Region Mismatch

# 
# ALB cert must be in same region as ALB
# CloudFront cert must be in us-east-1
 
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}
 
resource "aws_acm_certificate" "cloudfront_cert" {
  provider    = aws.us_east_1  # CloudFront requires us-east-1
  domain_name = "example.com"
  validation_method = "DNS"
}

Prevention Tips

#
  1. Pin provider versions — avoid surprise breaking changes
  2. Use CI/CD — catch errors before they hit production
  3. Test with terraform plan — always review before applying
  4. Keep Terraform updated — newer versions have better error messages
  5. Use terraform validate — catches syntax errors early

Hands-On Courses

#

Learn to avoid these errors with interactive, project-based courses:

#

Conclusion

#

This error is common and fixable. Follow the solutions above, and check our Terraform course for hands-on training that covers real-world troubleshooting scenarios.

#Terraform#Troubleshooting#DevOps#Error Fix#Infrastructure as Code

Share this article

Related articles