AWS: ACM was unable to renew the certificate automatically because of the following error: PCA_ACCESS_DENIED

I received a certificate-expiry warning message from AWS. It contains this phrase:

ACM was unable to renew the certificate automatically because of the following error: PCA_ACCESS_DENIED. 

What does this mean, and how do I fix it?

Check the private certificate authority and choose Actions | Configure CA Permissions. Make sure the check box that authorizes ACM to renew certificates requested by this account is selected.

Using the AWS CLI (CloudShell), run a command like the following:

aws acm-pca list-permissions --certificate-authority-arn "arn:aws:acm-pca:us-east-2:ACCOUNTNUMBER:certificate-authority/xxxxxxxx-b0e1-446e-a2ec-6f6c466e4684"

If you get back:

{
    "Permissions": []
}

it means the CA is not authorized to renew certificates.

Your permissions should look something like this:

{
    "Permissions": [
        {
            "CertificateAuthorityArn": "arn:aws:acm-pca:us-east-2:ACCOUNTNUMBER:certificate-authority/xxxxxxx-b0e1-446e-a2ec-6f6c466e4684",
            "CreatedAt": "2022-07-15T16:21:51.890000+00:00",
            "Principal": "acm.amazonaws.com",
            "SourceAccount": "ACCOUNTNUMBER",
            "Actions": [
                "GetCertificate",
                "IssueCertificate",
                "ListPermissions"
            ],
            "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"1\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"acm.amazonaws.com\"},\"Action\":[\"acm-pca:GetCertificate\",\"acm-pca:IssueCertificate\",\"acm-pca:ListPermissions\"],\"Resource\":\"arn:aws:acm-pca:us-east-2:ACCOUNTNUMBER:certificate-authority/xxxxxxx-b0e1-446e-a2ec-6f6c466e4684\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"ACCOUNTNUMBER\"}}}]}"
        }
    ]
}
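As an added check that is not part of the original answer: a small Python script that parses the `list-permissions` output, reports which of the three actions the ACM service principal still lacks on the CA, and builds the `aws acm-pca create-permission` command that grants them (the CLI equivalent of the console's Configure CA Permissions dialog). The CA ARN and account id are the placeholders from the answer, and the sample outputs are constructed.

```python
import json
import shlex

# The three actions ACM needs on a private CA to renew certificates it
# issued from it (the same three shown in the list-permissions output above).
REQUIRED_ACTIONS = {"GetCertificate", "IssueCertificate", "ListPermissions"}
ACM_PRINCIPAL = "acm.amazonaws.com"

# Placeholder CA ARN copied from the answer; substitute your own.
CA_ARN = ("arn:aws:acm-pca:us-east-2:ACCOUNTNUMBER:"
          "certificate-authority/xxxxxxxx-b0e1-446e-a2ec-6f6c466e4684")

# Constructed sample outputs of `aws acm-pca list-permissions`.
EMPTY_OUTPUT = '{"Permissions": []}'
AUTHORIZED_OUTPUT = json.dumps({"Permissions": [{
    "CertificateAuthorityArn": CA_ARN,
    "Principal": ACM_PRINCIPAL,
    "SourceAccount": "ACCOUNTNUMBER",
    "Actions": sorted(REQUIRED_ACTIONS),
}]})


def missing_acm_actions(list_permissions_output: str) -> set:
    """Parse list-permissions JSON and return the actions ACM still lacks.
    An empty set means the CA authorizes ACM to renew certificates."""
    data = json.loads(list_permissions_output)
    granted = set()
    for perm in data.get("Permissions", []):
        # Only grants to the ACM service principal count toward renewal.
        if perm.get("Principal") == ACM_PRINCIPAL:
            granted.update(perm.get("Actions", []))
    return REQUIRED_ACTIONS - granted


def create_permission_command(ca_arn: str, account_id: str) -> str:
    """Build the CLI command that grants ACM the required actions."""
    return " ".join([
        "aws acm-pca create-permission",
        "--certificate-authority-arn", shlex.quote(ca_arn),
        "--principal", ACM_PRINCIPAL,
        "--source-account", account_id,
        "--actions", *sorted(REQUIRED_ACTIONS),
    ])


if __name__ == "__main__":
    for label, output in (("empty", EMPTY_OUTPUT), ("authorized", AUTHORIZED_OUTPUT)):
        missing = missing_acm_actions(output)
        print(f"{label}: missing {sorted(missing) or 'nothing'}")
        if missing:
            print("fix with:", create_permission_command(CA_ARN, "ACCOUNTNUMBER"))
```

Paste the real output of `list-permissions` into `missing_acm_actions` to check a live CA; a grant to a principal other than acm.amazonaws.com does not count.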
