Question:
When I was adding the IamCertificateId property to my AWS::CloudFront::Distribution in CloudFormation, I got the following error:
Resource handler returned message: “Invalid request provided: The specified SSL certificate doesn’t exist, isn’t in us-east-1 region, isn’t valid, or doesn’t include a valid certificate chain.”
I did make sure that the certificate exists, by running the aws iam list-server-certificates command and making sure the value of the IamCertificateId property matches the ASCA-prefixed IAM ID of the certificate.
I am disregarding the us-east-1 region message since IAM is a global service and I’m not using an ACM certificate. Also, I’m operating in the China cn-north-1 region, in case that makes a difference.
I’m pretty sure the certificate is “valid”, because I’m assuming AWS wouldn’t have allowed me to upload the certificate with aws iam upload-server-certificate if it were malformed.
The error message, therefore, isn’t pointing me to the solution. What could I be missing?
Answer:
Your certificate may be valid, but perhaps not valid for CloudFront. What the error message didn’t point out, is something you can find tucked away in the docs for uploading a certificate:
Note:
If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the path parameter. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/ ).
Therefore, make sure that you add --path "/cloudfront/" in your aws iam upload-server-certificate command.
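A quick pre-deployment check for the path requirement described in the answer, added here as an example and not part of the original question or answer. It assumes the JSON shape of aws iam list-server-certificates output (ServerCertificateMetadataList with Path and ServerCertificateId fields); the certificate records below are constructed sample data, not real certificates.

```python
import json

# Constructed sample of `aws iam list-server-certificates` output (not real data):
# one certificate uploaded at the default path "/" and one at "/cloudfront/".
SAMPLE_OUTPUT = json.dumps({
    "ServerCertificateMetadataList": [
        {
            "Path": "/",
            "ServerCertificateName": "example-cert-root-path",
            "ServerCertificateId": "ASCAEXAMPLEROOT00001",
            "Arn": "arn:aws-cn:iam::123456789012:server-certificate/example-cert-root-path",
            "UploadDate": "2024-01-01T00:00:00Z",
            "Expiration": "2025-01-01T00:00:00Z",
        },
        {
            "Path": "/cloudfront/",
            "ServerCertificateName": "example-cert-cloudfront",
            "ServerCertificateId": "ASCAEXAMPLECF0000002",
            "Arn": "arn:aws-cn:iam::123456789012:server-certificate/cloudfront/example-cert-cloudfront",
            "UploadDate": "2024-01-01T00:00:00Z",
            "Expiration": "2025-01-01T00:00:00Z",
        },
    ]
})


def cloudfront_path_problems(list_output: str, cert_id: str) -> list[str]:
    """Return why CloudFront would reject the IAM certificate with this id.

    An empty list means the certificate exists and its IAM path satisfies the
    documented rule: it begins with /cloudfront and ends with a trailing slash.
    """
    if not cert_id.startswith("ASCA"):
        return [f"{cert_id!r} is not an IAM server certificate id (IamCertificateId expects the ASCA-prefixed id)"]
    certs = json.loads(list_output)["ServerCertificateMetadataList"]
    match = [c for c in certs if c["ServerCertificateId"] == cert_id]
    if not match:
        return [f"no IAM server certificate with id {cert_id}"]
    path = match[0]["Path"]
    problems = []
    if not path.startswith("/cloudfront"):
        problems.append(f"path {path!r} does not begin with /cloudfront; re-upload with --path /cloudfront/")
    if not path.endswith("/"):
        problems.append(f"path {path!r} lacks the required trailing slash")
    return problems


def upload_command(name: str, cert_file: str, key_file: str, chain_file: str) -> list[str]:
    """Build the corrected upload command (argv form), with the CloudFront path set."""
    return ["aws", "iam", "upload-server-certificate", "--server-certificate-name", name,
            "--certificate-body", f"file://{cert_file}", "--private-key", f"file://{key_file}",
            "--certificate-chain", f"file://{chain_file}", "--path", "/cloudfront/"]
```

Run the check against the real list-server-certificates output before putting the id into the CloudFormation template; a non-empty result explains the "isn’t valid" message without a redeploy.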