Adding a default certificate to AWS network load balancer error: certificate not found

Hi, I’m trying to create an AWS network load balancer that attaches to some certificates in ACM. When running terraform I’m getting this error when setting up the default certificate:

module.swarm_cluster.module.network_lb.aws_lb_listener.listener-https-certs[0]: Still creating... [5m0s elapsed]
Error: Error creating LB Listener: CertificateNotFound: Certificate 'arn:aws:acm:us-east-2:828535259631:certificate/7632c411-02b1-4ac3-ad3c-c3de09b5b212' not found
        status code: 400, request id: 7a48106e-beff-4c62-a441-a31154470e6d

But the certificate does exist, I can get it using the AWS ACM CLI:

$ aws acm get-certificate --region us-east-2 --profile work --certificate-arn arn:aws:acm:us-east-2:828535259631:certificate/7632c411-02b1-4ac3-ad3c-c3de09b5b212
{
    "Certificate": "-----BEGIN CERTIFICATE-----
...

This is the load balancer listener code:

resource "aws_lb_listener" "listener-https-certs" {
  count             = var.attach_certificates ? 1 : 0
  load_balancer_arn = aws_lb.load_balancer.arn
  port              = 443
  protocol          = "TLS"
  certificate_arn   = "arn:aws:acm:us-east-2:828535259631:certificate/7632c411-02b1-4ac3-ad3c-c3de09b5b212"

  default_action {
    target_group_arn = aws_lb_target_group.tg-https.arn
    type             = "forward"
  }
}

The terraform apply output for that resource:

# module.swarm_cluster.module.network_lb.aws_lb_listener.listener-https-certs[0] will be created
  + resource "aws_lb_listener" "listener-https-certs" {
      + arn               = (known after apply)
      + certificate_arn   = "arn:aws:acm:us-east-2:828535259631:certificate/7632c411-02b1-4ac3-ad3c-c3de09b5b212"
      + id                = (known after apply)
      + load_balancer_arn = "arn:aws:elasticloadbalancing:us-east-2:828535259631:loadbalancer/net/nlb-prod/be5676851ad42121"
      + port              = 443
      + protocol          = "TLS"
      + ssl_policy        = (known after apply)

      + default_action {
          + order            = (known after apply)
          + target_group_arn = "arn:aws:elasticloadbalancing:us-east-2:828535259631:targetgroup/prod-nlb-tg-443/ba6e028afd6683a7"
          + type             = "forward"
        }
    }

The curious thing is that this code was tested and working some weeks ago; the only thing different is that new certs were imported into ACM.

What could be making terraform think the certificate does not exist?

Full balancer code here: https://pastebin.com/aNh5F8sh

Someone on the gitter channel suggested checking that the certificates were in the same region as the one I’m using in terraform, but they are: I can see both the instances I’m deploying via terraform and the certificates in ACM without changing regions (I made sure of that).

So there is something more I’m not catching, any clues? Is my code OK?

Is the new certificate fully validated?

I think I found the issue. As I remembered this had worked some weeks ago, I went ahead and tested with an old certificate that was used at the time, and terraform associated it as the default certificate without issues. So, comparing that certificate with the new ones, I found that the old certificate has an RSA 2048-bit key and the new certificates are 4096 bits long. And it turns out network load balancers only support up to 2048 bits.
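A pre-apply check that covers both hypotheses raised in this thread (certificate region vs. the listener's region, and RSA key size) by inspecting the output of `aws acm describe-certificate`. This is an added example, not code from the thread or from Terraform/AWS; the 2048-bit RSA limit is taken from the finding above, and the sample certificate description is constructed.

```python
import json
import re
import subprocess

# Limit as reported in this thread (RSA keys above this are rejected by NLB TLS listeners).
MAX_RSA_BITS = 2048


def parse_key_algorithm(key_algorithm):
    """Split an ACM KeyAlgorithm string such as 'RSA_4096' or 'EC_prime256v1'
    into (family, bits). bits is None for non-RSA algorithms."""
    m = re.fullmatch(r"RSA_(\d+)", key_algorithm)
    if m:
        return "RSA", int(m.group(1))
    return key_algorithm.split("_", 1)[0], None


def arn_region(arn):
    """Region field of an ARN: arn:partition:service:region:account:resource."""
    return arn.split(":")[3]


def nlb_problems(cert, listener_region):
    """Return reasons the 'Certificate' object from describe-certificate
    cannot be attached to an NLB TLS listener in listener_region."""
    problems = []
    if arn_region(cert["CertificateArn"]) != listener_region:
        problems.append(f"certificate is in {arn_region(cert['CertificateArn'])}, listener is in {listener_region}")
    family, bits = parse_key_algorithm(cert.get("KeyAlgorithm", ""))
    if family == "RSA" and bits is not None and bits > MAX_RSA_BITS:
        problems.append(f"RSA key is {bits} bits, NLB supports at most {MAX_RSA_BITS}")
    if cert.get("Status") != "ISSUED":
        problems.append(f"status is {cert.get('Status')!r}, not ISSUED")
    return problems


def describe_certificate(arn, profile=None):
    """Fetch the certificate description via the AWS CLI (requires credentials)."""
    cmd = ["aws", "acm", "describe-certificate", "--region", arn_region(arn), "--certificate-arn", arn, "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    return json.loads(subprocess.check_output(cmd))["Certificate"]


# Constructed sample mirroring the shape of describe-certificate output (not a real certificate).
SAMPLE_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-2:123456789012:certificate/EXAMPLE-ID",
    "DomainName": "example.com",
    "Status": "ISSUED",
    "KeyAlgorithm": "RSA_4096",
}

if __name__ == "__main__":
    for p in nlb_problems(SAMPLE_CERT, "us-east-2"):
        print("PROBLEM:", p)
```

Run the check over each certificate ARN in your tfvars before terraform apply, using describe_certificate(arn, profile) in place of the constructed sample.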