AWS ACM limits the number of certificates you can request per year. This error occurs when you exceed your account's certificate quota or domain limit. Resolve it by requesting a quota increase or reusing existing certificates.
AWS Certificate Manager (ACM) enforces quota limits to prevent abuse and manage resource allocation. When you hit a `LimitExceededException`, your AWS account has reached one of two types of limits:

1. **Certificate count limit**: By default, you can request 2,500 certificates per account. You can request up to 5,000 certificates in any 365-day period (twice your account quota).
2. **Domains per certificate limit**: Each ACM certificate can have a default maximum of 10 domain names (Subject Alternative Names). This can be increased up to 100 with a quota increase request.

When Terraform attempts to create an ACM certificate and hits either limit, AWS returns a `LimitExceededException` and creation of the `aws_acm_certificate` resource fails.
Log into your AWS Console and navigate to AWS Certificate Manager. Count how many certificates you currently have, or use the AWS CLI:

```bash
aws acm list-certificates --region us-east-1
```

This lists all certificates in the specified region. ACM quotas are per-region per-account, so check every region you use.
Check whether Terraform is trying to create duplicate certificates:

```bash
terraform state list | grep aws_acm_certificate
```

If the certificate already exists in state but you are still getting the error, refresh the state:

```bash
terraform refresh
```

This updates your state file to match the actual AWS resources. If the certificate exists in AWS but not in your Terraform state, import it:

```bash
terraform import aws_acm_certificate.example <certificate-arn>
```

Get the certificate ARN from the AWS Console under Certificate Manager.
If your error message says "Certificate has too many domains", you are hitting the per-certificate domain limit. Split your domains across multiple certificates.

Instead of:

```hcl
resource "aws_acm_certificate" "main" {
  domain_name = "example.com"
  subject_alternative_names = [
    "api.example.com",
    "app.example.com",
    "cdn.example.com",
    # ... many more domains
  ]
  validation_method = "DNS"
}
```

Use wildcards or split into multiple certificates:
```hcl
resource "aws_acm_certificate" "main" {
  domain_name               = "example.com"
  subject_alternative_names = ["*.example.com"]
  validation_method         = "DNS"
}

resource "aws_acm_certificate" "secondary" {
  domain_name               = "another.com"
  subject_alternative_names = ["*.another.com"]
  validation_method         = "DNS"
}
```

If you legitimately need more certificates or domains, request a quota increase:
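The splitting step above is easy to get wrong by hand once the domain list grows, so here is an added example (not code from the original article) that plans the split programmatically. It collapses one-level subdomains into a wildcard entry as the article suggests, keeps deeper names such as `a.b.example.com` explicit because `*.example.com` matches only a single label, and chunks whatever remains so that no certificate exceeds the per-certificate domain limit (10 names by default, counting the primary `domain_name`). The `base_domain` helper and the `render_hcl` resource names (`cert_0`, `cert_1`, ...) are assumptions made for the example.

```python
"""Split a list of domain names into ACM certificates that stay within the
per-certificate domain limit.

Added example; it is not code from the original article. Single-level
subdomains of a base domain are collapsed into one wildcard entry. A wildcard
matches exactly one label, so a deeper name such as a.b.example.com is NOT
covered by *.example.com and is kept as an explicit entry. Each resulting
certificate carries at most `san_limit` names in total (the primary
domain_name plus its subject_alternative_names).
"""

DEFAULT_SAN_LIMIT = 10  # ACM default: domain names per certificate


def base_domain(name):
    """Naive registrable domain: the last two labels. This is an assumption
    made for the example; real code should consult the Public Suffix List so
    that names like example.co.uk are grouped correctly."""
    return ".".join(name.split(".")[-2:])


def collapse_wildcards(domains):
    """Group names by base domain, replacing one-level subdomains with *.base."""
    groups = {}
    for name in sorted(set(domains)):
        base = base_domain(name)
        entries = groups.setdefault(base, set())
        above_base = name[: -len(base)].rstrip(".")  # "" for the apex itself
        if above_base == "":
            entries.add(base)
        elif "." not in above_base:
            entries.add(f"*.{base}")  # one level deep: the wildcard covers it
        else:
            entries.add(name)  # deeper: must be listed explicitly
    return groups


def plan_certificates(domains, san_limit=DEFAULT_SAN_LIMIT):
    """Return one dict per certificate:
    {"domain_name": ..., "subject_alternative_names": [...]}.
    The apex and wildcard are placed first so they land on the first chunk."""
    plan = []
    for base, entries in collapse_wildcards(domains).items():
        names = [n for n in (base, f"*.{base}") if n in entries]
        names += sorted(entries - set(names))
        for i in range(0, len(names), san_limit):
            chunk = names[i:i + san_limit]
            plan.append({"domain_name": chunk[0],
                         "subject_alternative_names": chunk[1:]})
    return plan


def render_hcl(plan):
    """Render the plan as aws_acm_certificate resources using DNS validation.
    Resource names cert_0, cert_1, ... are a convention chosen for the example."""
    blocks = []
    for idx, cert in enumerate(plan):
        sans = ", ".join(f'"{s}"' for s in cert["subject_alternative_names"])
        blocks.append(
            f'resource "aws_acm_certificate" "cert_{idx}" {{\n'
            f'  domain_name               = "{cert["domain_name"]}"\n'
            f'  subject_alternative_names = [{sans}]\n'
            f'  validation_method         = "DNS"\n'
            f'}}'
        )
    return "\n\n".join(blocks)


if __name__ == "__main__":
    # Constructed sample input mirroring the article's scenario.
    sample = ["example.com", "api.example.com", "app.example.com",
              "cdn.example.com", "a.b.example.com", "another.com",
              "www.another.com"]
    print(render_hcl(plan_certificates(sample)))
```

Running the script prints two resources: one for `example.com` with `*.example.com` and the explicit `a.b.example.com`, and one for `another.com` with `*.another.com`. Feed it a longer list and it emits as many certificates as the 10-name limit requires, which is also a quick way to see how many certificates a domain inventory will consume against the account quota.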
1. Go to AWS Service Quotas console: https://console.aws.amazon.com/servicequotas
2. Search for "Certificate Manager"
3. Find the quota you need to increase:
- "Number of certificates per account" (currently 2,500)
- "Domain names per ACM certificate" (currently 10, max 100)
4. Click on the quota, then "Request quota increase"
5. Enter your desired value
6. Submit the request
AWS typically approves quota increases within minutes to hours. You'll receive an email confirmation.
If you don't need an increase, free up quota by deleting unused certificates:

```bash
# List certificates in the AWS Console or via the CLI
aws acm list-certificates --region us-east-1
# Delete a specific certificate (via the Console, or with the CLI as below)
# Note: you cannot delete a certificate that is in use by other AWS services
aws acm delete-certificate --certificate-arn <certificate-arn>
```

Certificates deleted within the past 365 days still count against your yearly quota. If you are concerned about quota, requesting an increase is faster than waiting for the 365-day window to pass.
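The checks in the steps above (counting certificates, spotting duplicates, and finding deletion candidates) can be combined into one audit of the `aws acm list-certificates` output. The following is an added example, not code from the original article: it parses the command's JSON and reports headroom against the certificate quota, certificates already at the per-certificate domain limit, domain names issued more than once (the symptom of Terraform losing its state and re-creating a certificate), and certificates not in use by any AWS service, which are the ones you can actually delete. The sample input is constructed with placeholder ARNs, and the script name `audit_acm.py` in the usage comment is hypothetical.

```python
"""Audit an ACM certificate inventory against the quota and domain limits.

Added example; not code from the original article. It parses the JSON that
`aws acm list-certificates` prints (CertificateSummaryList entries with
CertificateArn, DomainName, SubjectAlternativeNameSummaries, Status and
InUse). Note that the summary field may not list every name on a large
certificate; `aws acm describe-certificate` returns the full set.
"""
import json
import sys
from collections import Counter

DEFAULT_CERT_QUOTA = 2500  # ACM default: certificates per account
DEFAULT_SAN_LIMIT = 10     # ACM default: domain names per certificate

# Constructed sample shaped like `aws acm list-certificates --output json`;
# the ARNs are placeholders, not real resources.
SAMPLE_LIST_OUTPUT = json.dumps({"CertificateSummaryList": [
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/placeholder-0001",
     "DomainName": "example.com",
     "SubjectAlternativeNameSummaries": ["example.com", "*.example.com"],
     "Status": "ISSUED", "InUse": True},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/placeholder-0002",
     "DomainName": "example.com",  # same domain again: likely re-created by Terraform
     "SubjectAlternativeNameSummaries": ["example.com", "*.example.com"],
     "Status": "ISSUED", "InUse": False},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/placeholder-0003",
     "DomainName": "big.example.net",
     "SubjectAlternativeNameSummaries": ["big.example.net"]
                                        + [f"s{i}.example.net" for i in range(9)],
     "Status": "PENDING_VALIDATION", "InUse": False},
]})


def audit_certificates(list_output, cert_quota=DEFAULT_CERT_QUOTA,
                       san_limit=DEFAULT_SAN_LIMIT):
    """Build a report dict from list-certificates JSON text."""
    summaries = json.loads(list_output)["CertificateSummaryList"]
    by_domain = Counter(c["DomainName"] for c in summaries)
    return {
        # Certificates in this region versus the per-account quota.
        "count": len(summaries),
        "headroom": cert_quota - len(summaries),
        # Certificates that cannot take another SAN without a quota increase.
        "at_san_limit": [c["CertificateArn"] for c in summaries
                         if len(c.get("SubjectAlternativeNameSummaries", [])) >= san_limit],
        # A domain issued more than once usually means lost or local state.
        "duplicate_domains": sorted(d for d, n in by_domain.items() if n > 1),
        # Only certificates not in use by another service can be deleted.
        "deletable": [c["CertificateArn"] for c in summaries
                      if not c.get("InUse", False)],
    }


if __name__ == "__main__":
    # Pipe real output in (hypothetical file name):
    #   aws acm list-certificates --region us-east-1 | python audit_acm.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_OUTPUT
    print(json.dumps(audit_certificates(data), indent=2))
```

Because quotas are per region, run the command once per region you deploy to and compare the reports. A non-empty `duplicate_domains` list is the quickest confirmation that the cause is state drift rather than genuine growth, in which case importing the existing certificate (as shown earlier) is the fix, not a quota increase.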
Once your quota increase is approved, retry your Terraform deployment:

```bash
terraform plan
terraform apply
```

If you are using CI/CD, ensure your pipeline has current AWS credentials with the IAM permissions needed to create ACM certificates.
**Why Terraform may create duplicate certificates:** If your Terraform state file is stored locally or is not properly persisted in a remote backend, Terraform loses track of the certificates it created. Each time you run `terraform apply`, it assumes the certificate does not exist and tries to create a new one. Always use a remote state backend (S3 + DynamoDB, Terraform Cloud, etc.) for production.

**Multi-region considerations:** ACM quotas are per-region. A certificate created in us-east-1 does not count toward quotas in us-west-2. However, if you manage infrastructure across many regions, your global quota can still be exceeded.

**Certificate lifecycle:** Unlike some services, deleted ACM certificates still count toward your yearly quota for 365 days. This prevents abuse (repeatedly creating and deleting certificates). Plan your certificate strategy accordingly.

**Wildcard certificates:** Using wildcard domains (`*.example.com`) is a good way to cover many subdomains with a single entry and stay under the per-certificate domain limit.