This plugin creates a certificate in the region of the CloudFormation stack. Our region is eu-central-1, which means this is where it gets created.

The problem is that AWS requires certificates for the CloudFront always to be located in us-east-1, and in this situation the stack will fail with error:

Resource handler returned message: "Invalid request provided: Certificate must be in us-east-1. (Service: AppSync, Status Code: 400)

Understandably this plugin can't access regions other than the one in which the CloudFormation stack is. As a result, I don't think that the custom domain certificate generation feature could work in any other region than us-east-1.

We've resolved this by generating a certificate manually and referencing it using domain.certificateArn configuration.

It would probably make sense to make that clear in the documentation.