-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can generate initial certificate, but silently fails to renew #72
Comments
Since my cert was about to expire, I went and deleted the cert and recreated it, and as usual, it worked fine on the initial create:
Notably, there are extra HTTPS connections to |
@wisq can you please try the new version? I just pushed a new version that supports the renew motions. |
Hm, getting closer. Just tried this with 0.4.1, and it does seem to upload the new certificate (judging from the timestamps). However, it does not seem to update the CloudFront distribution to use the new cert (like it does when I first install a cert). |
I also tried version 0.4.1 and the renewal does not work because from |
I also just discovered that my certs are being renewed but not deployed. So running |
I spent some time on this today as it was time to renew again. I'm sorry I haven't made time yet to actually work up a patch for the plugin, but here's a breakdown of what's still going on. The certificate gets renewed and uploaded to IAM, but the CloudFront distribution config doesn't get updated. The new certificate ID is known:
But the distribution continues to use the old certificate ID:
Here's what I've been doing to deploy the certificate (licensed to whomever under MIT No Attribution): # Copyright (c) Andrew Jorgensen. All rights reserved.
# SPDX-License-Identifier: MIT-0
# Requires jq and assumes AWS CLI --output json
DISTRIBUTION_ID="<YOUR DISTRIBUTION ID>"
DISTRIBUTION_CONFIG="$(
aws cloudfront get-distribution-config \
--id "${DISTRIBUTION_ID}" \
| jq -c .)"
# FRAGILE! Picks a certificate created today (UTC).
CERTIFICATE_ID="$(
aws iam list-server-certificates \
| jq -r ".ServerCertificateMetadataList[]
| select(.UploadDate | startswith(\"$(date --utc +%F)T\"))
| .ServerCertificateId")"
aws cloudfront update-distribution \
--id "${DISTRIBUTION_ID}" \
--if-match "$(jq -r '.ETag' <<<"${DISTRIBUTION_CONFIG}")" \
--distribution-config "$(
jq -c --arg certificate "${CERTIFICATE_ID}" \
'.DistributionConfig
| .ViewerCertificate.IAMCertificateId = $certificate
| .ViewerCertificate.Certificate = $certificate' \
<<<"${DISTRIBUTION_CONFIG}")" I hope that's helpful to someone. I'll eventually get around to adding support to deploy the renewed and uploaded certificate, but I won't be sad if someone else gets to it before me. |
This has happened a number of times now — as far as I'm aware, certbot-s3front has never successfully renewed my CloudFront certificate, even though it can deploy the initial cert just fine (e.g. if I delete the
renewals/xxx.conf
file and re-run the initialcertbot
command).If I force a renewal:
The cert on disk is updated, but the actual cert remains unchanged in AWS:
I'm using the sample AWS policy linked in the readme.
Anything I can do to diagnose this further?
The text was updated successfully, but these errors were encountered: