Following on from my earlier post I’ve improved two of the steps that I trampled over yesterday.

Install User Policy

I created an IAM user just to upload server certificates to AWS, and added the following Inline Policy to that user’s permissions:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": "iam:UploadServerCertificate",
            "Resource": "*"

Upload Server Certificate

Using the AWS CLI I uploaded the certificate with the following command:

sudo aws iam upload-server-certificate \
  --server-certificate-name <LABEL> \
  --certificate-body file:///etc/letsencrypt/live/<DOMAIN>/cert.pem \
  --private-key file:///etc/letsencrypt/live/<DOMAIN>/privkey.pem \
  --certificate-chain file:///etc/letsencrypt/live/<DOMAIN>/chain.pem \
  --path /cloudfront/

where LABEL is an identifying string that will appear in the CloudFront UI, and DOMAIN is the domain the certificate was generated for.