Create the Certificate

Rather than having to stop the web server, I created the certificate manually:

./letsencrypt-auto certonly -a manual --rsa-key-size 2048 \
    -d files.keyes.ie -d s.files.keyes.ie

I read somewhere that keys greater than 2048 were not supported on CloudFront. I’ll investigate this when renewal is required.

During this process you will be asked to pass an HTTP challenge: for each domain, the client prints a resource name and the content it expects, and you must serve exactly that content at a well-known URL on the domain before continuing.

Make sure your web server displays the following content at
http://files.keyes.ie/.well-known/acme-challenge/<RESOURCE NAME> \
before continuing:

<RESOURCE CONTENT>
...

This challenge has to be passed once for each domain you pass to the command. In my case that meant once for files.keyes.ie and again for s.files.keyes.ie.

Since doing this I’ve noticed the --webroot option can do this automatically. Next time around I’ll try that out.
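The challenge content the client prints is not arbitrary: in ACME's HTTP-01 challenge it is the token joined with a "." to the base64url SHA-256 thumbprint of your ACME account key, and it must come back verbatim from http://<domain>/.well-known/acme-challenge/<token>. The following is an added example, not code from the original post or from the Let's Encrypt client: it derives that key authorization, writes it where the --webroot plugin would, and fetches it back over a loopback HTTP server as the pre-flight check you want before pressing Enter on the prompt. The account JWK, the two tokens and the domain-to-token mapping are constructed placeholders, not real key material.

```python
import base64
import hashlib
import http.server
import json
import os
import tempfile
import threading
import urllib.request
from functools import partial


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body the web server must return is
    <token>.<thumbprint of the ACME account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def write_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Place the key authorization where the --webroot plugin would put it."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the check's output clean
        pass


def check_over_http(webroot: str, token: str, expected: str) -> bool:
    """Serve the webroot on a loopback port and fetch the challenge URL, the
    same request the CA will make, and compare the body byte for byte."""
    handler = partial(QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        url = f"http://127.0.0.1:{port}/.well-known/acme-challenge/{token}"
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode("ascii")
        return body == expected
    finally:
        server.shutdown()
        server.server_close()


# Constructed inputs: a dummy account JWK (not a real modulus) and one token
# per domain, standing in for the <RESOURCE NAME> values the client prints.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
TOKENS = {
    "files.keyes.ie": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
    "s.files.keyes.ie": "DGyRejmCefe7v4NfDGDKfA",
}


def stage_all(webroot: str) -> dict:
    """Write and verify every domain's challenge; returns {domain: ok}."""
    results = {}
    for domain, token in TOKENS.items():
        write_challenge(webroot, token, ACCOUNT_JWK)
        expected = key_authorization(token, ACCOUNT_JWK)
        results[domain] = check_over_http(webroot, token, expected)
    return results


def demo() -> dict:
    """Run the whole staging flow against a throwaway webroot."""
    with tempfile.TemporaryDirectory() as root:
        return stage_all(root)


if __name__ == "__main__":
    print(demo())
```

In production the fetch would go to the real hostname rather than 127.0.0.1, and it is worth running it from outside your network, since the CA's validator will not see a hosts-file override or an internal DNS view.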

Upload the Certificate to AWS

I created a new user in IAM and gave it full IAM access, e.g.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}

I’ll revisit this and narrow the scope of the allowed actions. Originally I set the Action to iam:UploadServerCertificate but I got a permission denied error, so I went full hog for the purposes of tonight’s experiment. See updated policy.

Then I copied the certificates I needed to a temporary directory and uploaded the certificate to AWS:

aws iam upload-server-certificate \
  --server-certificate-name files.keyes.ie \
  --certificate-body file://~/tmp/cert.pem \
  --private-key file://~/tmp/privkey.pem \
  --certificate-chain file://~/tmp/chain.pem \
  --path /cloudfront/

I tried copying from /etc/ but I was getting errors informing me that the certificate was not in PEM format. I assumed it was to do with the symlinks from the live directory to the archive directory. After consulting the help for the upload-server-certificate I discovered I had to use the file scheme.

I didn’t go back and try with the files in /etc/letsencrypt/, another thing to try next time out. See updated command.
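Two things from the upload step deserve a check before the command is run: that the three files really are what upload-server-certificate expects (one PEM certificate as the body, one PEM private key, and intermediates only in the chain), and that the IAM user doing the upload has a policy narrower than iam:*. The following is an added example written for this post, not the author's updated policy or command: it resolves symlinks the way the live/ directory needs, validates each PEM block decodes to DER, flags a chain that repeats the leaf (certbot's fullchain.pem is cert.pem followed by chain.pem, so passing it as --certificate-chain does exactly that), and emits a policy scoped to server certificates under the /cloudfront/ path. The PEM files and the account ID 123456789012 are constructed placeholders, not real certificates or keys.

```python
import base64
import json
import os
import re
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----",
                       re.DOTALL)


def pem_blocks(path: str) -> list:
    """Return [(label, der_bytes)] for every PEM block in the file. realpath
    follows /etc/letsencrypt/live/... symlinks through to archive/."""
    with open(os.path.realpath(path), "r", encoding="ascii") as fh:
        text = fh.read()
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # X.509 certs and keys start with a DER SEQUENCE
            raise ValueError(f"{path}: {label} block is not valid DER")
        blocks.append((label, der))
    if not blocks:
        raise ValueError(f"{path}: no PEM blocks found (not in PEM format)")
    return blocks


def check_bundle(cert_body: str, private_key: str, chain: str) -> dict:
    """Pre-flight the three inputs of `aws iam upload-server-certificate`."""
    problems = []
    try:
        body = pem_blocks(cert_body)
        key = pem_blocks(private_key)
        chain_blocks = pem_blocks(chain)
    except ValueError as exc:
        return {"ok": False, "problems": [str(exc)], "chain_length": 0}
    if [label for label, _ in body] != ["CERTIFICATE"]:
        problems.append("--certificate-body must hold exactly one CERTIFICATE")
    if len(key) != 1 or not key[0][0].endswith("PRIVATE KEY"):
        problems.append("--private-key must hold exactly one PRIVATE KEY block")
    if any(label != "CERTIFICATE" for label, _ in chain_blocks):
        problems.append("--certificate-chain may only contain CERTIFICATE blocks")
    if body and body[0] in chain_blocks:
        problems.append("chain repeats the leaf: pass chain.pem, not fullchain.pem")
    return {"ok": not problems, "problems": problems, "chain_length": len(chain_blocks)}


def upload_policy(account_id: str, path: str = "/cloudfront/") -> dict:
    """Least-privilege replacement for iam:*. Upload/Get take a resource ARN of
    the form arn:aws:iam::<account>:server-certificate/<path><name>, so they
    are scoped to the path; List has no resource scope and needs "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["iam:UploadServerCertificate", "iam:GetServerCertificate"],
             "Resource": f"arn:aws:iam::{account_id}:server-certificate{path}*"},
            {"Effect": "Allow", "Action": "iam:ListServerCertificates", "Resource": "*"},
        ],
    }


def fake_pem(label: str, der: bytes) -> str:
    """Constructed PEM wrapper around a minimal DER SEQUENCE (not a real cert)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


LEAF = fake_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")          # SEQUENCE { INTEGER 1 }
INTERMEDIATE = fake_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
KEY = fake_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x03")


def demo(chain_has_leaf: bool = False, corrupt: bool = False) -> dict:
    """Lay out cert.pem/privkey.pem/chain.pem in a temp dir, reached through a
    symlink like live/ -> archive/, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"cert.pem": "garbage, not PEM\n" if corrupt else LEAF,
                 "privkey.pem": KEY,
                 "chain.pem": (LEAF if chain_has_leaf else "") + INTERMEDIATE}
        paths = {}
        for name, text in files.items():
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "w", encoding="ascii") as fh:
                fh.write(text)
        link = os.path.join(tmp, "live-cert.pem")
        os.symlink(paths["cert.pem"], link)
        return check_bundle(link, paths["privkey.pem"], paths["chain.pem"])


if __name__ == "__main__":
    print(demo())
    print(demo(chain_has_leaf=True)["problems"])
    print(json.dumps(upload_policy("123456789012"), indent=2))
```

The policy is attached to the upload user only; the CloudFront console step that follows needs separate cloudfront permissions on whichever identity performs it.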

Configure CloudFront

I then opened the distribution in the AWS Management Console, and pressed the ‘Edit’ button. Then I selected the ‘Custom SSL Certificate’ radio button, and selected files.keyes.ie.

And that’s that. Plenty of room to improve this, and to automate the process so the renewals are seamless.