Create the Certificate

Rather than having to stop the web server, I create the certificate manually:

./letsencrypt-auto certonly -a manual --rsa-key-size 2048 \
    -d -d

I read somewhere that keys greater than 2048 bits were not supported on CloudFront. I’ll investigate this when renewal is required.

During this process you will be asked to pass a challenge for each domain: the client gives you a token and some content, and you must serve that content at a well-known URL under the domain so the Let’s Encrypt servers can fetch it.

Make sure your web server displays the following content at <RESOURCE NAME> before continuing:


This challenge has to be passed for each domain you pass to the command. In my case once for and another time for
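The challenge step above, as an added example that is not part of the original post: the client asks for its content to be served at http://<domain>/.well-known/acme-challenge/<token> (the HTTP-01 challenge path; the prompt placeholder above stands in for it), so on a web server that is already running it is enough to write the content into that path under the docroot. WEBROOT, TOKEN and KEYAUTH below are placeholders; the real token and content come from the letsencrypt-auto prompt.

```shell
#!/bin/sh
# Added example, not code from the original post: serve an HTTP-01 challenge
# from an already-running web server by writing the expected content into the
# docroot, then check that the file reads back exactly.
# WEBROOT, TOKEN and KEYAUTH are placeholders supplied by the caller.
set -eu

# Path (under the docroot) that the CA fetches:
#   http://<domain>/.well-known/acme-challenge/<token>
challenge_path() {
  printf '%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Write KEYAUTH to the challenge path under WEBROOT with no trailing newline,
# so the HTTP response body is exactly the string the client asked for.
place_challenge() {
  webroot=$1; token=$2; keyauth=$3
  target=$(challenge_path "$webroot" "$token")
  mkdir -p "$(dirname "$target")"
  printf '%s' "$keyauth" > "$target"
  chmod 644 "$target"          # the web server user must be able to read it
  printf '%s\n' "$target"
}

# Read the file back and compare byte-for-byte with what was expected;
# returns non-zero if the content differs (for example a stray newline).
verify_challenge() {
  webroot=$1; token=$2; expected=$3
  target=$(challenge_path "$webroot" "$token")
  [ -f "$target" ] || return 1
  actual=$(cat "$target"; printf x)   # keep a trailing newline visible
  [ "${actual%x}" = "$expected" ]
}

# Remove the file once the challenge has been validated.
cleanup_challenge() {
  rm -f "$(challenge_path "$1" "$2")"
}
```

Run place_challenge once per domain with the token and content the client prints, verify_challenge to confirm the file is exactly right before pressing Enter, and cleanup_challenge afterwards; the content is deliberately written with printf '%s' rather than echo so no newline is appended.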

Since doing this I’ve noticed the --webroot option can do this automatically. Next time around I’ll try that out.

Upload the Certificate to AWS

I created a new user in IAM and gave it full IAM access, e.g.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}

I’ll revisit this and narrow the scope of the allowed actions. Originally I set the Action to iam:UploadServerCertificate but I got a permission denied error, so I went full hog for the purposes of tonight’s experiment. See updated policy.

Then I copied the certificates I needed to a temporary directory and uploaded the certificate to AWS:

aws iam upload-server-certificate \
  --server-certificate-name \
  --certificate-body file://~/tmp/cert.pem \
  --private-key file://~/tmp/privkey.pem \
  --certificate-chain file://~/tmp/chain.pem \
  --path /cloudfront/

I tried copying from /etc/ but I was getting errors informing me that the certificate was not in PEM format. I assumed it was to do with the symlinks from the live directory to the archive directory. After consulting the help for upload-server-certificate I discovered I had to use the file:// scheme.

I didn’t go back and try with the files in /etc/letsencrypt/, another thing to try next time out. See updated command.
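The staging step above, as an added example that is not part of the original post: copy cert.pem, privkey.pem and chain.pem out of the live directory with the symlinks dereferenced (cp -L), confirm each file is PEM-framed before uploading, and print the upload command with absolute file:// URIs. It goes slightly beyond the post by also checking, when openssl is installed, that the private key matches the certificate and reporting the key size. The live directory path and the certificate name are placeholders passed in by the caller.

```shell
#!/bin/sh
# Added example, not code from the original post: stage the three Let's
# Encrypt files into a directory of regular files, sanity-check them, and
# print the aws iam upload-server-certificate command with file:// URIs.
# LIVE_DIR, DEST and NAME are placeholders supplied by the caller; DEST must
# be an absolute path so the file:// URIs are valid.
set -eu

# True if FILE contains a PEM block whose label ends with LABEL, so
# "PRIVATE KEY" matches both PKCS#8 and "RSA PRIVATE KEY" framing.
pem_has_block() {
  file=$1; label=$2
  grep -q -- "-----BEGIN .*${label}-----" "$file" &&
    grep -q -- "-----END .*${label}-----" "$file"
}

# Number of certificates in a PEM bundle (chain.pem has one or more).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Copy LIVE_DIR/{cert,privkey,chain}.pem into DEST with symlinks followed
# (cp -L), so the staged copies are plain files, then validate the framing.
stage_cert_files() {
  live=$1; dest=$2
  mkdir -p "$dest"
  for f in cert.pem privkey.pem chain.pem; do
    cp -L "$live/$f" "$dest/$f"
    chmod 600 "$dest/$f"
  done
  pem_has_block "$dest/cert.pem" "CERTIFICATE" ||
    { echo "cert.pem is not a PEM certificate" >&2; return 1; }
  pem_has_block "$dest/privkey.pem" "PRIVATE KEY" ||
    { echo "privkey.pem is not a PEM private key" >&2; return 1; }
  [ "$(pem_cert_count "$dest/chain.pem")" -ge 1 ] ||
    { echo "chain.pem contains no certificate" >&2; return 1; }
}

# Optional openssl checks on the staged files: the key must belong to the
# certificate (same RSA modulus), and the key size is reported so it can be
# compared with whatever limit CloudFront imposes.
key_matches_cert() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  c=$(openssl x509 -noout -modulus -in "$1/cert.pem")
  k=$(openssl rsa -noout -modulus -in "$1/privkey.pem")
  [ "$c" = "$k" ]
}
key_bits() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  openssl rsa -noout -text -in "$1/privkey.pem" |
    sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Print the upload command; DEST must be absolute for file:// to resolve.
upload_command() {
  name=$1; dest=$2
  printf 'aws iam upload-server-certificate \\\n'
  printf '  --server-certificate-name %s \\\n' "$name"
  printf '  --certificate-body file://%s/cert.pem \\\n' "$dest"
  printf '  --private-key file://%s/privkey.pem \\\n' "$dest"
  printf '  --certificate-chain file://%s/chain.pem \\\n' "$dest"
  printf '  --path /cloudfront/\n'
}
```

Typical use is stage_cert_files /etc/letsencrypt/live/<domain> "$HOME/tmp/cert", then key_matches_cert "$HOME/tmp/cert" and key_bits "$HOME/tmp/cert", and finally running the line upload_command prints. The staged copies are chmod 600 because privkey.pem is the private key, and they should be deleted once the upload succeeds.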

Configure CloudFront

I then opened the distribution in the AWS Management Console, and pressed the ‘Edit’ button. Then I selected the ‘Custom SSL Certificate’ radio button, and selected

And that’s that. Plenty of room to improve this, and to automate the process so the renewals are seamless.