
certbot-s3front's Introduction

S3/CloudFront plugin for Certbot client

Use the certbot client to generate and install a certificate to be used with an AWS CloudFront distribution of an S3 bucket.

Before you start

Follow a guide like this one https://docs.aws.amazon.com/gettingstarted/latest/swh/website-hosting-intro.html to use S3 and CloudFront for static site hosting.

Once you are done you should have:

  • A domain pointing to a CloudFront distribution that will use an S3 bucket for origin.
  • Both HTTP and HTTPS viewer traffic are enabled in the CloudFront distribution. The http-01 validation this plugin uses is fetched over plain HTTP on port 80, so an "HTTPS only" viewer policy blocks it; keep HTTP allowed at least while the certificate is being obtained.
  • An IAM policy with the permissions needed for this plugin. A sample policy has been provided.

Note: If you're setting up both an apex and a www. domain, they'll have a respective S3 bucket each. You'll need to update the IAM policy to include access to both buckets.

Setup

The easiest way to install both the certbot client and the certbot-s3front plugin is:

pip install certbot-s3front

Mac with Homebrew certbot?

If you installed certbot with Homebrew on a Mac (the officially recommended way), install the plugin into certbot's own virtualenv with:

$(brew --prefix certbot)/libexec/bin/pip install certbot-s3front

Note: You will need to re-install the plugin each time certbot is updated through Homebrew, because the upgrade replaces that virtualenv.

Mac with pip certbot?

Alternatively, set up Python locally (a virtual environment is recommended) and install both certbot and certbot-s3front with pip. You may also need to install dialog: brew install dialog.

Ubuntu?

If you are on Ubuntu, install pip and the build dependencies first (these are the Python 2 package names the plugin was written against; certbot itself runs under python2.7 in this setup):

apt-get install python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev dialog

And then run pip install certbot-s3front.

How to use it

To generate a certificate and install it in a CloudFront distribution:

AWS_ACCESS_KEY_ID="REPLACE_WITH_YOUR_KEY" \
AWS_SECRET_ACCESS_KEY="REPLACE_WITH_YOUR_SECRET" \
certbot --agree-tos -a certbot-s3front:auth \
--certbot-s3front:auth-s3-bucket REPLACE_WITH_YOUR_BUCKET_NAME \
--certbot-s3front:auth-s3-region REPLACE_WITH_YOUR_BUCKET_REGION \
--certbot-s3front:auth-s3-directory REPLACE_WITH_YOUR_BUCKET_DIRECTORY \
-i certbot-s3front:installer \
--certbot-s3front:installer-cf-distribution-id REPLACE_WITH_YOUR_CF_DISTRIBUTION_ID \
-d REPLACE_WITH_YOUR_DOMAIN

--certbot-s3front:auth-s3-region is optional and defaults to us-east-1; --certbot-s3front:auth-s3-directory is optional and defaults to "" (the bucket root). Delete either line to keep its default. Do not leave square brackets or a # comment in the command: the brackets are passed to certbot literally and rejected as unrecognized arguments, and a comment swallows the backslash after it, which ends the continued command on that line. The plugin reads the AWS key pair through boto3, so instead of placing it in the environment you can use any other boto3 credential source (a ~/.aws/credentials profile selected with AWS_PROFILE, or an instance role); either way, restrict the IAM identity to the permissions in the sample policy.

Follow the screen prompts and you should end up with the certificate in your distribution. It may take a couple minutes to update.

Automate renewal

To automate renewal without prompts (for example, from a monthly cron job), add the certbot parameters --renew-by-default --text. For a fully unattended run also pass --non-interactive (-n), which makes certbot fail with an error rather than wait on a prompt; certbot's --redirect and --no-redirect options pre-answer its "HTTPS access is required or optional" question, and --email is needed the first time an account is registered in non-interactive mode.
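A cron-safe wrapper for the command above, as an added example that is not part of certbot-s3front or certbot: it reads the AWS key pair from a file that must be mode 0600, assembles the certbot argument vector without a shell (so nothing is word-split and no secret lands in shell history or argv), and hands the secrets to certbot through its environment only. The credentials file format (KEY=VALUE lines), its path and the sample domain, bucket and distribution ID are assumptions of the example; the certbot options are the standard ones (--non-interactive, --text, --agree-tos, --email, --renew-by-default) plus the plugin options documented above.

```python
"""Cron-safe wrapper around certbot-s3front (added example, not project code)."""
import os
import stat
import subprocess
from pathlib import Path


def load_credentials(path):
    """Parse KEY=VALUE lines from a file that only its owner may read.

    A group- or world-readable credentials file is refused outright: this key
    pair can replace the CloudFront certificate and write into the bucket.
    """
    p = Path(path)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is mode {mode:04o}; expected 0600")
    creds = {}
    for raw in p.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            creds[key.strip()] = value.strip()
    missing = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"} - set(creds)
    if missing:
        raise ValueError(f"{path} lacks {sorted(missing)}")
    return creds


def build_certbot_argv(domain, bucket, distribution_id, email,
                       region="us-east-1", directory="", certbot="certbot"):
    """Argument vector for an unattended auth + install run.

    --non-interactive makes certbot exit with an error instead of blocking on a
    prompt; --email is required on first registration in that mode.
    """
    argv = [certbot, "--non-interactive", "--text", "--agree-tos",
            "--renew-by-default", "--email", email,
            "-a", "certbot-s3front:auth",
            "--certbot-s3front:auth-s3-bucket", bucket,
            "--certbot-s3front:auth-s3-region", region]
    if directory:  # plugin default is "" (bucket root)
        argv += ["--certbot-s3front:auth-s3-directory", directory]
    argv += ["-i", "certbot-s3front:installer",
             "--certbot-s3front:installer-cf-distribution-id", distribution_id,
             "-d", domain]
    return argv


def run_renewal(credentials_path, **certbot_kwargs):
    """Run certbot with the key pair in its environment only; return its exit code."""
    env = {**os.environ, **load_credentials(credentials_path)}
    argv = build_certbot_argv(**certbot_kwargs)
    # argv holds no secrets, so it is safe to log for troubleshooting.
    print("running:", " ".join(argv))
    return subprocess.run(argv, env=env, check=False).returncode


if __name__ == "__main__":
    # Assumed credentials path and placeholder values, for illustration only.
    raise SystemExit(run_renewal(
        "/etc/letsencrypt/aws-credentials",
        domain="www.example.com", bucket="www.example.com",
        distribution_id="EXAMPLEDISTID", email="hostmaster@example.com"))
```

Run it from cron as the user that owns /etc/letsencrypt; certbot's exit status is propagated, so a failed renewal shows up as a failed cron job instead of a silently expiring certificate.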

Using with Docker

To build a docker image of certbot with the s3front plugin, clone this repo and run:

docker build . -t certbot-s3front

Then write the settings the image reads into an env.list file. The file holds your AWS secret key, so restrict its permissions and keep it out of version control:

echo AWS_ACCESS_KEY_ID=YOUR_ID >> env.list
echo AWS_SECRET_ACCESS_KEY=YOUR_KEY >> env.list
echo AWS_S3_BUCKET=YOUR_S3_BUCKET_NAME >> env.list
echo AWS_DISTRIBUTION_ID=YOUR_DISTRIBUTION_ID >> env.list
echo DOMAIN=YOUR_DOMAIN >> env.list
echo EMAIL=YOUR_EMAIL >> env.list
chmod 600 env.list

And finally run the docker image:

docker run --rm --name lets-encrypt -it \
    -v "$(pwd)/letsencrypt:/etc/letsencrypt" \
    --env-file env.list \
    certbot-s3front

The -v bind mount needs an absolute host path; a relative ./letsencrypt/ is not accepted. After the run, that directory holds your ACME account key and the certificate's private key, so protect it like env.list.
certbot-s3front's People

Contributors

callms, crgwbr, dillona, dirkcuys, dlapiduz, elvisangelaccio, iliakolev, ivy, kdeldycke, martin-podlubny, michaelandrew, mnowster, plancast, ryansb, tlvince, visibilityspots


certbot-s3front's Issues

this is not working for many reasons

First, the big Python problem between python2 and python3: just getting it to install from pip on python2.7 when my system is python3 was already a mess, and maybe that is why this is failing.
Then I had to use pip with sudo...
Now I run your script and it says it can't handle brackets. I have installed letsencrypt many times, just not on AWS/S3, and I have never seen any letsencrypt option that allows for brackets.

sudo ./letsencrypt.sh 
usage: 
  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins
letsencrypt: error: unrecognized arguments: [

update1:

I deleted that whole line
and now starts the menu.
but I get:

An error occurred (NoSuchEntity) when calling the DeleteServerCertificate operation: The Server Certificate with name le-hispagatos.org cannot be found.

and

An unexpected error occurred:
ClientError: An error occurred (IllegalUpdate) when calling the UpdateDistribution operation: Only one viewer certificate change may be in progress at a time.
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/XXXXMYDOMAINXXXX/fullchain.pem. Your cert will
   expire on 2016-08-07. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected].
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

Cannot renew "AuthorizationError: Incomplete authorizations"

verbose log as below, any idea?

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator certbot-s3front:auth and installer certbot-s3front:installer
Single candidate plugin: * certbot-s3front:installer
Description: S3/CloudFront Installer
Interfaces: IInstaller, IPlugin
Entry point: installer = certbot_s3front.installer:Installer
Initialized: <certbot_s3front.installer.Installer object at 0x10bd31310>
Prep: True
Single candidate plugin: * certbot-s3front:auth
Description: S3/CloudFront Authenticator
Interfaces: IAuthenticator, IPlugin
Entry point: auth = certbot_s3front.authenticator:Authenticator
Initialized: <certbot_s3front.authenticator.Authenticator object at 0x10b5ef690>
Prep: True
Selected authenticator <certbot_s3front.authenticator.Authenticator object at 0x10b5ef690> and installer <certbot_s3front.installer.Installer object at 0x10bd31310>
Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:[email protected]',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x10bd31610>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/19021102', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), ddd80b403fe56d9116cbc2e8cfdece4f, Meta(creation_host=u'lianmeng-C02SG119G8WL', creation_dt=datetime.datetime(2017, 7, 22, 0, 11, 56, tzinfo=)))>
Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 561
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 561
Replay-Nonce: y_yyjW5RBDgqTlp-KoigRtw9_viNVIAslaYQV61Wpxs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 11 Oct 2017 03:36:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 11 Oct 2017 03:36:44 GMT
Connection: keep-alive

{
"estrD8o6IDg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"meta": {
"terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
},
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
Auto-renewal forced with --force-renewal...
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: TTM7V7GtUWxFQSrFiiVoRkPPiwnEPbWD68EjTseI7H0
Expires: Wed, 11 Oct 2017 03:36:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 11 Oct 2017 03:36:44 GMT
Connection: keep-alive

Storing nonce: TTM7V7GtUWxFQSrFiiVoRkPPiwnEPbWD68EjTseI7H0
JWS payload:
{
"identifier": {
"type": "dns",
"value": "www.teeterpal.com"
},
"resource": "new-authz"
}
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"protected": "…",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAid3d3LnRlZXRlcnBhbC5jb20iCiAgfSwgCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ",
"signature": "r1z1_m1coifKwapey0fmcb3LXWm68r1wmyYQr3kgRQDs9FndgG5CYvPOSW4adZqdvfOvzW9QqF8Dw6wRSwbnpD9FWw6px4MeIC1uuW_us0YcWXHn_V9MxM-c6Nz0udA1QGnujF8igv9JPsb3ZS7i_rdLjIztdbM801NiuaH6cWuUj6oy_m8auxBp-OMtiiXNNZV1zP9hpfbLV-j5_p5PwpA-LkFNKTa4QWPuiYhJd93Lz2Frcw_nAAlpmRbAprG07Elio1kD8SgthAm6Hy0SDQCXYZUWYgk2CsW53-ez672UoVt2GzjUTVwlhbhE1sogglys1WGxzutpxWoQDXXAxA"
}
https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 995
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 995
Boulder-Requester: 19021102
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/a0Cqu5YJ79VUry79yYZknQXZz9xzZx8OWiXsdSYuBIQ
Replay-Nonce: l7VPBR1kM8h_DKtQuqa0r4_irWEbAYpDYKIc9v4S0_4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 11 Oct 2017 03:36:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 11 Oct 2017 03:36:44 GMT
Connection: keep-alive

{
"identifier": {
"type": "dns",
"value": "www.teeterpal.com"
},
"status": "pending",
"expires": "2017-10-18T02:27:07Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/a0Cqu5YJ79VUry79yYZknQXZz9xzZx8OWiXsdSYuBIQ/2177779021",
"token": "hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/a0Cqu5YJ79VUry79yYZknQXZz9xzZx8OWiXsdSYuBIQ/2177779022",
"token": "6YInFDE_3T9wPc469voVfOsJXIoiq0StMUJcXDTtxXs"
},
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/a0Cqu5YJ79VUry79yYZknQXZz9xzZx8OWiXsdSYuBIQ/2177779023",
"token": "oEs6huDhSoA78D_5u1Uy3XUXHkKf0fjTRUDHmtTngkQ"
}
],
"combinations": [
[
1
],
[
2
],
[
0
]
]
}
Storing nonce: l7VPBR1kM8h_DKtQuqa0r4_irWEbAYpDYKIc9v4S0_4
Performing the following challenges:
http-01 challenge for www.teeterpal.com
Loading JSON file: /usr/local/lib/python2.7/site-packages/boto3/data/s3/2006-03-01/resources-1.json
Looking for credentials via: env
Found credentials in environment variables.
Loading JSON file: /Users/lianmeng/Library/Python/2.7/lib/python/site-packages/botocore/data/endpoints.json
Loading JSON file: /Users/lianmeng/Library/Python/2.7/lib/python/site-packages/botocore/data/s3/2006-03-01/service-2.json
Loading JSON file: /Users/lianmeng/Library/Python/2.7/lib/python/site-packages/botocore/data/_retry.json
Registering retry handlers for service: s3
Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x10bc97938>
Event creating-client-class.s3: calling handler <function _handler at 0x10be86578>
Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x10bc97758>
The s3 config key is not a dictionary type, ignoring its value of: None
Setting s3 timeout as (60, 60)
Defaulting to S3 virtual host style addressing with path style addressing fallback.
Loading s3:s3
Loading s3:Bucket
Renaming Bucket attribute name
Event creating-resource-class.s3.Bucket: calling handler <function _handler at 0x10be866e0>
Calling s3:put_object with {'Body': u'hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0.Yk2mV5X9pgphhnYd_OkD8G56Z7WH6Wn2mvuO8aeUFdw', u'Bucket': 'www.teeterpal.com', 'Key': u'.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0', 'ACL': 'public-read'}
Event before-parameter-build.s3.PutObject: calling handler <function validate_ascii_metadata at 0x10bccb2a8>
Event before-parameter-build.s3.PutObject: calling handler <function sse_md5 at 0x10bcc97d0>
Event before-parameter-build.s3.PutObject: calling handler <function convert_body_to_file_like_object at 0x10bccb8c0>
Event before-parameter-build.s3.PutObject: calling handler <function validate_bucket_name at 0x10bcc9758>
Event before-parameter-build.s3.PutObject: calling handler <bound method S3RegionRedirector.redirect_from_cache of <botocore.utils.S3RegionRedirector object at 0x10d4b3510>>
Event before-parameter-build.s3.PutObject: calling handler <function generate_idempotent_uuid at 0x10bcc9410>
Event before-call.s3.PutObject: calling handler <function conditionally_calculate_md5 at 0x10bcc96e0>
Event before-call.s3.PutObject: calling handler <function add_expect_header at 0x10bcc9b90>
Adding expect 100 continue header to request.
Event before-call.s3.PutObject: calling handler <bound method S3RegionRedirector.set_request_url of <botocore.utils.S3RegionRedirector object at 0x10d4b3510>>
Making request for OperationModel(name=PutObject) (verify_ssl=True) with params: {'body': <StringIO.StringIO instance at 0x10d519f80>, 'url': u'https://s3.amazonaws.com/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0', 'headers': {'Content-MD5': u'bdmzmLm1jdGZmU3d8KMvtQ==', 'Expect': '100-continue', u'x-amz-acl': 'public-read', 'User-Agent': 'Boto3/1.4.4 Python/2.7.13 Darwin/16.0.0 Botocore/1.5.77 Resource'}, 'context': {'auth_type': None, 'client_region': 'us-east-1', 'signing': {'bucket': 'www.teeterpal.com'}, 'has_streaming_input': True, 'client_config': <botocore.config.Config object at 0x10d4b31d0>}, 'query_string': {}, 'url_path': u'/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0', 'method': u'PUT'}
Event request-created.s3.PutObject: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x10d431110>>
Event choose-signer.s3.PutObject: calling handler <bound method ClientCreator._default_s3_presign_to_sigv2 of <botocore.client.ClientCreator object at 0x10bfa7310>>
Event choose-signer.s3.PutObject: calling handler <function set_operation_specific_signer at 0x10bcc9320>
Event before-sign.s3.PutObject: calling handler <function fix_s3_host at 0x10bba69b0>
Calculating signature using v4 auth.
CanonicalRequest:
PUT
/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0

content-md5:bdmzmLm1jdGZmU3d8KMvtQ==
host:s3.amazonaws.com
x-amz-acl:public-read
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:20171011T033644Z

content-md5;host;x-amz-acl;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD
StringToSign:
AWS4-HMAC-SHA256
20171011T033644Z
20171011/us-east-1/s3/aws4_request
482b5ea234dcf27cc9b4fa75b7cce9216e275d57808a6f924f2b32e8d64e9396
Signature:
83c4bceb84f59e021553ec896d4df1667d81f71a3daccc34e5099cfb96d3ae15
Sending http request: <PreparedRequest [PUT]>
Starting new HTTPS connection (1): s3.amazonaws.com
Waiting for 100 Continue response.
100 Continue response seen, now sending request body.
"PUT /www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0 HTTP/1.1" 200 0
Response headers: {'content-length': '0', 'x-amz-id-2': 'CFdFZP/dwiEANPa2BRfDkWTa61soKlqCH/kgIPRNnOvnszf3/Am8sYyJTxtWZ/CogNsF8gAGX9A=', 'server': 'AmazonS3', 'x-amz-request-id': '63C2F4DC5254FCDA', 'etag': '"6dd9b398b9b58dd199994dddf0a32fb5"', 'date': 'Wed, 11 Oct 2017 03:36:46 GMT'}
Response body:

Event needs-retry.s3.PutObject: calling handler <botocore.retryhandler.RetryHandler object at 0x10d3d0550>
No retry needed.
Event needs-retry.s3.PutObject: calling handler <bound method S3RegionRedirector.redirect_from_error of <botocore.utils.S3RegionRedirector object at 0x10d4b3510>>
Response: {u'ETag': '"6dd9b398b9b58dd199994dddf0a32fb5"', 'ResponseMetadata': {'HTTPStatusCode': 200, 'RetryAttempts': 0, 'HostId': 'CFdFZP/dwiEANPa2BRfDkWTa61soKlqCH/kgIPRNnOvnszf3/Am8sYyJTxtWZ/CogNsF8gAGX9A=', 'RequestId': '63C2F4DC5254FCDA', 'HTTPHeaders': {'content-length': '0', 'x-amz-id-2': 'CFdFZP/dwiEANPa2BRfDkWTa61soKlqCH/kgIPRNnOvnszf3/Am8sYyJTxtWZ/CogNsF8gAGX9A=', 'server': 'AmazonS3', 'x-amz-request-id': '63C2F4DC5254FCDA', 'etag': '"6dd9b398b9b58dd199994dddf0a32fb5"', 'date': 'Wed, 11 Oct 2017 03:36:46 GMT'}}}
Loading s3:Object
Event creating-resource-class.s3.Object: calling handler <function _handler at 0x10beedc80>
Verifying http-01 at http://www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0...
Starting new HTTP connection (1): www.teeterpal.com
http://www.teeterpal.com:80 "GET /.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0 HTTP/1.1" 200 1288
Received <Response [200]>:

<title>Teeterpal</title>
<link type="text/css" rel="stylesheet" media="all" href="//d3obslvgayxcv1.cloudfront.net/css/app.0.0.18.1006171819.css" />
<script src="//d3obslvgayxcv1.cloudfront.net/js/app.0.0.18.1006171819.js"></script>
Headers: {'Content-Length': '1288', 'Via': '1.1 9f24b18d030ce2b8185b958a523beb8a.cloudfront.net (CloudFront)', 'X-Cache': 'Error from cloudfront', 'Accept-Ranges': 'bytes', 'Server': 'AmazonS3', 'Last-Modified': 'Sat, 07 Oct 2017 01:20:22 GMT', 'Connection': 'keep-alive', 'ETag': '"15ab6f3bda2998dbf46bd0fb5194e7ed"', 'X-Amz-Cf-Id': 'GcY6kwN-AE8-j_EFx5n6YIfvnBgHtQIcXHIVzjnjIojb9APMMuXKfQ==', 'Date': 'Sun, 08 Oct 2017 17:21:49 GMT', 'Content-Type': 'text/html; charset=utf-8'}
Key authorization from response (u'hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0.Yk2mV5X9pgphhnYd_OkD8G56Z7WH6Wn2mvuO8aeUFdw') doesn't match HTTP response (u'\n\n\n \n \n \n \n <title>Teeterpal</title>\n \n \n \n \n \n \n \n \n\n\n \n\n\n <script src="//d3obslvgayxcv1.cloudfront.net/js/app.0.0.18.1006171819.js"></script>\n\n\n')
Self-verify of challenge failed, authorization abandoned!
Waiting for verification...
Cleaning up challenges
Registering retry handlers for service: s3
Event creating-client-class.s3: calling handler
Event creating-client-class.s3: calling handler
Event creating-client-class.s3: calling handler
The s3 config key is not a dictionary type, ignoring its value of: None
Setting s3 timeout as (60, 60)
Defaulting to S3 virtual host style addressing with path style addressing fallback.
Loading s3:s3
Event before-parameter-build.s3.DeleteObject: calling handler
Event before-parameter-build.s3.DeleteObject: calling handler
Event before-parameter-build.s3.DeleteObject: calling handler
Event before-call.s3.DeleteObject: calling handler
Event before-call.s3.DeleteObject: calling handler
Making request for OperationModel(name=DeleteObject) (verify_ssl=True) with params: {'body': '', 'url': u'https://s3.amazonaws.com/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0', 'headers': {'User-Agent': 'Boto3/1.4.4 Python/2.7.13 Darwin/16.0.0 Botocore/1.5.77 Resource'}, 'context': {'auth_type': None, 'client_region': 'us-east-1', 'signing': {'bucket': 'www.teeterpal.com'}, 'has_streaming_input': False, 'client_config': }, 'query_string': {}, 'url_path': u'/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0', 'method': u'DELETE'}
Event request-created.s3.DeleteObject: calling handler
Event choose-signer.s3.DeleteObject: calling handler
Event choose-signer.s3.DeleteObject: calling handler
Event before-sign.s3.DeleteObject: calling handler
Calculating signature using v4 auth.
CanonicalRequest:
DELETE
/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0

host:s3.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20171011T033645Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
StringToSign:
AWS4-HMAC-SHA256
20171011T033645Z
20171011/us-east-1/s3/aws4_request
296efa578e35d77f46225e155d38b09e8acc8ef58f04980eec9448f408f06d33
Signature:
e8f5f17710d9585647380473735c3660ca0e72da1b33e9240bbafe3873c3a606
Sending http request: <PreparedRequest [DELETE]>
Starting new HTTPS connection (1): s3.amazonaws.com
"DELETE /www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0 HTTP/1.1" 204 0
Response headers: {'x-amz-id-2': 'lPbhgHuLkNorvEL4O8CbOmVr3PuP/YQfCH+z21oWNOscJhV9FS3+xi2pme0YYlbaN4KuCxX870s=', 'date': 'Wed, 11 Oct 2017 03:36:46 GMT', 'x-amz-request-id': '32EC7175E25BFC5D', 'server': 'AmazonS3'}
Response body:

Event needs-retry.s3.DeleteObject: calling handler <botocore.retryhandler.RetryHandler object at 0x10d3d0550>
No retry needed.
Event needs-retry.s3.DeleteObject: calling handler <bound method S3RegionRedirector.redirect_from_error of <botocore.utils.S3RegionRedirector object at 0x10d54b9d0>>
Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 11, in
sys.exit(main())
File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 743, in main
return config.func(config, plugins)
File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 598, in run
certname, lineage)
File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 77, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 297, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 317, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 84, in get_authorizations
self.verify_authzr_complete()
File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 298, in verify_authzr_complete
raise errors.AuthorizationError("Incomplete authorizations")
AuthorizationError: Incomplete authorizations
Incomplete authorizations
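What the failing self-check in the log above actually compares, as an added example that is not part of the issue, of certbot, of the acme library or of certbot-s3front: the authenticator uploads token + "." + the RFC 7638 thumbprint of the ACME account key to .well-known/acme-challenge/<token>, then fetches http://<domain>/.well-known/acme-challenge/<token> and expects exactly that string back. In the log, CloudFront answered with the site's HTML and X-Cache: Error from cloudfront, which is why the key authorization "doesn't match HTTP response". The account JWK below is a constructed placeholder (not a real key), the token is the one from the log, the response headers and bodies are constructed to mirror the log, and diagnose() returns the reasons such a response would fail the check (an empty list means it would pass).

```python
"""Offline reproduction of certbot's http-01 self-check (added example, not project code)."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME encodes everything."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Exact body the CA expects at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def diagnose(expected: str, status: int, headers: dict, body: str) -> list:
    """Return the reasons a fetched challenge response would fail; [] means it passes.

    RFC 8555 section 8.3 lets the CA ignore whitespace after the key
    authorization, so trailing whitespace is the only tolerated difference.
    """
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if status != 200:
        problems.append(f"HTTP {status} instead of 200")
    if body.rstrip() != expected:
        problems.append("body is not the key authorization")
        if "text/html" in h.get("content-type", ""):
            problems.append("an HTML page was served instead of the challenge file")
        if "error from cloudfront" in h.get("x-cache", "").lower():
            problems.append("CloudFront substituted its error page: the origin "
                            "returned an error for the challenge path")
        if "hit from cloudfront" in h.get("x-cache", "").lower():
            problems.append("CloudFront served a cached object: invalidate "
                            "/.well-known/acme-challenge/* or make it non-cacheable")
    return problems


# Constructed placeholder account key (not a real RSA key); "alg" is deliberately
# present to show the thumbprint ignores members outside the required set.
ACCOUNT_JWK = {"kty": "RSA", "n": "sample-modulus-not-a-real-key", "e": "AQAB",
               "alg": "RS256"}
TOKEN = "hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0"  # token from the log above

if __name__ == "__main__":
    expected = key_authorization(TOKEN, ACCOUNT_JWK)
    # Constructed response shaped like the log: 200, text/html, error page from CloudFront.
    cdn_page = diagnose(expected, 200,
                        {"Content-Type": "text/html; charset=utf-8",
                         "X-Cache": "Error from cloudfront", "Server": "AmazonS3"},
                        "\n\n\n <title>Teeterpal</title>\n")
    # Constructed response of a correctly served challenge object.
    correct = diagnose(expected, 200, {"Content-Type": "application/octet-stream"},
                       expected + "\n")
    print("expected body:", expected)
    print("cdn index page:", cdn_page)
    print("correct file:", correct)
```

Feed a real fetch of the challenge URL (status, headers, body) into diagnose() before re-running certbot. A CloudFront error page with a 200 status means the origin returned an error for that key and the distribution's custom error response replaced it, so check the bucket name, --certbot-s3front:auth-s3-directory and the error-response mapping; a cached hit means the old object is still in the edge cache and the path must be invalidated first.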

ValueError: Invalid header value 'CertbotACMEClient/0.8.0 (darwin 10.11.4\n)

Attempting to run on OS X 10.11. The client starts up and allows me to enter the email address for "urgent notices". Afterwards it crashes with the following error:

ValueError: Invalid header value 'CertbotACMEClient/0.8.0 (darwin 10.11.4\n) Authenticator/letsencrypt-s3front:auth Installer/letsencrypt-s3front:installer'

Unrecognized arguments

Got this error:

$ cat upload-ssl-s3.sh
#!/bin/bash

source /home/foo/.local/share/letsencrypt/bin/activate

AWS_ACCESS_KEY_ID=XXX \
AWS_SECRET_ACCESS_KEY=XXX \
certbot --agree-tos -a certbot-s3front:auth \
--certbot-s3front:auth-s3-bucket XXX \
--certbot-s3front:auth-s3-region us-east-1 \
-i certbot-s3front:installer \
--certbot-s3front:installer-cf-distribution-id XXX \
-d mydomain.com

$ bash upload-ssl-s3.sh
usage:
  letsencrypt-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --certbot-s3front:auth-s3-bucket XXX --certbot-s3front:auth-s3-region us-east-1 --certbot-s3front:installer-cf-distribution-id XXX

Any ideas?

Issue installing with certbot 0.23.0

Hello,

I have used certbot-s3front with success in the past but I can't get it to work with 0.23.0

I have tried to uninstall and reinstall, and I get this:

# pip install certbot-s3front
Requirement already satisfied: certbot-s3front in /usr/local/lib/python2.7/dist-packages (0.3.1)
Requirement already satisfied: boto3 in /usr/local/lib/python2.7/dist-packages (from certbot-s3front) (1.4.7)
Requirement already satisfied: mock in /usr/local/lib/python2.7/dist-packages (from certbot-s3front) (2.0.0)
Requirement already satisfied: acme>=0.1.1 in /usr/local/lib/python2.7/dist-packages (from certbot-s3front) (0.18.1)
Requirement already satisfied: zope.interface in /usr/local/lib/python2.7/dist-packages (from certbot-s3front) (4.4.2)
Requirement already satisfied: PyOpenSSL in /usr/local/lib/python2.7/dist-packages (from certbot-s3front) (17.3.0)
Requirement already satisfied: certbot>=0.9.3 in /usr/local/lib/python2.7/dist-packages (from certbot-s3front) (0.18.1)
Requirement already satisfied: setuptools in /usr/local/lib/python2.7/dist-packages (from certbot-s3front) (36.5.0)
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /usr/local/lib/python2.7/dist-packages (from boto3->certbot-s3front) (0.9.3)
Requirement already satisfied: botocore<1.8.0,>=1.7.0 in /usr/local/lib/python2.7/dist-packages (from boto3->certbot-s3front) (1.7.11)
Requirement already satisfied: s3transfer<0.2.0,>=0.1.10 in /usr/local/lib/python2.7/dist-packages (from boto3->certbot-s3front) (0.1.11)
Requirement already satisfied: funcsigs>=1; python_version < "3.3" in /usr/local/lib/python2.7/dist-packages (from mock->certbot-s3front) (1.0.2)
Requirement already satisfied: six>=1.9 in /usr/local/lib/python2.7/dist-packages (from mock->certbot-s3front) (1.10.0)
Requirement already satisfied: pbr>=0.11 in /usr/local/lib/python2.7/dist-packages (from mock->certbot-s3front) (3.1.1)
Requirement already satisfied: pytz in /usr/local/lib/python2.7/dist-packages (from acme>=0.1.1->certbot-s3front) (2017.2)
Requirement already satisfied: pyrfc3339 in /usr/local/lib/python2.7/dist-packages (from acme>=0.1.1->certbot-s3front) (1.0)
Requirement already satisfied: cryptography>=0.8 in /usr/local/lib/python2.7/dist-packages (from acme>=0.1.1->certbot-s3front) (2.0.3)
Requirement already satisfied: requests[security]>=2.4.1 in /usr/local/lib/python2.7/dist-packages (from acme>=0.1.1->certbot-s3front) (2.18.4)
Requirement already satisfied: zope.component in /usr/local/lib/python2.7/dist-packages (from certbot>=0.9.3->certbot-s3front) (4.4.0)
Requirement already satisfied: parsedatetime>=1.3 in /usr/local/lib/python2.7/dist-packages (from certbot>=0.9.3->certbot-s3front) (2.4)
Requirement already satisfied: configobj in /usr/lib/python2.7/dist-packages (from certbot>=0.9.3->certbot-s3front) (5.0.6)
Requirement already satisfied: ConfigArgParse>=0.9.3 in /usr/local/lib/python2.7/dist-packages (from certbot>=0.9.3->certbot-s3front) (0.12.0)
Requirement already satisfied: docutils>=0.10 in /usr/local/lib/python2.7/dist-packages (from botocore<1.8.0,>=1.7.0->boto3->certbot-s3front) (0.14)
Requirement already satisfied: python-dateutil<3.0.0,>=2.1 in /usr/local/lib/python2.7/dist-packages (from botocore<1.8.0,>=1.7.0->boto3->certbot-s3front) (2.6.1)
Requirement already satisfied: futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" in /usr/local/lib/python2.7/dist-packages (from s3transfer<0.2.0,>=0.1.10->boto3->certbot-s3front) (3.1.1)
Requirement already satisfied: idna>=2.1 in /usr/local/lib/python2.7/dist-packages (from cryptography>=0.8->acme>=0.1.1->certbot-s3front) (2.6)
Requirement already satisfied: asn1crypto>=0.21.0 in /usr/local/lib/python2.7/dist-packages (from cryptography>=0.8->acme>=0.1.1->certbot-s3front) (0.22.0)
Requirement already satisfied: enum34 in /usr/local/lib/python2.7/dist-packages (from cryptography>=0.8->acme>=0.1.1->certbot-s3front) (1.1.6)
Requirement already satisfied: ipaddress in /usr/local/lib/python2.7/dist-packages (from cryptography>=0.8->acme>=0.1.1->certbot-s3front) (1.0.18)
Requirement already satisfied: cffi>=1.7 in /usr/local/lib/python2.7/dist-packages (from cryptography>=0.8->acme>=0.1.1->certbot-s3front) (1.10.0)
Requirement already satisfied: urllib3<1.23,>=1.21.1 in /usr/local/lib/python2.7/dist-packages (from requests[security]>=2.4.1->acme>=0.1.1->certbot-s3front) (1.22)
Requirement already satisfied: certifi>=2017.4.17 in /usr/local/lib/python2.7/dist-packages (from requests[security]>=2.4.1->acme>=0.1.1->certbot-s3front) (2017.7.27.1)
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python2.7/dist-packages (from requests[security]>=2.4.1->acme>=0.1.1->certbot-s3front) (3.0.4)
Requirement already satisfied: zope.event in /usr/local/lib/python2.7/dist-packages (from zope.component->certbot>=0.9.3->certbot-s3front) (4.3.0)
Requirement already satisfied: future in /usr/local/lib/python2.7/dist-packages (from parsedatetime>=1.3->certbot>=0.9.3->certbot-s3front) (0.16.0)
Requirement already satisfied: pycparser in /usr/local/lib/python2.7/dist-packages (from cffi>=1.7->cryptography>=0.8->acme>=0.1.1->certbot-s3front) (2.18)

But can't get it to show up in certbot plugins:

# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
-------------------------------------------------------------------------------

I checked and certbot is using python 2.7. Not sure how to get certbot to see the s3front install.

"required or optional" prompt when trying to auto renew

I'm trying to automate the cert renewal and installation with the following command:

AWS_ACCESS_KEY_ID="XXXXXXXXXXXXXXXXX" \
AWS_SECRET_ACCESS_KEY="XXXXXXXXXXXXXXXXXXXXXX" \
letsencrypt --agree-tos -a letsencrypt-s3front:auth \
--letsencrypt-s3front:auth-s3-bucket assets.bradt.ca \
-i letsencrypt-s3front:installer \
--letsencrypt-s3front:installer-cf-distribution-id XXXXXXXXXX \
-d assets.bradt.ca --renew-by-default --text

Unfortunately I'm still getting the following prompt:

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Any ideas how to get rid of it? Is there a CLI switch that I could set?

Documentation Help

This seems to be a good solution for automating the updating of SSL certificates.

I am unclear on a few things.

On what computer do I need to install the scripts? Would it be the S3 bucket? Do I SSH into the bucket and run them?

Would this command also be run in the S3 bucket?

AWS_ACCESS_KEY_ID="your_key" \
AWS_SECRET_ACCESS_KEY="your_secret" \
letsencrypt --agree-tos -a letsencrypt-s3front:auth \
--letsencrypt-s3front:auth-s3-bucket the_bucket \
[ --letsencrypt-s3front:auth-s3-region your-bucket-region-name ] (default is us-east-1) \
-i letsencrypt-s3front:installer \
--letsencrypt-s3front:installer-cf-distribution-id your_cf_distribution_id \
-d the_domain

...and these are the variables that I need to change?

  • your_key
  • your_secret
  • the_bucket
  • your-bucket-region-name
  • your_cf_distribution_id
  • the_domain

My setup is for an image CDN which uses an S3 bucket and CloudFront.

EndpointConnectionError: does not accept different region

I'm receiving the following error when using region us-west-1; it goes back to the default region:
Thanks!

CLI command:

certbot --agree-tos -a certbot-s3front:auth --certbot-s3front:auth-s3-bucket domainame.com --certbot-s3front:auth-s3-region "us-west-1" -i certbot-s3front:installer --certbot-s3front:installer-cf-distribution-id "CF_DISTRIBUTION_ID" -d domainame.com

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/domain.com-0001.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Found credentials in shared credentials file: ~/.aws/credentials
Starting new HTTPS connection (1): iam.us-east-1a.amazonaws.com
Starting new HTTPS connection (2): iam.us-east-1a.amazonaws.com
Starting new HTTPS connection (3): iam.us-east-1a.amazonaws.com
Starting new HTTPS connection (4): iam.us-east-1a.amazonaws.com
Starting new HTTPS connection (5): iam.us-east-1a.amazonaws.com
An unexpected error occurred:
EndpointConnectionError: Could not connect to the endpoint URL: "https://iam.us-east-1a.amazonaws.com/"
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain.com-0001/fullchain.pem. Your
   cert will expire on 2017-09-17. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again with
   the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
sh: parse_git_branch: command not found

creating multiple certificates for different cloudfront ids

I'm trying to add another subdomain, which is using a different CloudFront distribution and a different S3 bucket, but for some reason certbot is trying to compare the new subdomain with the one I already have, so it returns an error like:

Unable to reach http://stage.talkcenter.io/.well-known/acme-challenge/8N3XE70-11f8HTojRpPv_kmaI2JLYjXwGutoiroalJw: hostname 'stage.talkcenter.io' doesn't match 'app.talkcenter.io'
Self-verify of challenge failed, authorization abandoned!

Can you help me on this?

Not working with certbot python3 version

It seems certbot is using python3 nowadays, while certbot-s3front still requires python2 (and installs its files in /usr/lib/python2.7/site-packages/). This is what causes #55

Is certbot-s3front supposed to work with python3?

Minimum parameters to create and upload a certificate to a cloudfront distribution

Hello, I'm new to this lib and would like to use it so I can update certificates on our CloudFront distributions.

In your README.md you have this example:

AWS_ACCESS_KEY_ID="REPLACE_WITH_YOUR_KEY" \
AWS_SECRET_ACCESS_KEY="REPLACE_WITH_YOUR_SECRET" \
certbot --agree-tos -a certbot-s3front:auth \
--certbot-s3front:auth-s3-bucket REPLACE_WITH_YOUR_BUCKET_NAME \
[ --certbot-s3front:auth-s3-region your-bucket-region-name ] #(the default is us-east-1, unless you want to set it to something else, you can delete this line) \
[ --certbot-s3front:auth-s3-directory your-bucket-directory ] # (default is "") \
-i certbot-s3front:installer \
--certbot-s3front:installer-cf-distribution-id REPLACE_WITH_YOUR_CF_DISTRIBUTION_ID \
-d REPLACE_WITH_YOUR_DOMAIN

Just a few questions:

  • May I ask if the S3 buckets are important to be declared?
  • Will it be enough just to upload to a CloudFront distribution? Will this command work?
AWS_ACCESS_KEY_ID="REPLACE_WITH_YOUR_KEY" \
AWS_SECRET_ACCESS_KEY="REPLACE_WITH_YOUR_SECRET" \
certbot --agree-tos -a certbot-s3front:auth \
--certbot-s3front:installer-cf-distribution-id REPLACE_WITH_YOUR_CF_DISTRIBUTION_ID \
-d REPLACE_WITH_YOUR_DOMAIN

Thanks for the assist!

Can't upgrade my cert

This used to work... now it's not. :(
Here is the output.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hispagatos.org
http-01 challenge for www.hispagatos.org
Found credentials in environment variables.
Calling s3:put_object with {'Body': u'9AZLyl7URXoF1NYvpOqnCunhodUEtGp9cfp8r1EJP-A.zTD5knHml5ZED7dF-PxySbu-elhed47te-VNfdEeobY', u'Bucket': 'hispagatos.org', 'Key': u'.well-known/acme-challenge/9AZLyl7URXoF1NYvpOqnCunhodUEtGp9cfp8r1EJP-A', 'ACL': 'public-read'}
Starting new HTTPS connection (1): s3.amazonaws.com
Unable to reach http://hispagatos.org/.well-known/acme-challenge/9AZLyl7URXoF1NYvpOqnCunhodUEtGp9cfp8r1EJP-A: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
Self-verify of challenge failed, authorization abandoned!
Calling s3:put_object with {'Body': u'VQZcK1h7NKR3D6t9mSFfA0TOpCIDH4UYVoJECWy67pA.zTD5knHml5ZED7dF-PxySbu-elhed47te-VNfdEeobY', u'Bucket': 'hispagatos.org', 'Key': u'.well-known/acme-challenge/VQZcK1h7NKR3D6t9mSFfA0TOpCIDH4UYVoJECWy67pA', 'ACL': 'public-read'}
Starting new HTTPS connection (1): s3.amazonaws.com
Unable to reach http://www.hispagatos.org/.well-known/acme-challenge/VQZcK1h7NKR3D6t9mSFfA0TOpCIDH4UYVoJECWy67pA: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
Self-verify of challenge failed, authorization abandoned!
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): s3.amazonaws.com
Incomplete authorizations

[source] ImportError: No module named interface

I'm currently trying to generate a certificate with this plugin for my S3 bucket which is being used solely as a CDN (just image files) being served from a subdomain on my website.

This is running on a Laravel Forge server where letsencrypt had already been installed and then used to generate a certificate for a domain on the server. This is something that Forge handled itself.

Due to this, I was going off what was said in #8 and ran the source command prior to installing s3front, but when I try to generate the certificate I receive the following error:

Traceback (most recent call last):
  File "/usr/local/bin/letsencrypt", line 7, in <module>
    from letsencrypt.cli import main
  File "/usr/local/lib/python2.7/dist-packages/letsencrypt/cli.py", line 18, in <module>
    import zope.component
  File "/usr/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
    from zope.interface import Interface
ImportError: No module named interface

Any suggestions? I've got no prior experience with using source/virtualenv. Should I be installing any other pip packages under source?

I also previously managed to manually generate a certificate for my S3 bucket using the below command:

sudo -H /root/letsencrypt/letsencrypt-auto certonly -a manual -d $bucket --rsa-key-size 2048 --server https://acme-v01.api.letsencrypt.org/directory --agree-tos --manual-public-ip-logging-ok

Obviously I had to upload that manually using awscli, but that's not very practical. I would rather be able to get a less manual solution in place, and this seemed like an ideal solution, especially if the auto-renew will work.

Directory support

We serve multiple CloudFront distributions from a single S3 bucket via multiple S3 directories (prefixes) and CloudFront's origin path setting.

Currently, letsencrypt-s3front will upload its auth challenge file to the root of the S3 bucket ([bucket]/.well-known/…), which will fail verification ("Self-verify of challenge failed, authorization abandoned!").

I think this could be supported via a new flag that prepends the directory name to the Key keyword argument of _perform_single and cleanup.

letsencrypt-s3front v0.1.3.
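Added example (not the plugin's own code) of the key placement the request above describes: the challenge object goes under the S3 prefix that matches the CloudFront origin path, while the URL the CA fetches carries no prefix because CloudFront prepends the origin path itself. The put_object arguments mirror the ones the plugin logs elsewhere on this page (Bucket, Key, Body, ACL); the function names, the directory normalisation rules and the token check are this example's own assumptions.

```python
"""Place an http-01 challenge object under an S3 prefix that matches the
CloudFront origin path, and use the same key for upload and cleanup.

Added example, not certbot-s3front's own code. The put_object kwargs follow
what the plugin logs (Bucket, Key, Body, ACL); everything else is assumed.
"""
import posixpath
import re

CHALLENGE_DIR = ".well-known/acme-challenge"
# ACME tokens are base64url. Rejecting anything else stops a token from
# steering the key outside the challenge directory ("../..." and the like).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_valid_token(token):
    return bool(TOKEN_RE.match(token))


def normalise_directory(directory):
    """'' / '/' / 'site-a' / '/site-a/' / 'a//b' -> '' / '' / 'site-a' / 'site-a' / 'a/b'.
    CloudFront writes the origin path with a leading slash; S3 keys have none."""
    return "/".join(part for part in directory.split("/") if part)


def challenge_key(directory, token):
    """S3 key for the challenge object. One function serves both _perform and
    cleanup so the two can never disagree about where the object lives."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url: %r" % (token,))
    # posixpath.join drops an empty first component, so the root case works too.
    return posixpath.join(normalise_directory(directory), CHALLENGE_DIR, token)


def plan_challenge(bucket, directory, domain, token, key_authorization):
    """Return (put_object kwargs, URL the CA will fetch). The URL has no
    prefix: CloudFront adds the origin path when it talks to the bucket."""
    put_args = {
        "Bucket": bucket,
        "Key": challenge_key(directory, token),
        "Body": key_authorization.encode("ascii"),
        "ACL": "public-read",
    }
    url = "http://%s/%s/%s" % (domain, CHALLENGE_DIR, token)
    return put_args, url
```

With an empty directory the key is exactly the root placement the request describes; with "/site-a" (the spelling CloudFront uses for an origin path) the object lands at site-a/.well-known/acme-challenge/<token>, which is what the distribution serves at /.well-known/acme-challenge/<token>.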

How to use with `letsencrypt-auto`

Reading the install docs for letsencrypt I noticed it says that installing through pip install is neither recommended nor supported. Instead, they say to use letsencrypt-auto. However, I don't know how to use this plugin in conjunction with the auto version of letsencrypt. Any clues?

Rename to certbot-s3front, use certbot package

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/loader.py", line 418, in loadTestsFromName
    addr.filename, addr.module)
  File "/usr/lib/python2.7/site-packages/nose/importer.py", line 47, in importFromPath
    return self.importFromDir(dir_path, fqname)
  File "/usr/lib/python2.7/site-packages/nose/importer.py", line 94, in importFromDir
    mod = load_module(part_fqname, fh, filename, desc)
  File "/home/simon/projects/aur-certbot-s3front/src/letsencrypt-s3front-0.1.3/letsencrypt_s3front/tests/tls_sni_01_test.py", line 9, in <module>
    from letsencrypt import achallenges
ImportError: No module named letsencrypt

Have issue InvalidDNSNameError

Hi, I'm trying to install letsencrypt for my S3 bucket.
I have an error like this:

InvalidDNSNameError: Bucket named my.example.com is not DNS compatible ..

What have I missed?

thanks :)

NoCredentialsError

OS: Ubuntu

I have installed the plugin via pip and set my two Access Key variables. When I run the following command...

sudo certbot --agree-tos -a certbot-s3front:auth \
  --certbot-s3front:auth-s3-bucket <my_bucket_name> \
  --certbot-s3front:auth-s3-region us-east-1 \
  -i certbot-s3front:installer \
  --certbot-s3front:installer-cf-distribution-id <my_distribution_ID> \
  -d <my_domain> \
  --renew-by-default --text

... I get the following error...

...
Plugins selected: Authenticator certbot-s3front:auth, Installer certbot-s3front:installer
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <my_domain>
Starting new HTTP connection (1): 169.254.169.254
Cleaning up challenges
Starting new HTTP connection (1): 169.254.169.254
Encountered exception during recovery
Unable to locate credentials
Traceback (most recent call last):
  File "/home/stephen/.local/lib/python2.7/site-packages/certbot/error_handler.py", line 103, in _call_registered
    self.funcs[-1]()
  File "/home/stephen/.local/lib/python2.7/site-packages/certbot/auth_handler.py", line 308, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/local/lib/python2.7/dist-packages/certbot_s3front/authenticator.py", line 85, in cleanup
    Key=self._get_key(achall))
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/client.py", line 314, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/client.py", line 599, in _make_api_call
    operation_model, request_dict)
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/endpoint.py", line 148, in make_request
    return self._send_request(request_dict, operation_model)
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/endpoint.py", line 173, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/endpoint.py", line 157, in create_request
    operation_name=operation_model.name)
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/hooks.py", line 227, in emit
    return self._emit(event_name, kwargs)
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/hooks.py", line 210, in _emit
    response = handler(**kwargs)
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/signers.py", line 156, in sign
    auth.add_auth(request)
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/auth.py", line 420, in add_auth
    super(S3SigV4Auth, self).add_auth(request)
  File "/home/stephen/.local/lib/python2.7/site-packages/botocore/auth.py", line 352, in add_auth
    raise NoCredentialsError
NoCredentialsError: Unable to locate credentials
An unexpected error occurred:
NoCredentialsError: Unable to locate credentials
Please see the logfiles in /var/log/letsencrypt for more details.

Automating with a Lambda function

This is an awesome plugin! Thanks for creating this. I put together a quick how-to on turning the letsencrypt CLI with this plugin into an AWS Lambda function that can be setup to run on a regular schedule. This gives you a nice automated, server free, hands off process for using this plugin. I figured I'd at least share it here, for anyone interested. As this isn't really an issue, feel free to close.

domain.org and www.domain.org signing?

Hi,

I have a blog running on S3, set up like http://docs.aws.amazon.com/gettingstarted/latest/swh/website-hosting-intro.html

So I have a https://domain.org which is working fine with a letsencrypt cert through your script.

But when surfing through https://www.domain.org it's failing because the server's certificate doesn't match the URL.

I tried adding an additional domain with the -d parameter pointing to www.domain.org but then the script is failing.

2016-02-22 03:22:43,064:ERROR:acme.challenges:Unable to reach http://www.domain.org/.well-known/acme-challenge/TvngOJZhOaadrudpmHVXhtl3BXXX: hostname 'www.domain.org' doesn't match 'domain.org'
2016-02-22 03:22:43,064:ERROR:letsencrypt_s3front.authenticator:Self-verify of challenge failed, authorization abandoned!

Any idea how I could use the script to get them both signed?

Thanks in advance

Allow custom s3 bucket region_name

My S3 bucket is created in ap-northeast-1, and I have to modify the code in authenticator.py to pass additional parameters to boto3.resource to make it work:

s3 = boto3.resource('s3', region_name='ap-northeast-1')

ImportError: No module named setuptools_ext

Please help. I am on Debian, and after pip install letsencrypt-s3front I get this

Can't roll back cryptography; was not uninstalled
Cleaning up...
Command /usr/bin/python -c "import setuptools, tokenize;__file__='/tmp/pip-build-I02WKt/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-NEr5oh-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /tmp/pip-build-I02WKt/cryptography
Storing debug log for failure in /root/.pip/pip.log

Weird error messages, but the certificates are working

Hey (this is my first posted issue on GitHub and I'm not sure whether to post it here or not),

I've used this plugin to create a multidomain cert request, looking like this:
AWS_ACCESS_KEY_ID="myaccesskey" AWS_SECRET_ACCESS_KEY="mysecretkey" \
letsencrypt --agree-tos -a letsencrypt-s3front:auth \
--letsencrypt-s3front:auth-s3-bucket my.s3bucket.com \
--letsencrypt-s3front:auth-s3-region eu-west-1 \
-i letsencrypt-s3front:installer \
--letsencrypt-s3front:installer-cf-distribution-id mycfdistribution \
-d ms0.example.com -d ms1.example.com -d ms2.example.com -d ms3.example.com -d ms4.example.com \
-d ms5.example.com -d ms6.example.com -d ms7.example.com -d ms8.example.com -d ms9.example.com
(I'm using real values, I just removed the credentials and domain info.)

I had to give an e-mail address for the lost key recovery and information mails, which was also okay. Then the request was in process and I got the message that an error occurred, so I took a look into /var/log/letsencrypt/letsencrypt.log:
2016-05-26 11:27:22,292:DEBUG:botocore.parsers:Response body:

[XML error response; the tags were lost in the paste] Type: Sender, Code: IllegalUpdate, Message: Only one viewer certificate change may be in progress at a time. RequestId: cfa99dee-2334-11e6-b3be-f141091894dc
2016-05-26 11:27:22,292:DEBUG:botocore.hooks:Event needs-retry.cloudfront.UpdateDistribution: calling handler <botocore.retryhandler.RetryHandler object at 0x7f728a7d0610>
2016-05-26 11:27:22,292:DEBUG:botocore.retryhandler:No retry needed.
2016-05-26 11:27:22,293:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 361, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/local/lib/python2.7/dist-packages/letsencrypt_s3front/installer.py", line 87, in deploy_cert
    IfMatch=cf_cfg['ETag'])
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 258, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 548, in _make_api_call
    raise ClientError(parsed_response, operation_name)
ClientError: An error occurred (IllegalUpdate) when calling the UpdateDistribution operation: Only one viewer certificate change may be in progress at a time.

I was kinda confused because I took a peek into the CloudFront Console and saw that my distribution was processing and I had the option to choose between two custom SSL certificates (le-ms0.example.com and le-ms1.example.com-new). I didn't take any action, so right now it is using 'le-ms0.example.com' and all CNAMEs are using a valid SSL certificate. I wasn't really concerned as it was working (yeah, stupid attitude), but when I added '--renew-by-default --text' to the call to renew the certificate, it was giving me the following error:
2016-06-03 06:52:28,966:DEBUG:botocore.endpoint:Sending http request: <PreparedRequest [POST]>
2016-06-03 06:52:28,966:INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): iam.amazonaws.com
2016-06-03 06:52:29,313:DEBUG:botocore.vendored.requests.packages.urllib3.connectionpool:"POST / HTTP/1.1" 409 325
2016-06-03 06:52:29,314:DEBUG:botocore.parsers:Response headers: {'x-amzn-requestid': 'b8648e76-2957-11e6-8268-b3e3c27ca740', 'date': 'Fri, 03 Jun 2016 06:52:20 GMT', 'content-length': '325', 'content-type': 'text/xml'}
2016-06-03 06:52:29,314:DEBUG:botocore.parsers:Response body:
<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <Error>
    <Type>Sender</Type>
    <Code>EntityAlreadyExists</Code>
    <Message>The Server Certificate with name le-ms1.example.com-new already exists.</Message>
  </Error>
  <RequestId>b8648e76-2957-11e6-8268-b3e3c27ca740</RequestId>
</ErrorResponse>

2016-06-03 06:52:29,314:DEBUG:botocore.hooks:Event needs-retry.iam.UploadServerCertificate: calling handler <botocore.retryhandler.RetryHandler object at 0x7f44d46db9d0>
2016-06-03 06:52:29,314:DEBUG:botocore.retryhandler:No retry needed.
2016-06-03 06:52:29,315:DEBUG:botocore.hooks:Event after-call.iam.UploadServerCertificate: calling handler <function json_decode_policies at 0x7f44d8fb98c0>
2016-06-03 06:52:29,315:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 361, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/local/lib/python2.7/dist-packages/letsencrypt_s3front/installer.py", line 67, in deploy_cert
    CertificateChain=chain
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 258, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 548, in _make_api_call
    raise ClientError(parsed_response, operation_name)
ClientError: An error occurred (EntityAlreadyExists) when calling the UploadServerCertificate operation: The Server Certificate with name le-ms1.example.com-new already exists.

Still, the cloudfront distribution was starting to process but the date the certificate expires didn't change.

As this issue wasn't that time critical (still around 85 days left with a valid, working certificate), I decided to wait some days, and when I checked the certificate today, there were 7 days added to the certificate expiry date.
I'm kinda confused, as I wanted to chain the renew call with a deadmanssnitch call, but with an error in the renew call the cronjob is not firing the call to deadmanssnitch.

What am i missing?
Your help is greatly appreciated.

best regards,
René

Connection to IAM fails

I have setup certbot-s3front and everything on AWS side as per instructions. While executing command from the "How to use it" section (using my own credentials, etc)

certbot --agree-tos -a certbot-s3front:auth \
--certbot-s3front:auth-s3-bucket tuononen.eu \
--certbot-s3front:auth-s3-region eu-west-1 \
-i certbot-s3front:installer \
--certbot-s3front:installer-cf-distribution-id <<REMOVED>>  \
-d tuononen.eu

I receive the following error:

Found credentials in environment variables.
Starting new HTTPS connection (1): iam.Ireland.amazonaws.com
Starting new HTTPS connection (2): iam.Ireland.amazonaws.com
Starting new HTTPS connection (3): iam.Ireland.amazonaws.com
Starting new HTTPS connection (4): iam.Ireland.amazonaws.com
Starting new HTTPS connection (5): iam.Ireland.amazonaws.com
An unexpected error occurred:
EndpointConnectionError: Could not connect to the endpoint URL: "https://iam.Ireland.amazonaws.com/"
Please see the logfiles in /var/log/letsencrypt for more details.

From /var/log/letsencrypt/letsencrypt.log

2017-03-05 12:33:43,233:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 389, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/local/lib/python2.7/dist-packages/certbot_s3front/installer.py", line 67, in deploy_cert
    CertificateChain=chain
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 253, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 530, in _make_api_call
    operation_model, request_dict)
  File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 141, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 170, in _send_request
    success_response, exception):
  File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 249, in _needs_retry
    caught_exception=caught_exception, request_dict=request_dict)
  File "/usr/local/lib/python2.7/dist-packages/botocore/hooks.py", line 227, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/hooks.py", line 210, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 183, in __call__
    if self._checker(attempts, response, caught_exception):
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 251, in __call__
    caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 277, in _should_retry
    return self._checker(attempt_number, response, caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 317, in __call__
    caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 223, in __call__
    attempt_number, caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 359, in _check_caught_exception
    raise caught_exception
EndpointConnectionError: Could not connect to the endpoint URL: "https://iam.Ireland.amazonaws.com/"

2017-03-05 12:33:43,233:DEBUG:certbot.error_handler:Calling registered functions
2017-03-05 12:33:43,233:DEBUG:certbot.reporter:Reporting to user: Unable to install the certificate
2017-03-05 12:33:43,234:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 896, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 613, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 478, in _install_cert
    path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 389, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/local/lib/python2.7/dist-packages/certbot_s3front/installer.py", line 67, in deploy_cert
    CertificateChain=chain
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 253, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 530, in _make_api_call
    operation_model, request_dict)
  File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 141, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 170, in _send_request
    success_response, exception):
  File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 249, in _needs_retry
    caught_exception=caught_exception, request_dict=request_dict)
  File "/usr/local/lib/python2.7/dist-packages/botocore/hooks.py", line 227, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/hooks.py", line 210, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 183, in __call__
    if self._checker(attempts, response, caught_exception):
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 251, in __call__
    caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 277, in _should_retry
    return self._checker(attempt_number, response, caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 317, in __call__
    caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 223, in __call__
    attempt_number, caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 359, in _check_caught_exception
    raise caught_exception
EndpointConnectionError: Could not connect to the endpoint URL: "https://iam.Ireland.amazonaws.com/"

As far as I have understood, the endpoint for IAM should always be https://iam.amazonaws.com (see http://docs.aws.amazon.com/general/latest/gr/rande.html#iam_region).

What am I doing wrong? How to resolve this situation?

Allows illegal certs to be uploaded

CloudFront (regrettably) only supports 2048 bit keys, per this, but letsencrypt-s3front happily lets me upload (to IAM) a 4096 bit certificate.

It would be great if it could raise an error message when it is run against a key over 2048 bit and stop, rather than trying to update the distribution and failing.
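Added example (not the plugin's own code) of the check asked for above: read the RSA modulus size out of the PEM and refuse anything over the limit before the certificate is ever handed to IAM. It walks the DER with a few lines of parsing so it needs only the standard library; in a real plugin the same number comes from cryptography's load_pem_private_key(...).key_size. The 2048-bit limit is the one reported in this issue; the function names are assumptions, and synthetic_rsa_pem() builds structure-only fixtures (the numbers are not a real key pair) so the block runs stand-alone.

```python
"""Refuse an RSA key larger than CloudFront accepts before uploading to IAM.

Added example, not certbot-s3front's own code. Minimal DER walk so nothing
beyond the standard library is needed; MAX_BITS is the limit this issue
reports. synthetic_rsa_pem() is a constructed fixture, not a usable key.
"""
import base64
import re

MAX_BITS = 2048
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der_read(buf, pos):
    """Read one TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low seven bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _der_children(body):
    """(tag, value) for each TLV directly inside a constructed element's body."""
    pos, out = 0, []
    while pos < len(body):
        tag, start, end = _der_read(body, pos)
        out.append((tag, body[start:end]))
        pos = end
    return out


def _seq_body(buf):
    tag, start, end = _der_read(buf, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    return buf[start:end]


def rsa_modulus_bits(pem):
    """Bit length of n for a PKCS#1 (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY) RSA key."""
    m = re.search(r"-----BEGIN (RSA PRIVATE KEY|PRIVATE KEY)-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not an unencrypted PEM private key")
    fields = _der_children(_seq_body(base64.b64decode("".join(m.group(2).split()))))
    if m.group(1) == "PRIVATE KEY":
        # PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING privateKey }
        if _der_children(fields[1][1])[0] != (0x06, RSA_OID):
            raise ValueError("not an RSA key (algorithm OID differs)")
        fields = _der_children(_seq_body(fields[2][1]))
    # RSAPrivateKey ::= SEQUENCE { version, modulus n, publicExponent e, ... }
    if fields[1][0] != 0x02:
        raise ValueError("malformed RSAPrivateKey")
    return int.from_bytes(fields[1][1], "big").bit_length()


def key_fits_cloudfront(pem):
    """True when the key is within the limit; call this before upload_server_certificate."""
    return rsa_modulus_bits(pem) <= MAX_BITS


# --- constructed fixtures (structure only, not real key material) ----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def synthetic_rsa_pem(bits, pkcs8=False):
    """An RSA key DER whose modulus has exactly `bits` bits; numbers are arbitrary."""
    n = (1 << (bits - 1)) | 1
    der = _der_seq(_der_int(0), _der_int(n), _der_int(65537))
    if pkcs8:
        alg = _der_seq(b"\x06\x09" + RSA_OID, b"\x05\x00")
        der = _der_seq(_der_int(0), alg, b"\x04" + _der_len(len(der)) + der)
    label = "PRIVATE KEY" if pkcs8 else "RSA PRIVATE KEY"
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, b64, label)
```

Certbot writes privkey.pem in PKCS#8 form, so the PKCS#8 branch (with the rsaEncryption OID check) is the one that matters for this plugin; the PKCS#1 branch covers keys produced with openssl genrsa. Failing here costs nothing, whereas failing after IAM upload leaves an orphaned server certificate behind, as the renewal errors elsewhere on this page show.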

What is the best way to handle multiple CloudFront distribution ids?

Hello,

Let's say I have a single LE cert with multiple domains (specified with multiple -d) and would like to apply the same cert to multiple CloudFront Distributions (because they each serve from different S3 buckets).

What is the most efficient way to do it?

Run the command in a loop with the same command line arguments, except for the different cf-distribution-id?

Allow temporarily changing Viewer Protocol Policy

I like to keep my Viewer Protocol Policy as Redirect HTTP to HTTPS, but if that's the setting while running certbot, validation fails. It would be nice if I could have certbot set the Viewer Protocol Policy to HTTP and HTTPS, and back to Redirect HTTP to HTTPS after validation.
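Added example (not the plugin's own code) of the relax-then-restore flow the request above describes: flip every cache behaviour's ViewerProtocolPolicy to allow-all, run the validation, and restore the original policies afterwards even if validation fails. get_distribution_config and update_distribution(Id=..., IfMatch=..., DistributionConfig=...) are the boto3 CloudFront calls; FakeCloudFront is a constructed in-memory stand-in for boto3.client("cloudfront") so the block runs offline, SAMPLE_CONFIG is a constructed, trimmed DistributionConfig, and the function names are this example's own.

```python
"""Allow plain HTTP on a CloudFront distribution while an http-01 validation
runs, then put the original viewer protocol policy back.

Added example, not certbot-s3front's own code. FakeCloudFront and
SAMPLE_CONFIG are constructed stand-ins so this runs without AWS access.
"""
import copy

ALLOW_ALL = "allow-all"


def _behaviours(config):
    """Every behaviour carrying a ViewerProtocolPolicy: the default one and
    each entry under CacheBehaviors.Items, in a stable order."""
    yield config["DefaultCacheBehavior"]
    for item in config.get("CacheBehaviors", {}).get("Items", []):
        yield item


def relax_viewer_policy(config):
    """Copy of config with HTTP allowed everywhere, plus the original policies
    (behaviour order) so they can be restored later."""
    relaxed = copy.deepcopy(config)
    saved = [b["ViewerProtocolPolicy"] for b in _behaviours(relaxed)]
    for b in _behaviours(relaxed):
        b["ViewerProtocolPolicy"] = ALLOW_ALL
    return relaxed, saved


def restore_viewer_policy(config, saved):
    """Apply saved policies onto a freshly fetched config, so changes made in
    between (e.g. a new ViewerCertificate set by the installer) survive."""
    restored = copy.deepcopy(config)
    for b, policy in zip(_behaviours(restored), saved):
        b["ViewerProtocolPolicy"] = policy
    return restored


def with_relaxed_policy(cf, dist_id, action):
    """Run action() while the distribution accepts HTTP; always restore.
    Each update re-reads the ETag, so a concurrent edit fails the IfMatch
    precondition instead of being silently overwritten."""
    resp = cf.get_distribution_config(Id=dist_id)
    relaxed, saved = relax_viewer_policy(resp["DistributionConfig"])
    cf.update_distribution(Id=dist_id, IfMatch=resp["ETag"], DistributionConfig=relaxed)
    try:
        return action()
    finally:
        resp = cf.get_distribution_config(Id=dist_id)
        restored = restore_viewer_policy(resp["DistributionConfig"], saved)
        cf.update_distribution(Id=dist_id, IfMatch=resp["ETag"], DistributionConfig=restored)


class FakeCloudFront:
    """Constructed stand-in for the boto3 client: one config kept in memory and
    the same ETag precondition the real API enforces."""

    def __init__(self, config):
        self.config, self.etag, self.updates = copy.deepcopy(config), "E1", 0

    def get_distribution_config(self, Id):
        return {"ETag": self.etag, "DistributionConfig": copy.deepcopy(self.config)}

    def update_distribution(self, Id, IfMatch, DistributionConfig):
        if IfMatch != self.etag:
            raise RuntimeError("PreconditionFailed: stale ETag %s" % IfMatch)
        self.config = copy.deepcopy(DistributionConfig)
        self.updates += 1
        self.etag = "E%d" % (self.updates + 1)
        return {"ETag": self.etag}


SAMPLE_CONFIG = {  # constructed; a real DistributionConfig carries many more keys
    "DefaultCacheBehavior": {"TargetOriginId": "s3-site", "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/images/*", "TargetOriginId": "s3-site", "ViewerProtocolPolicy": "https-only"},
    ]},
}


def demo(fail=False):
    """Returns (policy seen during validation, final config, number of updates)."""
    cf = FakeCloudFront(SAMPLE_CONFIG)
    seen = []

    def validate():
        seen.append(cf.config["DefaultCacheBehavior"]["ViewerProtocolPolicy"])
        if fail:
            raise RuntimeError("challenge failed")
        return "ok"

    try:
        with_relaxed_policy(cf, "EXAMPLEDISTID", validate)
    except RuntimeError:
        pass
    return seen[0], cf.config, cf.updates
```

Against a real distribution the relaxed config takes minutes to deploy, so the validation request belongs after boto3's distribution_deployed waiter returns; issuing a second update while the first is still in progress is exactly what produces the "Only one viewer certificate change may be in progress at a time" IllegalUpdate reported elsewhere on this page.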

How to Install the certificate for second time without prompts

Hello, I created a cert for a CloudFront distribution; when uploading it, I got an error installing it due to an AWS restriction.

Now the certificate exists, and when I run the command again, it asks me either to install it again (option 1) or renew it (option 2).

How do I tell it to install it again without prompts?

Multiple domains for single certificate

Trying to use this for a domain where it is needed to have both www.example.com and example.com. When trying to use the original command, only one of the domains is added and the second domain fails.

Is it possible to get both domains incorporated and uploaded to be used in CloudFront?

How can I create a cert for example.com & www.example.com?

Here is the command I tried:

AWS_ACCESS_KEY_ID="" AWS_SECRET_ACCESS_KEY="" certbot --agree-tos -a certbot-s3front:auth --certbot-s3front:auth-s3-bucket example.com --certbot-s3front:auth-s3-region us-west-1 -i certbot-s3front:installer --certbot-s3front:installer-cf-distribution-id <ID> --config-dir ./config --work-dir ./work --logs-dir ./logs -d www.example.com -d example.com

When I add the www.example.com, it fails. If I just run this with example.com, it works. It logs the following:

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Found credentials in environment variables.
Calling s3:put_object with {'Body': u'<id>', u'Bucket': 'example.com', 'Key': u'.well-known/acme-challenge/<id>', 'ACL': 'public-read'}
Starting new HTTPS connection (1): s3-us-west-1.amazonaws.com
Starting new HTTP connection (1): example.com
Starting new HTTPS connection (1): example.com
Calling s3:put_object with {'Body': u'<id>', u'Bucket': 'example.com', 'Key': u'.well-known/acme-challenge/<id>', 'ACL': 'public-read'}
Starting new HTTPS connection (1): s3-us-west-1.amazonaws.com
Starting new HTTP connection (1): www.example.com
Starting new HTTPS connection (1): www.example.com
Unable to reach http://www.example.com/.well-known/acme-challenge/<id>: hostname 'www.example.com' doesn't match 'example.com'
Self-verify of challenge failed, authorization abandoned!
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): s3-us-west-1.amazonaws.com
Incomplete authorizations

Note that I added www.example.com AFTER initially setting up the cert with example.com.
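
A pre-flight check for the apex + www case above, added here as an example and not part of certbot-s3front or the reporter's setup. certbot self-verifies each http-01 challenge by fetching http://<name>/.well-known/acme-challenge/<token>; when CloudFront answers that with a redirect to HTTPS and the certificate it currently serves does not list the name, the fetch fails with "hostname ... doesn't match", as the log shows for www.example.com. The script fetches the challenge path over plain HTTP without following redirects and compares each requested name against the DNS SANs of the certificate served on 443. The fetchers are injectable so the decision logic can be exercised offline; the verdict strings, the probe token and the `CHALLENGE_PREFIX` constant are this example's own.

```python
"""Pre-flight check for multi-domain http-01 validation behind CloudFront.
Added example, not certbot-s3front's code; fetchers are injectable for
offline testing and the verdict names are this example's own."""
import http.client
import socket
import ssl

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def san_covers(san_names, hostname):
    """True if hostname is matched by one of the certificate's DNS SANs.
    A wildcard matches exactly one left-most label and never the bare apex."""
    hostname = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # ".example.com"
            if hostname.endswith(suffix):
                left = hostname[: -len(suffix)]
                if left and "." not in left:
                    return True
    return False


def dns_sans(peercert):
    """DNS entries from the subjectAltName tuple of ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def classify_http_response(status, headers):
    """Classify a plain-HTTP fetch of the challenge path.
    'http-direct': the origin answered over HTTP (a 404 for a probe token is
    fine; the real token object will be served the same way).
    'redirect-https': the validator is sent to HTTPS, so the certificate
    currently served must cover the name.  Anything else is 'error'."""
    if 200 <= status < 300 or 400 <= status < 500:
        return "http-direct"
    if status in (301, 302, 303, 307, 308):
        location = headers.get("location", "")
        return "redirect-https" if location.lower().startswith("https://") else "error"
    return "error"


def fetch_challenge_path(domain, token="preflight-probe", timeout=10):
    """GET the challenge path on port 80 without following redirects."""
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def fetch_tls_sans(domain, timeout=10):
    """DNS SANs of the certificate served on port 443 for this name.  Hostname
    checking is disabled on purpose so the SAN list is returned even for the
    wrong certificate; the chain is still verified."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((domain, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return dns_sans(tls.getpeercert())


def preflight(domains, http_fetch=fetch_challenge_path, tls_fetch=fetch_tls_sans):
    """Map each name to a verdict.  Every name should be 'http-direct' or
    'ok-via-https' before running certbot with all of the -d flags."""
    report = {}
    for domain in domains:
        status, headers = http_fetch(domain)
        verdict = classify_http_response(status, headers)
        if verdict == "redirect-https":
            verdict = "ok-via-https" if san_covers(tls_fetch(domain), domain) else "tls-cert-missing-name"
        report[domain] = verdict
    return report


if __name__ == "__main__":
    import sys
    for name, verdict in preflight(sys.argv[1:]).items():
        print("%-40s %s" % (name, verdict))
```

Run it as `python3 preflight.py example.com www.example.com`. A `tls-cert-missing-name` verdict for www means the distribution is redirecting to HTTPS with a certificate that only names the apex, which is the situation the README's "both HTTP and HTTPS traffic are enabled" note is there to avoid: serve the challenge over plain HTTP (or get a certificate that covers both names first) before adding the second `-d`.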

acme>=0.1.2 dependency?

Hi, trying to install using pip I get an error due to an unsatisfied dependency on acme>=0.1.2:

alastair@vm-debian ~ » pip install --user letsencrypt-s3front
Downloading/unpacking letsencrypt-s3front
  Downloading letsencrypt-s3front-0.1.2.tar.gz
  Running setup.py (path:/tmp/pip-build-T2gXST/letsencrypt-s3front/setup.py) egg_info for package letsencrypt-s3front

    warning: no files found matching '*' under directory 'docs'
    warning: no files found matching '*' under directory 'letsencrypt_cloudfront/tests/testdata'
Downloading/unpacking acme>=0.1.2 (from letsencrypt-s3front)
  Could not find a version that satisfies the requirement acme>=0.1.2 (from letsencrypt-s3front) (from versions: 0.0.0.dev20151006, 0.0.0.dev20151008, 0.0.0.dev20151017, 0.0.0.dev20151020, 0.0.0.dev20151021, 0.0.0.dev20151024, 0.0.0.dev20151030, 0.0.0.dev20151104, 0.0.0.dev20151107, 0.0.0.dev20151108, 0.0.0.dev20151114, 0.0.0.dev20151123, 0.0.0.dev20151201, 0.1.0, 0.1.1, 0.0.0.dev20151006, 0.0.0.dev20151008, 0.0.0.dev20151017, 0.0.0.dev20151020, 0.0.0.dev20151021, 0.0.0.dev20151024, 0.0.0.dev20151030, 0.0.0.dev20151104, 0.0.0.dev20151107, 0.0.0.dev20151108, 0.0.0.dev20151114, 0.0.0.dev20151123, 0.0.0.dev20151201, 0.1.0, 0.1.1)
Cleaning up...
No distributions matching the version for acme>=0.1.2 (from letsencrypt-s3front)
Storing debug log for failure in /home/alastair/.pip/pip.log

From what I can tell, 0.1.1 is the most recent version of acme, but I could be missing something obvious...

On a related note, is it valid to use the --user option as I have done here?

unrecognized arguments: --certbot-s3front:auth-s3-bucket

The following script has worked fine for months, but now I get the error in the title when trying to renew my certificate.

#!/bin/sh

# run with sudo bash -c certbot-aws.sh

export AWS_ACCESS_KEY_ID="MY_KEY"
export AWS_SECRET_ACCESS_KEY="MY_KEY"

certbot --agree-tos -a certbot-s3front:auth \
--certbot-s3front:auth-s3-bucket eang.it \
--certbot-s3front:auth-s3-region eu-central-1 \
-i certbot-s3front:installer \
--certbot-s3front:installer-cf-distribution-id MY_ID \
-d eang.it

The extended error is:

$ sudo bash -c certbot-aws.sh
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --certbot-s3front:auth-s3-bucket eang.it --certbot-s3front:auth-s3-region eu-central-1 --certbot-s3front:installer-cf-distribution-id MY_ID

Any idea what I am doing wrong?

certbot-s3front version is 0.3.1
certbot version is 0.15

ClientError: An error occurred (EntityAlreadyExists) when calling the UploadServerCertificate operation

I am getting the following error when attempting to run (after previously uploading a cert):

root@21cd5fad0b71:/# letsencrypt --text --agree-tos -a letsencrypt-s3front:auth --letsencrypt-s3front:auth-s3-bucket $S3_BUCKET -i letsencrypt-s3front:installer --letsencrypt-s3front:installer-cf-distribution-id $CLOUDFRONT_DISTRIBUTION_ID -c /etc/letsencrypt/cli.ini
An unexpected error occurred:
ClientError: An error occurred (EntityAlreadyExists) when calling the UploadServerCertificate operation: The Server Certificate with name le-www.example.com-new already exists.
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.example.com/fullchain.pem.
   Your cert will expire on 2016-04-01. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.

Am I supposed to manually remove the old cert before running this again?

Python Dialog requirements

On Mac OS I was required to install the dialog utility for it to work. It could be useful to add it to the README:

brew install dialog

NoCredentialsError only when running as Cronjob

I'm at the point of renewal and I noticed the cron job I'd set up had failed.

The output shows a NoCredentialsError. This is the command I'm running under root:

/bin/bash /home/forge/bin/cf-letsencrypt.sh

When I tried it without /bin/bash it failed to find the source; adding that fixed that issue, but now I'm seeing the credentials error instead. I've tried explicitly stating the credentials as shown in previous examples and also setting the credentials up using aws configure.

If I run the .sh script directly from putty then it works (with or without explicitly stating the credentials) without any issues, any ideas?

As the certificate itself is generating okay, I'm probably using up my allotment doing these tests.

I've included the full error output below in-case it helps

2016-02-01 15:25:04,152:ERROR:letsencrypt.error_handler:Encountered exception during recovery
2016-02-01 15:25:04,152:ERROR:letsencrypt.error_handler:Unable to locate credentials
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/letsencrypt/error_handler.py", line 74, in call_registered
    self.funcs[-1]()
  File "build/bdist.linux-x86_64/egg/letsencrypt/auth_handler.py", line 280, in _cleanup_challenges
    self.dv_auth.cleanup(dv_c)
  File "build/bdist.linux-x86_64/egg/letsencrypt_s3front/authenticator.py", line 78, in cleanup
    client.delete_object(Bucket=self.conf('s3-bucket'), Key=achall.chall.path[1:])
  File "/home/forge/.local/share/letsencrypt/local/lib/python2.7/site-packages/botocore-1.3.18-py2.7.egg/botocore/client.py", line 310, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/forge/.local/share/letsencrypt/local/lib/python2.7/site-packages/botocore-1.3.18-py2.7.egg/botocore/client.py", line 396, in _make_api_call
    operation_model, request_dict)
  File "/home/forge/.local/share/letsencrypt/local/lib/python2.7/site-packages/botocore-1.3.18-py2.7.egg/botocore/endpoint.py", line 111, in make_request
    return self._send_request(request_dict, operation_model)
  File "/home/forge/.local/share/letsencrypt/local/lib/python2.7/site-packages/botocore-1.3.18-py2.7.egg/botocore/endpoint.py", line 136, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/home/forge/.local/share/letsencrypt/local/lib/python2.7/site-packages/botocore-1.3.18-py2.7.egg/botocore/endpoint.py", line 120, in create_request
    operation_name=operation_model.name)
  File "/home/forge/.local/share/letsencrypt/local/lib/python2.7/site-packages/botocore-1.3.18-py2.7.egg/botocore/hooks.py", line 226, in emit
    return self._emit(event_name, kwargs)
  File "/home/forge/.local/share/letsencrypt/local/lib/python2.7/site-packages/botocore-1.3.18-py2.7.egg/botocore/hooks.py", line 209, in _emit
    response = handler(**kwargs)
  File "/home/forge/.local/share/letsencrypt/local/lib/python2.7/site-packages/botocore-1.3.18-py2.7.egg/botocore/signers.py", line 84, in handler
    return self.sign(operation_name, request)
  File "/home/forge/.local/share/letsencrypt/local/lib/python2.7/site-packages/botocore-1.3.18-py2.7.egg/botocore/signers.py", line 119, in sign
    signer.add_auth(request=request)
  File "/home/forge/.local/share/letsencrypt/local/lib/python2.7/site-packages/botocore-1.3.18-py2.7.egg/botocore/auth.py", line 621, in add_auth
    raise NoCredentialsError
NoCredentialsError: Unable to locate credentials
An unexpected error occurred:
NoCredentialsError: Unable to locate credentials

VersionConflict: (letsencrypt 0.1.1 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('letsencrypt>=0.1.2'))

I am getting the following when attempting to run:

root@97ff5ba02845:/# letsencrypt --text --agree-tos -a letsencrypt-s3front:auth \
> --letsencrypt-s3front:auth-s3-bucket $S3_BUCKET \
> -i letsencrypt-s3front:installer \
> --letsencrypt-s3front:installer-cf-distribution-id $CLOUDFRONT_DISTRIBUTION_ID \
> -c /etc/letsencrypt/cli.ini
An unexpected error occurred:
VersionConflict: (letsencrypt 0.1.1 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('letsencrypt>=0.1.2'))
Please see the logfile 'letsencrypt.log' for more details.

Here is the contents of the letsencrypt.log:

Traceback (most recent call last):
  File "/usr/local/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1349, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/local/lib/python2.7/dist-packages/letsencrypt/plugins/disco.py", line 168, in find_all
    plugin_ep = PluginEntryPoint(entry_point)
  File "/usr/local/lib/python2.7/dist-packages/letsencrypt/plugins/disco.py", line 31, in __init__
    self.plugin_cls = entry_point.load()
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2379, in load
    self.require(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2396, in require
    items = working_set.resolve(reqs, env, installer)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 854, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
VersionConflict: (letsencrypt 0.1.1 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('letsencrypt>=0.1.2'))

It looks like this commit is the cause: 3d75b4e

Letsencrypt hasn't released a 0.1.2 version yet.

can the authenticator be run without running the installer?

Is it possible to run something like

AWS_ACCESS_KEY_ID="your_key" \
AWS_SECRET_ACCESS_KEY="your_secret" \
letsencrypt --agree-tos -a letsencrypt-s3front:auth \
--letsencrypt-s3front:auth-s3-bucket the_bucket \
-d the_domain

to run just the authenticator part and not the installer?

I can then use an http redirect from my web server to the auth file in s3. This is useful for our situation where we have hundreds of domains behind one ELB, so we can avoid creating symlinks to --webroot directory

Renewing every 90 days?

@Spittal and I are looking to use this but have you thought of a good way to handle the fact these need to renew every 90 days?

Can this tool be set up on a cron job to automatically connect to the server and re-do the cert, and re-attach it to the CloudFront distribution?

Thanks!
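
A cron wrapper that addresses the two posts above (credentials missing under cron, and unattended renewal) and the earlier question about re-running without prompts. It is an added example, not certbot-s3front's own code. Cron starts jobs with an almost empty environment, so AWS_* variables exported from a login shell are absent there; the wrapper loads them from a root-owned, mode-0600 file and refuses to run when they are missing, so the failure is reported before any challenge object is written to S3. The credentials file path, the crontab line and the assumption that `certbot renew` re-reads the plugin options certbot saved at issuance are this example's; `--non-interactive` and `--keep-until-expiring` are certbot's own flags.

```sh
#!/bin/sh
# Cron wrapper for certbot-s3front renewals.  Added example, not the plugin's
# code.  Loads AWS credentials from a root-owned file because cron does not
# inherit the variables exported in an interactive shell.
set -eu

# Assumed location.  Create it with:
#   umask 077; printf 'AWS_ACCESS_KEY_ID=...\nAWS_SECRET_ACCESS_KEY=...\n' > /root/.certbot-s3front/aws.env
CREDS_FILE="${CREDS_FILE:-/root/.certbot-s3front/aws.env}"

# load_aws_creds FILE: export the KEY=VALUE pairs in FILE.  Returns 1 when the
# file is unreadable, is group/world-readable, or does not set both variables.
load_aws_creds() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "credentials file $file is not readable" >&2
        return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback; anything but 600/400 is refused
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null || true)
    case "$mode" in
        600|400) ;;
        *) echo "refusing $file: mode '$mode', expected 600" >&2; return 1 ;;
    esac
    set -a                      # every assignment sourced below becomes exported
    . "$file"
    set +a
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "$file must set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY" >&2
        return 1
    fi
    return 0
}

# renew_certificates: unattended renewal.  `certbot renew` re-reads the options
# certbot saved for each certificate at issuance; this example assumes that
# includes the s3front authenticator and installer options.  If your version
# does not persist them, repeat the full original command here with
# --non-interactive --keep-until-expiring, which also answers the
# "install again or renew" prompt without input.
renew_certificates() {
    certbot renew --non-interactive
}

# Guarded so the functions can be sourced without side effects; cron runs it
# with RUN_RENEW=1, for example (assumed path and schedule):
#   17 3 * * 1 RUN_RENEW=1 /usr/local/sbin/renew-s3front.sh >>/var/log/renew-s3front.log 2>&1
if [ "${RUN_RENEW:-0}" = "1" ]; then
    load_aws_creds "$CREDS_FILE"
    renew_certificates
fi
```

Keeping the keys in a file the script checks, rather than in the crontab or in the script body, means the script can be world-readable and version-controlled while the secret stays at 0600; the mode check catches the common mistake of creating the file with a default umask.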

Error while running on mac: Self-verify of challenge failed, authorization abandoned!

$ cat run_certbot.sh
#!/bin/bash

# the two assignments apply only to the certbot command that follows them
AWS_ACCESS_KEY_ID="<<REMOVED>>" \
AWS_SECRET_ACCESS_KEY="<<REMOVED>>" \
certbot --agree-tos -a certbot-s3front:auth \
--certbot-s3front:auth-s3-bucket <<REMOVED>> \
--certbot-s3front:auth-s3-region us-east-1 \
--certbot-s3front:auth-s3-directory "" \
-i certbot-s3front:installer \
--certbot-s3front:installer-cf-distribution-id <<REMOVED>> \
-d <<REMOVED>> -d <<REMOVED>>

$ sudo ./run_certbot.sh
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator certbot-s3front:auth, Installer certbot-s3front:installer
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <<REMOVED>>
http-01 challenge for <<REMOVED>>
Found credentials in environment variables.
Starting new HTTPS connection (1): s3.amazonaws.com
Self-verify of challenge failed, authorization abandoned!
Starting new HTTPS connection (1): s3.amazonaws.com
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): s3.amazonaws.com
Incomplete authorizations

Please update docs more clear

Where can I run the command below?

# --certbot-s3front:auth-s3-region defaults to us-east-1 and
# --certbot-s3front:auth-s3-directory defaults to ""; drop either line to keep the default
AWS_ACCESS_KEY_ID="REPLACE_WITH_YOUR_KEY" \
AWS_SECRET_ACCESS_KEY="REPLACE_WITH_YOUR_SECRET" \
certbot --agree-tos -a certbot-s3front:auth \
--certbot-s3front:auth-s3-bucket REPLACE_WITH_YOUR_BUCKET_NAME \
--certbot-s3front:auth-s3-region your-bucket-region-name \
--certbot-s3front:auth-s3-directory your-bucket-directory \
-i certbot-s3front:installer \
--certbot-s3front:installer-cf-distribution-id REPLACE_WITH_YOUR_CF_DISTRIBUTION_ID \
-d REPLACE_WITH_YOUR_DOMAIN

In the terminal, or in which file?

Unable to install certificate

Initially, I was getting this error during cert installation to CloudFront:

An unexpected error occurred:
ClientError: An error occurred (InvalidViewerCertificate) when calling the UpdateDistribution operation: Your IAMCertificateId does not match the given Certificate field.

I thought this might be due to there already existing a certificate for the distribution, so I removed that.

But now I'm getting:

An unexpected error occurred:
ClientError: An error occurred (InvalidViewerCertificate) when calling the UpdateDistribution operation: Cannot specify IAMCertificateId and a CertificateSource not equal to "iam".

Ideas?

Can't install certbot-s3front on VoidLinux with LibreSSL

Hello! I have a problem installing certbot-s3front. I'm running VoidLinux with LibreSSL 2.5.4. Here is the result of pip install certbot-s3front:

building '_openssl' extension
    creating build/temp.linux-x86_64-2.7/build
    creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
    x86_64-unknown-linux-gnu-gcc -pthread -fno-strict-aliasing -fstack-protector-strong -D_FORTIFY_SOURCE=2 -mtune=generic -O2 -pipe -g -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
    In file included from /usr/include/openssl/x509.h:595:0,
                     from /usr/include/openssl/engine.h:96,
                     from build/temp.linux-x86_64-2.7/_openssl.c:516:
    build/temp.linux-x86_64-2.7/_openssl.c:3482:19: error: expected identifier or '(' before numeric constant
     static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
                       ^
    build/temp.linux-x86_64-2.7/_openssl.c:3483:19: error: expected identifier or '(' before numeric constant
     static const long X509_V_ERR_EMAIL_MISMATCH = 0;
                       ^
    build/temp.linux-x86_64-2.7/_openssl.c:3484:19: error: expected identifier or '(' before numeric constant
     static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
                       ^
    error: command 'x86_64-unknown-linux-gnu-gcc' failed with exit status 1

Error on non-us region.

Hi,

Trying to create a certificate in Frankfurt ends up with this error:

hostname 'example.com' doesn't match either of 'cloudfront.net', '*.cloudfront.net'

In a US region it works fine.

EntityAlreadyExistsException

This plugin worked the first time I tried it, but every time after that I get the following error:

EntityAlreadyExistsException: An error occurred (EntityAlreadyExists) when calling the UploadServerCertificate operation. The Server Certificate with name xxxxxx already exists.

Should the plugin be able to replace the certificate automatically? Or is it expected that we manually delete old certificates?
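
One way to avoid the EntityAlreadyExists failure reported here and in the earlier "ClientError ... UploadServerCertificate" post, added as an example and not certbot-s3front's own code: upload every new certificate to IAM under a unique, timestamped name instead of a fixed one such as le-www.example.com-new, point the distribution at the new IAMCertificateId, and only then prune the superseded copies. The IAM client is passed in (`boto3.client("iam")` in real use, a fake in the test) so the logic runs offline; the naming scheme, the helper names and the "keep whatever is still attached" rule are this example's choices. The `/cloudfront/` path and the `upload_server_certificate`, `list_server_certificates` and `delete_server_certificate` calls are boto3's real IAM API.

```python
"""Rotate IAM server certificates under unique names and prune old copies.
Added example, not certbot-s3front's code.  Pass boto3.client("iam") as `iam`;
the naming scheme below is this example's own."""
import datetime
import re

IAM_PATH = "/cloudfront/"     # CloudFront only accepts IAM certificates stored under this path
NAME_RE = re.compile(r"^le-(?P<domain>[a-z0-9.-]+)-(?P<stamp>\d{14})$")   # assumed scheme


def cert_name(domain, now=None):
    """Unique, lexically sortable name: le-<domain>-<UTC timestamp>."""
    now = now or datetime.datetime.utcnow()
    return "le-%s-%s" % (domain.lower(), now.strftime("%Y%m%d%H%M%S"))


def upload_unique(iam, domain, cert_pem, key_pem, chain_pem, now=None):
    """UploadServerCertificate under a fresh name; returns (name, certificate id).
    The id is what CloudFront's ViewerCertificate.IAMCertificateId takes, together
    with CertificateSource="iam" (see the InvalidViewerCertificate post above)."""
    name = cert_name(domain, now)
    resp = iam.upload_server_certificate(
        Path=IAM_PATH,
        ServerCertificateName=name,
        CertificateBody=cert_pem,
        PrivateKey=key_pem,
        CertificateChain=chain_pem,
    )
    return name, resp["ServerCertificateMetadata"]["ServerCertificateId"]


def list_domain_certs(iam, domain):
    """All le-<domain>-* certificates under IAM_PATH, following IAM's Marker pagination."""
    found, marker = [], None
    while True:
        kwargs = {"PathPrefix": IAM_PATH}
        if marker:
            kwargs["Marker"] = marker
        page = iam.list_server_certificates(**kwargs)
        for meta in page["ServerCertificateMetadataList"]:
            m = NAME_RE.match(meta["ServerCertificateName"])
            if m and m.group("domain") == domain.lower():
                found.append(meta)
        if not page.get("IsTruncated"):
            return found
        marker = page["Marker"]


def prune_old(iam, domain, keep_name, in_use_id=None):
    """Delete superseded copies, keeping keep_name and whatever the distribution
    still references.  Call this only after UpdateDistribution has succeeded:
    IAM refuses (DeleteConflict) to delete a certificate that is still attached."""
    deleted = []
    for meta in list_domain_certs(iam, domain):
        name = meta["ServerCertificateName"]
        if name == keep_name or meta["ServerCertificateId"] == in_use_id:
            continue
        iam.delete_server_certificate(ServerCertificateName=name)
        deleted.append(name)
    return sorted(deleted)
```

The IAM policy for this needs iam:UploadServerCertificate, iam:ListServerCertificates and iam:DeleteServerCertificate in addition to the CloudFront permissions the README's sample policy grants; scoping the delete to the `/cloudfront/le-*` naming pattern keeps a leaked key from removing certificates that were not issued by this process.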
