Comments (12)
The certs themselves are fine, as I'm able to just grab them after the failure and successfully upload them with $ aws iam upload-server-certificate from the shell.
from certbot-s3front.
I also tried patching this call to also set:
cf_cfg['DistributionConfig']['ViewerCertificate']['CertificateSource'] = 'iam'
but no cigar; that took me back to the original error I was getting.
from certbot-s3front.
From the logs, this is what we GET for the distribution config:
<ViewerCertificate>
<CertificateSource>cloudfront</CertificateSource>
<MinimumProtocolVersion>SSLv3</MinimumProtocolVersion>
<CloudFrontDefaultCertificate>true</CloudFrontDefaultCertificate>
</ViewerCertificate>
And this is what we POST back:
<ViewerCertificate>
<MinimumProtocolVersion>SSLv3</MinimumProtocolVersion>
<IAMCertificateId>REDACTED</IAMCertificateId>
<CertificateSource>iam</CertificateSource>
</ViewerCertificate>
The value for <IAMCertificateId> is definitely the same as in the response to uploading the cert (from the <ServerCertificateId> field). So from the error "Your IAMCertificateId does not match the given Certificate field", I really have no idea what "Certificate field" refers to; even http://docs.aws.amazon.com/AmazonCloudFront/latest/APIReference/PutConfig.html only lists the <ViewerCertificate> stuff above.
Any pointers appreciated.
from certbot-s3front.
I am experiencing this as well
from certbot-s3front.
I was able to use the web console to set the certificate and everything worked
from certbot-s3front.
I was able to get it working after appending the following:
cf_cfg['DistributionConfig']['ViewerCertificate']['Certificate'] = cert_id
cf_cfg['DistributionConfig']['ViewerCertificate']['CertificateSource'] = 'iam'
cf_cfg['DistributionConfig']['ViewerCertificate']['SSLSupportMethod'] = 'sni-only'
cf_cfg['DistributionConfig']['ViewerCertificate']['MinimumProtocolVersion'] = 'TLSv1'
from certbot-s3front.
Well done! Looking forward to this landing in a release. :)
from certbot-s3front.
That should be fixed (partially) with this commit but I'm not sure if it's in a release.
from certbot-s3front.
Also, @dillona, the line cf_cfg['DistributionConfig']['ViewerCertificate']['SSLSupportMethod'] = 'sni-only' should be configurable since some CF distributions may be paying for the dedicated IP to support non-SNI clients.
from certbot-s3front.
@ryansb In my PR #13 I only set sni-only as a default if nothing else is already set.
So if you are already paying for the dedicated IPs, nothing will be changed
from certbot-s3front.
@dillona Oh, that does handle it. Thanks for pointing that out.
from certbot-s3front.
That PR was merged so you should be all good to go now. Thanks everyone!
from certbot-s3front.
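The ViewerCertificate change worked out in this thread, as an added example that is not part of the original comments or the certbot-s3front code: it switches a distribution from the default CloudFront certificate to an IAM one, keeps an existing SSLSupportMethod (so a dedicated-IP distribution is not changed), and raises SSLv3 to TLSv1. The function name, the sample dicts and the certificate ID are constructed for illustration.

```python
import copy

# Protocol floor that gets raised. SSLv3 is what the GET response in this
# thread showed; the value it is raised to is an argument.
WEAK_PROTOCOLS = {"SSLv3"}

# Constructed sample: the ViewerCertificate from the GET response quoted above.
SAMPLE_DEFAULT = {
    "CertificateSource": "cloudfront",
    "MinimumProtocolVersion": "SSLv3",
    "CloudFrontDefaultCertificate": True,
}

# Constructed sample: a distribution already paying for dedicated IPs.
SAMPLE_VIP = {
    "CertificateSource": "iam",
    "IAMCertificateId": "OLD-PLACEHOLDER-ID",
    "Certificate": "OLD-PLACEHOLDER-ID",
    "SSLSupportMethod": "vip",
    "MinimumProtocolVersion": "TLSv1.2_2018",
}


def build_viewer_certificate(existing, cert_id, min_protocol="TLSv1"):
    """Return a new ViewerCertificate dict pointing at IAM certificate cert_id.

    `existing` is the ViewerCertificate from the current distribution config;
    it is copied, not modified.
    """
    vc = copy.deepcopy(existing or {})
    # The default *.cloudfront.net certificate cannot be combined with an
    # IAM certificate, so drop the flag instead of posting both.
    vc.pop("CloudFrontDefaultCertificate", None)
    # The three fields the working comment above ended up setting together.
    vc["IAMCertificateId"] = cert_id
    vc["Certificate"] = cert_id
    vc["CertificateSource"] = "iam"
    # Default to SNI only when nothing is set, so "vip" is left alone.
    vc.setdefault("SSLSupportMethod", "sni-only")
    # Raise a missing or weak protocol floor; keep anything stricter.
    if vc.get("MinimumProtocolVersion", "SSLv3") in WEAK_PROTOCOLS:
        vc["MinimumProtocolVersion"] = min_protocol
    return vc


if __name__ == "__main__":
    print(build_viewer_certificate(SAMPLE_DEFAULT, "NEW-PLACEHOLDER-ID"))
    print(build_viewer_certificate(SAMPLE_VIP, "NEW-PLACEHOLDER-ID"))
```

The result would be assigned to cf_cfg['DistributionConfig']['ViewerCertificate'] before the config is sent back.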