
Comments (7)

aripringle avatar aripringle commented on September 23, 2024

@rene-pxl I believe you're running into an issue where specifying multiple domain names causes multiple certificates to be unnecessarily uploaded to IAM/CloudFront. It's unresolved at the moment, although I commented on #31 regarding the issue.

Also, for what it's worth, once you get "stuck" in this situation, you probably need to delete the "le-ms1.example.com-new" certificate manually, or else the renewals won't work. This can be done using the AWS CLI:
aws iam delete-server-certificate --server-certificate-name le-ms1.example.com-new

from certbot-s3front.

reh-NAH-toos avatar reh-NAH-toos commented on September 23, 2024

@aripringle
Thanks for your reply.
Yeah, that's what I thought as well.
So far I never needed to manually delete any certificates; it still worked to renew the certificates (for all domains, not only for one or specific ones).
I will try to keep an eye on updates and fixes and, in case I need to, use your CLI command.

best regards,
rené


dlapiduz avatar dlapiduz commented on September 23, 2024

@rene-pxl I think the issue is solved now but please let me know if you see it again.


ilarischeinin avatar ilarischeinin commented on September 23, 2024

I just ran into this issue. I wanted to create a cert that includes domain.com, www.domain.com, and cdn.domain.com. This resulted in an attempt to install the same certificate multiple times, and the error message mentioned above. (I used only the installer part of s3front and webroot for the authenticator, as I'm using CloudFront as a CDN for a WordPress site via W3 Total Cache.)

As a workaround, I generated one certificate (with multiple names) that is kept local, and another one for only cdn.domain.com that gets installed on AWS. This works, but it would be great if I only needed one certificate.

My certbot is version 0.9.3 (on Debian from jessie-backports) and s3front installed via pip seems to be 0.2.0.


weierophinney avatar weierophinney commented on September 23, 2024

I'm running into this issue as well, with three domains. In each case, I get an error that looks like this:

Starting new HTTPS connection (1): iam.amazonaws.com
An unexpected error occurred:
ClientError: An error occurred (EntityAlreadyExists) when calling the UploadServerCertificate operation: The Server Certificate with name le-<domain-name>-new already exists.

When I look in /var/log/letsencrypt/letsencrypt.log, I don't really get much more information than that; it shows the request sent, and the response received, which provides that same information.

I've seen some suggestions to use this:

$ aws iam delete-server-certificate --server-certificate-name le-<domain-name>-new

Which I have tried. However, the response I get back is "Certificate is currently inuse by CloudFront Distribution . Please remove it first before deleting it from IAM."

These errors have only started in the last two weeks, and I've been able to reproduce them reliably. I'm currently using certbot from the PPA, which installs 0.11.1; I've installed certbot-s3front using pip2.7 (which I discovered through trial and error is necessary, as it does not work with python3), and have 0.2.0 installed.

Any assistance would be greatly appreciated!


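The delete attempt described in the comment above is rejected because a CloudFront distribution still references the leftover certificate. As an added example (not code from certbot-s3front or from any commenter), this Python code takes the JSON printed by `aws iam list-server-certificates` and `aws cloudfront list-distributions` and reports which `le-<domain>-new` certificates can be deleted and which are still attached. The sample JSON, domain names and ids are constructed, and the function names are hypothetical.

```python
import json

# Constructed, trimmed sample of `aws iam list-server-certificates` output.
IAM_JSON = """{"ServerCertificateMetadataList": [
  {"ServerCertificateName": "le-ms0.example.com", "ServerCertificateId": "ASCAEXAMPLE0000000001"},
  {"ServerCertificateName": "le-ms0.example.com-new", "ServerCertificateId": "ASCAEXAMPLE0000000002"},
  {"ServerCertificateName": "le-ms1.example.com-new", "ServerCertificateId": "ASCAEXAMPLE0000000003"}]}"""
# Constructed, trimmed sample of `aws cloudfront list-distributions` output.
CF_JSON = """{"DistributionList": {"Items": [
  {"Id": "E1EXAMPLE00001", "ViewerCertificate": {"IAMCertificateId": "ASCAEXAMPLE0000000002"}},
  {"Id": "E1EXAMPLE00002", "ViewerCertificate": {"CloudFrontDefaultCertificate": true}}]}}"""

def stale_new_certs(iam_listing):
    """Return {name: id} for leftover certificates named le-<domain>-new."""
    return {
        c["ServerCertificateName"]: c["ServerCertificateId"]
        for c in iam_listing["ServerCertificateMetadataList"]
        if c["ServerCertificateName"].startswith("le-")
        and c["ServerCertificateName"].endswith("-new")
    }

def cert_users(cf_listing):
    """Map IAM certificate id -> CloudFront distribution ids that reference it."""
    users = {}
    for dist in cf_listing.get("DistributionList", {}).get("Items") or []:
        cert_id = dist.get("ViewerCertificate", {}).get("IAMCertificateId")
        if cert_id:
            users.setdefault(cert_id, []).append(dist["Id"])
    return users

def plan_cleanup(iam_listing, cf_listing):
    """Split leftover -new certificates into deletable and still-attached."""
    users = cert_users(cf_listing)
    deletable, blocked = [], {}
    for name, cert_id in sorted(stale_new_certs(iam_listing).items()):
        if cert_id in users:
            blocked[name] = users[cert_id]  # IAM will refuse to delete this one
        else:
            deletable.append(name)
    return deletable, blocked

if __name__ == "__main__":
    deletable, blocked = plan_cleanup(json.loads(IAM_JSON), json.loads(CF_JSON))
    for name in deletable:
        print("safe to delete:", name)
    for name, dists in blocked.items():
        print("still attached, re-point the distribution first:", name, "->", ", ".join(dists))
```

A certificate reported as still attached has to be detached from the listed distribution (by pointing it at another certificate) before `aws iam delete-server-certificate` will succeed.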
reh-NAH-toos avatar reh-NAH-toos commented on September 23, 2024

@dlapiduz
Sorry to open this again; in the same time frame @weierophinney mentioned, the whole thing stopped working for me as well.
Maybe AWS changed something on their site? Because I didn't change anything at all; in fact I did set up a cron job since my last post in this issue and it worked until the end of February.

The creation of the certificate itself is still correct, as shown in the log
2017-04-27 11:53:11,458:INFO:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/ms0.DOMAIN.com/fullchain.pem. Your cert will expire on 2017-07-26. To obtain a new version of the certificate in the future, simply run Certbot again.

At the end of the log I get this message again
ClientError: An error occurred (EntityAlreadyExists) when calling the UploadServerCertificate operation: The Server Certificate with name le-ms0.DOMAIN.com-new already exists.

This is basically the same message I got in the initial post in this issue, BUT this time it's not working at all; there's no update process at my CloudFront distribution despite the error message. (I was fine with getting an error message but ending up with a working SSL configuration.)

I can only repeat what @weierophinney said,

Any assistance would be greatly appreciated!


SystemDisc avatar SystemDisc commented on September 23, 2024

This still happens.
