Cannot upload letsencrypt certificate to AWS

After going through the necessary steps to create my letsencrypt cert on a Mac OSX, I can’t seem to get the cert uploaded to AWS. I’m not certain if this is an OSX issue or a LetsEncrypt issue.

I receive this message after going through the process:

- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.example.com/fullchain.pem. Your
   cert will expire on 2016-04-06. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.

Then I use the aws cli to upload the cert:

    aws iam upload-server-certificate \
      --server-certificate-name www.example.com \
      --certificate-body file:///etc/letsencrypt/live/www.example.com/cert.pem \
      --private-key file:///etc/letsencrypt/live/www.example.com/privkey.pem \
      --certificate-chain file:///etc/letsencrypt/live/www.example.com/chain.pem \
      --path /cloudfront/

The response is:

Error parsing parameter '--certificate-body': Unable to load paramfile file:///etc/letsencrypt/live/www.example.com/cert.pem: [Errno 13] Permission denied: '/etc/letsencrypt/live/www.example.com/cert.pem'

If I just created the file successfully, why can I not access it?

As far as I know, the Let’s Encrypt client wants to be run as root or (I think) uses sudo when run as a normal user. Check the permissions on /etc/letsencrypt. It’s probably root. And I’m thinking you’re running aws as a normal user?

Yep. Running aws cli as sudo fixed the problem.

I just don’t understand why none of the instructions I’ve read mention the need to do so. Why do I need to run under sudo if other folks don’t?

Most other implementations involve a local web server. These run as root at start (to bind to port 80 and gather private info like SSL keys) before dropping to lower-level permissions. As such, you don’t need to be root for those situations.
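An added pre-flight check, not from the thread or from the Let's Encrypt project: it verifies that the three PEM files the client wrote are readable by the user about to run the aws cli, so the "[Errno 13] Permission denied" from paramfile loading is caught before the upload is attempted. It assumes the live/ directory layout shown above; the upload wrapper issues the same command the question uses.

```shell
# Return 0 if cert.pem, privkey.pem and chain.pem under the directory $1 are
# all readable by the current user; otherwise report each unreadable file
# on stderr and return 1. The directory is the caller's choice (constructed).
le_files_readable() {
    dir="$1"
    missing=0
    for f in cert.pem privkey.pem chain.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "not readable by $(id -un): $dir/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Run the check first; only when it passes invoke the aws cli with the
# file:// paramfiles, exactly as in the question. If it fails, say why:
# /etc/letsencrypt/live is root-owned, so the cli must run as root (sudo).
upload_le_cert() {
    dir="$1"
    name="$2"
    if ! le_files_readable "$dir"; then
        echo "live/ directory is root-owned: re-run the upload under sudo" >&2
        return 1
    fi
    aws iam upload-server-certificate \
        --server-certificate-name "$name" \
        --certificate-body "file://$dir/cert.pem" \
        --private-key "file://$dir/privkey.pem" \
        --certificate-chain "file://$dir/chain.pem" \
        --path /cloudfront/
}
```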
