SNI validation failed when deploying via Amazon CloudFront

I’m very excited to use the service, but I seem to have run across a catch-22 for my deployment needs.

When running:

…/letsencrypt-master/letsencrypt-auto --test-cert certonly --standalone --email -d -d -d -d

I get the following error:

Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found, *’

We’re using Amazon / CloudFront / S3 to host a static website.

Amazon seems to require that I upload a valid private key / cert before I change how they serve SSL.

Practically speaking, that means that I cannot enable SNI until I have a cert uploaded. Hence the catch-22.

I’m looking for suggestions to get past this hurdle. To me, the only approaches I see (in theory … not sure if these are possible) are:

  • generate my own cert that’s unsigned // see if I can get that uploaded on amazon (my current understanding makes this seem unlikely) // enable SNI // then use letsencrypt to generate a valid cert
  • configure letsencrypt to not check for SNI support? (But this seems unlikely since you don’t support wildcards)

--standalone defaults to the tls-sni-01 challenge type, which requires that the host where you’re validating your domain is the one where your TLS connection is terminated. That’s not the case with a CDN such as CloudFront.

You can use --standalone --standalone-supported-challenges http-01 to force the http-01 challenge type, which doesn’t suffer from this problem and works in environments with CDNs.

You might also want to look into the s3front plugin which makes the process even easier with your particular stack.


Aha, setting this flag:

--standalone-supported-challenges http-01

Seems to change the challenge type. Now I see this:

Type: unauthorized
Detail: Invalid response from
[]: 404

With Amazon I can easily put a file there. So this method seems like it will suit my needs.

Ah, you beat me to it! I’ll definitely check out that plugin. Thanks.
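
What the http-01 check discussed in this thread expects from the file served through the CDN, as an added example that is not from the original posts or from the Let's Encrypt client: the URL under /.well-known/acme-challenge/ must return HTTP 200 with the key authorization (the token, a dot, and the RFC 7638 thumbprint of the ACME account key). The JWK, token and function names below are constructed for illustration.

```python
import base64
import hashlib
import json
import urllib.error
import urllib.request

def b64url(data: bytes) -> str:
    # base64url without padding, as used throughout ACME/JOSE
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members only, sorted, no whitespace
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    # This string is the exact content the challenge file must contain
    return f"{token}.{jwk_thumbprint(jwk)}"

def challenge_url(domain: str, token: str) -> str:
    # http-01 is fetched over plain HTTP at this fixed path
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def check_response(status: int, body: bytes, token: str, jwk: dict):
    # Classify a response the way a validator would: wrong status or wrong body fails
    if status != 200:
        return False, f"unauthorized: invalid response, HTTP {status}"
    if body.decode("utf-8", "replace").rstrip() != key_authorization(token, jwk):
        return False, "unauthorized: body does not match key authorization"
    return True, "valid"

def preflight(domain: str, token: str, jwk: dict, timeout: float = 10):
    # Network call; run it yourself after uploading the file, before asking the CA
    try:
        with urllib.request.urlopen(challenge_url(domain, token), timeout=timeout) as r:
            return check_response(r.status, r.read(), token, jwk)
    except urllib.error.HTTPError as e:
        return check_response(e.code, b"", token, jwk)

# Constructed sample values, not a real account key or token
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXM", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-0001"

if __name__ == "__main__":
    print(challenge_url("example.com", SAMPLE_TOKEN))
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print(check_response(404, b"", SAMPLE_TOKEN, SAMPLE_JWK))
```

A 404 like the one reported above falls into the first failure branch: the object is not yet reachable at the challenge path on the origin or CDN.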
