Using LetsEncrypt for certs for Cloudfront CNAMED URL

Hello, we created

AWS_ACCESS_KEY_ID=<AWS KEY> \
AWS_SECRET_ACCESS_KEY=<SECRET KEY> \
letsencrypt --agree-tos -a letsencrypt-s3front:auth \
-i letsencrypt-s3front:installer \
--letsencrypt-s3front:auth-s3-bucket baystreetclinic \
--letsencrypt-s3front:auth-s3-region ca-central-1 \
--letsencrypt-s3front:installer-cf-distribution-id <cloudfrontID> \
-d av.baystreetclinic.com -d av.baystreetclinic.ca

We created a certificate for our subdomains that are CNAMEd to CloudFront. Then we went into CloudFront and enabled this certificate instead of the default Amazon ACM one.

It doesn’t work. The URL https://av.baystreetclinic.com/2018/05/12204330/RF-baystreetclinic.jpg is fine. But the URL https://av.baystreetclinic.ca/2018/05/12204330/RF-baystreetclinic.jpg gives a certificate error.

Note that for both domains the DNS has a CNAME to the same CloudFront distribution. Anything else we need to do?

Hi,

That works fine for me.

Maybe clear your cache?

Thank you

P.S. Why don’t you use Amazon Certificates??

Yes, it works. Might have been browser cache. Oops :)

Question: LE certs may be just for 3 months. How can I set this to auto-renew without any additional manual step to go into Cloudfront and associate a new cert to the CDN? Can the same cert be updated via cron or something?

Thanks so much!

PS. Amazon Certificates are becoming more cumbersome. In my AWS account they seem to say “no more public certs”, although their documentation mentions 100 per account. I’ve only used 10 or so. Anyway, personally I like LE and would like to support this amazing endeavour. It’s also easy to manage over time, for us.

Just in case my question is missed in that paragraph. How do we renew these CloudFront certs? Thanks.

You can try to use DNS validation…

Since CF has a cache, you would need to use --manual if you use HTTP validation.

Thank you

That’s why we suggest using Amazon Certificates.

(Amazon shouldn’t limit you from issuing certs; if they do, open a ticket.)


ACM and CloudFront have APIs. I believe it's possible to programmatically upload a new certificate and configure a distribution to use it, but I haven't tried it, and I don't know if anyone else has written a plugin for it.

Yeah. The documentation's wrong. As far as I can tell, some accounts are limited to 10 certificates, and some may be limited to 100. I'm not sure if the limit is per-region or global. Check the ACM forum, there are posts about it.

I think you can contact AWS support to fix your account.

Otherwise, you have to keep under 11 certificates.


CloudFront can only use ACM certificates deployed to the US East (N. Virginia) Region, so make sure to get your limit increased in that region.

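The two replies above (programmatic upload via the ACM API, and the us-east-1 requirement for CloudFront) can be turned into a certbot deploy hook. The script below is an added example, not code from the original thread or from the letsencrypt-s3front plugin. It assumes: certbot exports RENEWED_LINEAGE to deploy hooks (it does); ACM's ImportCertificate accepts a CertificateArn to replace an existing imported certificate in place, so the distribution keeps pointing at the same ARN and no CloudFront update is needed (it does); and that you set a hypothetical ACM_CERT_ARN environment variable to the ARN of the imported certificate already attached to the distribution. The PEM-splitting helper is needed because ACM wants the leaf and the intermediate chain as separate fields, while certbot writes them concatenated in fullchain.pem. The sample PEM is constructed placeholder text, not a real certificate.

```python
"""Certbot deploy hook: re-import a renewed Let's Encrypt cert into ACM (us-east-1).

Added example, not from the original thread. Usage as a certbot hook:
    certbot renew --deploy-hook /path/to/acm_reimport.py
with ACM_CERT_ARN (hypothetical variable name) set in the environment.
"""
import os
import sys
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample (not real certificates): a leaf followed by one
# intermediate, in the layout certbot writes to fullchain.pem.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAFBASE64LINE1\nLEAFBASE64LINE2\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEBASE64\n-----END CERTIFICATE-----\n"
)


def split_fullchain(fullchain_pem: str) -> tuple:
    """Split certbot's fullchain.pem into (leaf_pem, chain_pem).

    The first CERTIFICATE block is the end-entity certificate; everything
    after it is the intermediate chain. chain_pem is "" when there is none.
    """
    blocks = []
    current = []
    inside = False
    for raw in fullchain_pem.splitlines():
        line = raw.strip()
        if line == PEM_BEGIN:
            inside = True
            current = [line]
        elif line == PEM_END and inside:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            inside = False
        elif inside:
            current.append(line)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found in fullchain")
    return blocks[0], "".join(blocks[1:])


def reimport_to_acm(lineage_dir: Path, cert_arn: str, region: str = "us-east-1") -> str:
    """Replace the imported ACM certificate identified by cert_arn with the
    renewed material in lineage_dir. Region must be us-east-1 for CloudFront.
    Returns the ARN (unchanged on a successful reimport)."""
    import boto3  # lazy import so split_fullchain is usable without the SDK

    leaf, chain = split_fullchain((lineage_dir / "fullchain.pem").read_text())
    key = (lineage_dir / "privkey.pem").read_bytes()
    acm = boto3.client("acm", region_name=region)
    kwargs = {
        "Certificate": leaf.encode(),
        "PrivateKey": key,
        "CertificateArn": cert_arn,
    }
    if chain:
        kwargs["CertificateChain"] = chain.encode()
    return acm.import_certificate(**kwargs)["CertificateArn"]


def main() -> int:
    lineage = os.environ.get("RENEWED_LINEAGE")  # set by certbot for deploy hooks
    arn = os.environ.get("ACM_CERT_ARN")  # hypothetical: ARN attached to the distribution
    if not lineage or not arn:
        print("RENEWED_LINEAGE and ACM_CERT_ARN must be set", file=sys.stderr)
        return 2
    print("reimported", reimport_to_acm(Path(lineage), arn))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the reimport keeps the same ARN, the distribution does not need to be touched on each renewal; the first import (without CertificateArn) is the only manual step, after which you attach that ARN to the distribution once. The IAM credentials used by the hook only need acm:ImportCertificate on that one ARN, which is a much smaller grant than the CloudFront and IAM permissions the installer plugin in the original command needs.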

Thank you. But I don’t know what that means. In the DNS validation can I automate things? That sounds like an even more manual step. If the only option here is manual, then LE is basically not an option at all.

I’ll try the ACM limit increase route. But it doesn’t fill me with promise. Their support is hideous in recent times.

The ability to automate DNS validation depends on your Let's Encrypt client and on your DNS provider. If your DNS provider offers an API that's supported by your Let's Encrypt client, then you can automate issuance and renewal. You can also use a CNAME record for _acme-challenge in your DNS zone to point at a different DNS provider (or an acme-dns instance) that does support an appropriate API.
