ubergeek42 / lambda-letsencrypt
Free Lets-Encrypt certificate management for CloudFront/AWS
License: MIT License
After hours of working on this, it still doesn't work.
I waited a day to re-run this, I tried the current version and #14 but... nothing
START RequestId: 6bdb9b5e-3479-11e6-bbdd-c70a802 Version: $LATEST
[INFO] 2016-06-17T10:51:19.861Z 6bdb9b5e-3479-11e6-bbdd-c70a802 No certificate exists for E000000000000
[INFO] 2016-06-17T10:51:20.372Z 6bdb9b5e-3479-11e6-bbdd-c70a802 User key exists, loading...
[DEBUG] 2016-06-17T10:51:22.44Z 6bdb9b5e-3479-11e6-bbdd-c70a802 {"url": "https://acme-v01.api.letsencrypt.org/acme/authz/wVIO3Ja8p1H5FvZOgvkGXjsh9eI", "domain": "----.-----.com"}
[INFO] 2016-06-17T10:51:22.44Z 6bdb9b5e-3479-11e6-bbdd-c70a802 Waiting for challenge to be confirmed for '----.-----.com'
[INFO] 2016-06-17T10:51:22.44Z 6bdb9b5e-3479-11e6-bbdd-c70a802 Can't get cert for CloudFront Distribution 'E000000000000', still waiting on domain authorizations
END RequestId: 6bdb9b5e-3479-11e6-bbdd-c70a802
REPORT RequestId: 6bdb9b5e-3479-11e6-bbdd-c70a802 Duration: 2628.63 ms Billed Duration: 2700 ms Memory Size: 128 MB Max Memory Used: 46 MB
Since this is supported in staging now.
https://community.letsencrypt.org/t/dns-challenge-is-in-staging/8322/21
As the wizard wraps up I get this:
botocore.exceptions.ClientError: An error occurred (IllegalLocationConstraintException) when calling the CreateBucket operation: The unspecified location constraint is incompatible for the region specific endpoint this request was sent to.
This is with region eu-central-1. I already have a CF distribution that is likely causing the exception, but perhaps it could be handled more gracefully.
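An added example (Python, not the wizard's own code) of the region handling that avoids the IllegalLocationConstraintException above, plus treating an already-owned bucket as success rather than a crash; `ensure_bucket` accepts any boto3-style S3 client, and `FakeS3` / `FakeClientError` are constructed stand-ins so it runs offline.

```python
US_EAST_1 = "us-east-1"
# AWS error code meaning the bucket already exists in this account; safe to continue.
ALREADY_OWNED = "BucketAlreadyOwnedByYou"


def create_bucket_kwargs(bucket, region):
    """Keyword arguments for s3.create_bucket.

    S3 rejects an explicit LocationConstraint for us-east-1 and, as the
    traceback above shows, rejects its absence for every other region.
    """
    kwargs = {"Bucket": bucket}
    if region != US_EAST_1:
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    return kwargs


def ensure_bucket(s3, bucket, region):
    """Create `bucket` in `region`; return 'created' or 'exists'.

    `s3` is any object with a boto3-style create_bucket. botocore's
    ClientError exposes the AWS error code at exc.response['Error']['Code'];
    only BucketAlreadyOwnedByYou is swallowed, everything else propagates.
    """
    try:
        s3.create_bucket(**create_bucket_kwargs(bucket, region))
        return "created"
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == ALREADY_OWNED:
            return "exists"
        raise


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Constructed stand-in for a boto3 S3 client: records calls, raises `code` if set."""
    def __init__(self, code=None):
        self.code = code
        self.calls = []

    def create_bucket(self, **kwargs):
        self.calls.append(kwargs)
        if self.code:
            raise FakeClientError(self.code)
```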
It happens if the files aren't world-readable when you create the zip file in the wizard; the wizard should probably chmod them properly, or just modify their permissions in the zip.
Takes a couple iterations to actually issue the cert.
Make the wizard run the function, check the logs, and do it again 10-30 seconds later to actually issue the certificate. This would greatly improve user experience.
Update to the CloudFront Origins is missing a CustomHeader that will cause issues. The key is required, but no data needs to be filled in. You can add the following line to 475 to make it work properly:
'CustomHeaders': {u'Quantity': 0}
References: https://github.com/ubergeek42/lambda-letsencrypt/blob/master/lambda_function.py#L469-L474
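An added example (Python, not the project's code) of the fix described above, generalized to every origin in the distribution and to origins that already list headers: it normalizes the Origins block of the dict returned by boto3's get_distribution_config before it is sent back with update_distribution. SAMPLE_CONFIG is a constructed, trimmed stand-in for that dict.

```python
import copy

# Constructed sample resembling the DistributionConfig from
# cloudfront.get_distribution_config, trimmed to the Origins part.
SAMPLE_CONFIG = {
    "Origins": {
        "Quantity": 2,
        "Items": [
            # No CustomHeaders key at all: CloudFront rejects the update.
            {"Id": "S3-site", "DomainName": "site.s3.amazonaws.com"},
            {
                "Id": "api",
                "DomainName": "api.example.com",
                "CustomHeaders": {
                    "Quantity": 0,  # wrong: one header is listed below
                    "Items": [{"HeaderName": "X-Origin-Token",
                               "HeaderValue": "placeholder"}],
                },
            },
        ],
    }
}


def normalize_origins(distribution_config):
    """Return a deep copy in which every origin carries a CustomHeaders block
    whose Quantity matches its Items (Quantity 0 and no Items when empty),
    and Origins.Quantity matches the number of origins."""
    cfg = copy.deepcopy(distribution_config)
    origins = cfg["Origins"]
    for origin in origins.get("Items", []):
        headers = origin.setdefault("CustomHeaders", {"Quantity": 0})
        items = headers.get("Items") or []
        headers["Quantity"] = len(items)
        if items:
            headers["Items"] = items
        else:
            headers.pop("Items", None)
    origins["Quantity"] = len(origins.get("Items", []))
    return cfg
```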
This would probably be useful for elastic load balancers when people are not using route53. It would allow validation of the domain.
Though thinking about it, it would break the user's website when/if re-validation was necessary.
I think I'll leave this open but low priority until people comment and want it.
Maybe add support for managing certificates on ELBs as well. This would probably only support DNS validation and not http.
When uploading certificates to use for CloudFront, they must be pre-pended with "/cloudfront/" in order for them to become usable by the distribution. If this is not done, they will get uploaded via IAM, but will not show up.
Replacing:
Path="/letsencrypt_lambda/",
With
Path="/cloudfront/letsencrypt_lambda/",
Reference: https://github.com/ubergeek42/lambda-letsencrypt/blob/master/lambda_function.py#L203
I finally got this to work, at least somewhat. Thanks for this code, I'm working thru it to try and get it working for me.
I run into this:
89 days remaining on cert, nothing to do for cfd-......
in lambda, which is good I think
But I get a certificate when I visit my domain of something like this:
Fake LE Intermediate X1
I'm trying to google it, but having trouble putting it in context of what I've done from this repo.
If anyone has a nudge in the right direction, I'm grateful. Thanks.
I tried to give it a go on a S3 static website.
Running the Wizard, it fails at Configuring Lambda Function
Uploading Function An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.
The steps before seem to be ok:
Making Requested Changes
Creating SNS Topic for Notifications
Role doesn't exist, attempting to create
Creating Role 'lambda-letsencrypt-test-role'
Role Created
Role policy doesn't exist, attempting to create
Writing Configuration File
Creating Zip File To Upload To Lambda
Adding 'lambda_function.py'
Adding 'simple_acme.py'
Adding 'config.py'
Zip File Created Successfully
Any idea what could be wrong here?
Each domain you want to manage can be configured to validate using either of
these methods.
Do you want to configure HTTP validation[Y/n]? Y
Do you want to create a bucket for these challenges(Choose No to select an existing bucket)[Y/n]? Y
CloudFront Configuration
Traceback (most recent call last):
File "wizard.py", line 546, in <module>
wizard(global_config)
File "wizard.py", line 519, in wizard
wizard_cf(global_config)
File "wizard.py", line 188, in wizard_cf
cf_dist_list = cloudfront.list_distributions()
File "/root/lambda-letsencrypt/installer/cloudfront.py", line 9, in list_distributions
for dist in dl['DistributionList']['Items']:
KeyError: 'Items'
Let the wizard help users configure a CloudFront distribution that serves their S3 static site. Should make it much simpler for people to get started with if that's all they use.
Or just read the config file from s3, the delay won't cost too much and then we don't need the extra dependency.
This would also allow us to distribute a pre-packaged zip file to upload into lambda. Not sure how we could discover the bucket name though...maybe based on the account identifier? Or list all buckets and require the config bucket to have a certain prefix?
Can an iam user view what permissions they have? If so we could automatically detect the bucket name based on that.
Search cloudfront distributions for ones that have the domain as a cname rather than making them enter or select the distribution id.
This would mostly be targeted at helping users that are doing a manual configuration. The wizard folks will have this filled in automatically.
Found a template where the event rule is configured via CloudFormation, I'm just thinking we could use that to deploy the rule to eliminate all manual things.
See an example template where the event rules are used: http://docs.aws.amazon.com/solutions/latest/ec2-scheduler/deployment.html
It works and makes sense, but I think there is room for some improvement. Mostly with regards to the walls of text.
Why would people want to use this over the new AWS Certificate Manager(ACM)?
Advantages:
Disadvantages:
Common Features:
Edit this issue as new points are made.
Either make a nice readthedocs setup or make a github pages site for the documentation. The goal is to make this dead simple, and we want the docs to reflect that.
Alarms if the function doesn't execute once a day.
Alarms if it errors.
I never used letsencrypt before and was hoping to let this take care of itself with the creation and updating of the certificate, but when trying to run the generated lambda function, I get this error:
START RequestId: f31cb3e2-339f-11e6-a2f7-139f7c45a328 Version: $LATEST
[INFO] 2016-06-16T08:54:36.788Z f31cb3e2-339f-11e6-a2f7-139f7c45a328 No certificate exists for E2EDQ498I94TP2
[INFO] 2016-06-16T08:54:37.350Z f31cb3e2-339f-11e6-a2f7-139f7c45a328 Creating user and key
HTTP Error 404: Not Found: HTTPError
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 570, in lambda_handler
user = get_user()
File "/var/task/lambda_function.py", line 80, in get_user
user.register(cfg.EMAIL)
File "/var/task/simple_acme.py", line 175, in register
"mailto:{}".format(email)
File "/var/task/simple_acme.py", line 46, in _send_signed_request
LE_NONCE = urlopen(cfg.DIRECTORY_URL + "/directory").headers['Replay-Nonce']
File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib64/python2.7/urllib2.py", line 437, in open
response = meth(req, response)
File "/usr/lib64/python2.7/urllib2.py", line 550, in http_response
'http', request, response, code, msg, hdrs)
File "/usr/lib64/python2.7/urllib2.py", line 475, in error
return self._call_chain(*args)
File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/usr/lib64/python2.7/urllib2.py", line 558, in http_error_default
raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 404: Not Found
END RequestId: f31cb3e2-339f-11e6-a2f7-139f7c45a328
REPORT RequestId: f31cb3e2-339f-11e6-a2f7-139f7c45a328 Duration: 3819.12 ms Billed Duration: 3900 ms Memory Size: 128 MB Max Memory Used: 72 MB
This is my configuration:
**Summary**
Notification Email: -------@------
S3 Config Bucket: ---.----.com (existing)
IAM Role Name: lambda-letsencrypt (to be created)
Support HTTP Challenges: True
S3 HTTP Challenge Bucket: ---.----.com (existing)
Domains To Manage With Lets-Encrypt
---.----.com - []
CloudFront Distributions To Manage:
E0000000000000 - [---.----.com]
Elastic Load Balancers to Manage:
> Are these settings correct[Y/n]? y
Making Requested Changes
Creating SNS Topic for Notifications
Role doesn't exist, attempting to create
Creating Role 'lambda-letsencrypt-test-role'
Role Created
Role policy doesn't exist, attempting to create
Writing Configuration File
Creating Zip File To Upload To Lambda
Adding 'lambda_function.py'
Adding 'simple_acme.py'
Adding 'config.py'
Zip File Created Successfully
Configuring Lambda Function:
IAM ARN: arn:aws:iam::000000000000:role/lambda-letsencrypt/lambda-letsencrypt-test-role
Uploading Function
Also I didn't find any new files in my S3 bucket. From what I understand I should find a letsencrypt file and a domain.example.com file.
My domain has been authorized, but I am noticing a permission error when trying to create the CSR. This does not appear to be related to the S3 bucket policy. Is there some place I need to adjust?
[INFO] 2016-06-28T21:55:03.355Z f65419f0-3d7a-11e6-9eff-81dfcc33a282 Generate CSR and get cert for CloudFront Distribution MY_CLOUDFRONT_ID
[WARNING] 2016-06-28T21:55:06.95Z f65419f0-3d7a-11e6-9eff-81dfcc33a282 [Errno 13] Permission denied: 'csr_test.der'