
lambda-letsencrypt's People

Contributors

aripringle, bfred-it, ubergeek42


lambda-letsencrypt's Issues

Can't get cert for X, still waiting on domain authorizations

After hours of working on this, it still doesn't work.
I waited a day to re-run this, I tried the current version and #14 but... nothing 😞

START RequestId: 6bdb9b5e-3479-11e6-bbdd-c70a802 Version: $LATEST
[INFO]  2016-06-17T10:51:19.861Z    6bdb9b5e-3479-11e6-bbdd-c70a802 No certificate exists for E000000000000
[INFO]  2016-06-17T10:51:20.372Z    6bdb9b5e-3479-11e6-bbdd-c70a802 User key exists, loading...
[DEBUG] 2016-06-17T10:51:22.44Z 6bdb9b5e-3479-11e6-bbdd-c70a802 {"url": "https://acme-v01.api.letsencrypt.org/acme/authz/wVIO3Ja8p1H5FvZOgvkGXjsh9eI", "domain": "----.-----.com"}
[INFO]  2016-06-17T10:51:22.44Z 6bdb9b5e-3479-11e6-bbdd-c70a802 Waiting for challenge to be confirmed for '----.-----.com'
[INFO]  2016-06-17T10:51:22.44Z 6bdb9b5e-3479-11e6-bbdd-c70a802 Can't get cert for CloudFront Distribution 'E000000000000', still waiting on domain authorizations
END RequestId: 6bdb9b5e-3479-11e6-bbdd-c70a802
REPORT RequestId: 6bdb9b5e-3479-11e6-bbdd-c70a802   Duration: 2628.63 ms    Billed Duration: 2700 ms    Memory Size: 128 MB Max Memory Used: 46 MB  

IllegalLocationConstraintException

As the wizard wraps up I get this:

botocore.exceptions.ClientError: An error occurred (IllegalLocationConstraintException) when calling the CreateBucket operation: The unspecified location constraint is incompatible for the region specific endpoint this request was sent to.

This is with region eu-central-1. I already have a CF distribution that is likely causing the exception, but perhaps it could be handled more gracefully.
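The CreateBucket error in this report is what S3 returns when the request reaches a regional endpoint without a LocationConstraint. Added example, not lambda-letsencrypt's own wizard code: region-aware bucket creation that also tolerates an already-owned bucket, exercised against a constructed stand-in client (bucket and region names are assumed).

```python
"""Added example (not lambda-letsencrypt's own code): create the S3 bucket
in a way that works in every region. CreateBucket needs an explicit
LocationConstraint everywhere except us-east-1; sent without one to a
regional endpoint such as eu-central-1 it fails exactly as above."""
try:
    from botocore.exceptions import ClientError
except ImportError:  # assumption: keep the example runnable without botocore
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response["Error"]["Message"])
            self.response = error_response


def create_bucket_params(bucket, region):
    """Keyword arguments for s3.create_bucket in `region`."""
    params = {"Bucket": bucket}
    if region != "us-east-1":  # the one region that rejects the constraint
        params["CreateBucketConfiguration"] = {"LocationConstraint": region}
    return params

def ensure_bucket(s3, bucket, region):
    """Create the bucket, or report 'exists' when this account already owns
    it instead of aborting the wizard. Other errors still propagate."""
    try:
        s3.create_bucket(**create_bucket_params(bucket, region))
        return "created"
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "BucketAlreadyOwnedByYou":
            return "exists"
        raise

class FakeS3:
    """Constructed stand-in for a regional boto3 S3 client."""
    def __init__(self, region, existing=()):
        self.region, self.existing, self.created = region, set(existing), []

    def create_bucket(self, Bucket, CreateBucketConfiguration=None):
        loc = (CreateBucketConfiguration or {}).get("LocationConstraint")
        if self.region != "us-east-1" and loc != self.region:
            raise ClientError({"Error": {"Code": "IllegalLocationConstraintException",
                               "Message": "The unspecified location constraint is incompatible"}},
                              "CreateBucket")
        if Bucket in self.existing:
            raise ClientError({"Error": {"Code": "BucketAlreadyOwnedByYou",
                               "Message": "Your previous request to create the named bucket succeeded"}},
                              "CreateBucket")
        self.created.append(Bucket)
        return {"Location": "/" + Bucket}
```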

Implement 'tls-sni-01' validation

This would probably be useful for elastic load balancers when people are not using route53. It would allow validation of the domain.

Though thinking about it, it would break the user's website when/if re-validation was necessary.

I think I'll leave this open but low priority until people comment and want it.

Support ELBs

Maybe add support for managing certificates on ELBs as well. This would probably only support DNS validation and not http.

Fake Intermediate Cert

I finally got this to work, at least somewhat. Thanks for this code, I'm working through it to try and get it working for me.

I run into this:

89 days remaining on cert, nothing to do for cfd-...... in lambda, which is good I think

But I get a certificate when I visit my domain of something like this:

Fake LE Intermediate X1

I'm trying to google it, but having trouble putting it in context of what I've done from this repo.

If anyone has a nudge in the right direction, I'm grateful. Thanks.

Fails during Configuring Lambda Function

I tried to give it a go on a S3 static website.
Running the Wizard, it fails at Configuring Lambda Function

Uploading Function An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.

The steps before seem to be ok:

Making Requested Changes
Creating SNS Topic for Notifications ✓
Role doesn't exist, attempting to create
Creating Role 'lambda-letsencrypt-test-role'
Role Created
Role policy doesn't exist, attempting to create
Writing Configuration File ✓
Creating Zip File To Upload To Lambda
Adding 'lambda_function.py'
Adding 'simple_acme.py'
Adding 'config.py'
Zip File Created Successfully

Any idea what could be wrong here?
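The "cannot be assumed by Lambda" rejection has two usual sources: a role trust policy whose principal is not the Lambda service, or a CreateFunction call issued seconds after the role was created, before IAM has propagated it. Added example, not the project's wizard code: the trust policy document plus a retrying upload, run against a constructed stand-in for the Lambda client (function and role names are assumed).

```python
"""Added example (not lambda-letsencrypt's own code): the trust policy a
Lambda execution role must carry, and a CreateFunction call that retries
while a just-created role is still propagating through IAM. Names are
placeholders."""
import time


def lambda_trust_policy():
    """AssumeRolePolicyDocument for create_role. If the principal is not the
    Lambda service, CreateFunction fails with exactly the message above."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def create_function_with_retry(lam, params, attempts=6, sleep=time.sleep):
    """lam.create_function(**params), retried with backoff: a role created
    seconds earlier can be rejected as 'cannot be assumed' until IAM has
    propagated it, and Lambda reports that as InvalidParameterValueException."""
    for attempt in range(attempts):
        try:
            return lam.create_function(**params)
        except Exception as exc:  # botocore's ClientError carries .response
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code != "InvalidParameterValueException" or attempt == attempts - 1:
                raise
            sleep(2 ** attempt)

class FakeLambda:
    """Constructed stand-in: rejects the first `failures` calls the way the
    service does during role propagation, then succeeds."""
    def __init__(self, failures):
        self.failures, self.calls = failures, 0

    def create_function(self, **params):
        self.calls += 1
        if self.calls <= self.failures:
            exc = Exception("The role defined for the function cannot be assumed by Lambda.")
            exc.response = {"Error": {"Code": "InvalidParameterValueException"}}
            raise exc
        return {"FunctionName": params["FunctionName"],
                "FunctionArn": "arn:aws:lambda:us-east-1:000000000000:function:" + params["FunctionName"]}
```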

doesn't work

Each domain you want to manage can be configured to validate using either of
these methods.

Do you want to configure HTTP validation[Y/n]? Y
Do you want to create a bucket for these challenges(Choose No to select an existing bucket)[Y/n]? Y

CloudFront Configuration
Traceback (most recent call last):
  File "wizard.py", line 546, in <module>
    wizard(global_config)
  File "wizard.py", line 519, in wizard
    wizard_cf(global_config)
  File "wizard.py", line 188, in wizard_cf
    cf_dist_list = cloudfront.list_distributions()
  File "/root/lambda-letsencrypt/installer/cloudfront.py", line 9, in list_distributions
    for dist in dl['DistributionList']['Items']:
KeyError: 'Items'

Support dynamic configuration

Or just read the config file from s3, the delay won't cost too much and then we don't need the extra dependency.

This would also allow us to distribute a pre-packaged zip file to upload into lambda. Not sure how we could discover the bucket name though...maybe based on the account identifier? Or list all buckets and require the config bucket to have a certain prefix?

Can an iam user view what permissions they have? If so we could automatically detect the bucket name based on that.

Allow something like 'auto' for cloudfront id

Search cloudfront distributions for ones that have the domain as a cname rather than making them enter or select the distribution id.

This would mostly be targeted at helping users that are doing a manual configuration. The wizard folks will have this filled in automatically.
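The KeyError in the "doesn't work" report above and the alias lookup this issue asks for, as one added example that is not the project's installer code: a listing that tolerates a missing 'Items' key and follows pagination, and a lookup by CNAME on top of it. The distribution ids, domains and the fake client are constructed.

```python
"""Added example (not lambda-letsencrypt's own code): list CloudFront
distributions without assuming 'Items' exists, then find the distribution
that serves a domain as a CNAME alias. Ids and domains are constructed."""


def list_all_distributions(cf):
    """Yield every distribution summary, following NextMarker pagination.
    An account with no distributions returns a DistributionList without an
    'Items' key, which is the KeyError in the wizard traceback above."""
    kwargs = {}
    while True:
        dl = cf.list_distributions(**kwargs)["DistributionList"]
        for dist in dl.get("Items", []):
            yield dist
        if not dl.get("IsTruncated"):
            return
        kwargs = {"Marker": dl["NextMarker"]}

def distribution_aliases(dist):
    """Lower-cased CNAMEs of a summary; Aliases also omits 'Items' when empty."""
    return [a.lower() for a in dist.get("Aliases", {}).get("Items", [])]

def find_distribution_for_domain(cf, domain):
    """Id of the distribution whose aliases cover `domain` (a wildcard alias
    such as '*.example.com' covers exactly one extra label), else None."""
    domain = domain.lower()
    parent = domain.split(".", 1)[1] if "." in domain else ""
    for dist in list_all_distributions(cf):
        for alias in distribution_aliases(dist):
            if alias == domain or (alias.startswith("*.") and alias[2:] == parent):
                return dist["Id"]
    return None

class FakeCloudFront:
    """Constructed stand-in for boto3's CloudFront client; Marker indexes pages."""
    def __init__(self, pages):
        self.pages = pages

    def list_distributions(self, Marker="0"):
        return self.pages[int(Marker)]

# Constructed responses: an account with no distributions, and a two-page listing.
EMPTY = FakeCloudFront([{"DistributionList": {"Quantity": 0, "IsTruncated": False}}])
PAGED = FakeCloudFront([
    {"DistributionList": {"IsTruncated": True, "NextMarker": "1", "Items": [
        {"Id": "EEXAMPLE1", "Aliases": {"Quantity": 1, "Items": ["www.example.com"]}}]}},
    {"DistributionList": {"IsTruncated": False, "Items": [
        {"Id": "EEXAMPLE2", "Aliases": {"Quantity": 1, "Items": ["*.static.example.com"]}},
        {"Id": "EEXAMPLE3", "Aliases": {"Quantity": 0}}]}},
])
```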

Advantages/Disadvantages over AWS Certificate Manager

Why would people want to use this over the new AWS Certificate Manager(ACM)?

Advantages:

  • Available in all regions(ACM is only available in us-east at the moment)
  • Validates domains without requiring MX records/email access
  • Can configure CloudFront/ELBs with a default SSL setting without user intervention.
  • LE supports 100 names per cert, ACM only 20(Less ELBs needed if serving lots of sites)

Disadvantages:

  • ACM has 1yr renewals(vs LetsEncrypt's 90 day)
  • Requires S3/Lambda(Additional dependencies/very minimal cost)
  • Requires Route53 to validate domains for use with ELB
  • ACM can be done entirely through their web console

Common Features:

  • Support CloudFront/ELB
  • Automatic renewal

Edit this issue as new points are made.

Improve documentation

Either make a nice readthedocs setup or make a github pages site for the documentation. The goal is to make this dead simple, and we want the docs to reflect that.

Cloudwatch alarms

Alarms if the function doesn't execute once a day.
Alarms if it errors.
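Added example (not the project's code) of both alarms expressed as put_metric_alarm parameters and applied through a recording stand-in for the CloudWatch client; the function name and SNS topic ARN are assumed placeholders.

```python
"""Added example (not lambda-letsencrypt's own code): the two CloudWatch
alarms described above for a once-a-day renewal function. The function
name and SNS topic ARN are assumed placeholders."""


def alarm_specs(function_name, topic_arn):
    """Two put_metric_alarm parameter sets: one fires when the function was
    not invoked at all in a day, the other when any invocation errored."""
    common = {
        "Namespace": "AWS/Lambda",
        "Dimensions": [{"Name": "FunctionName", "Value": function_name}],
        "Statistic": "Sum",
        "EvaluationPeriods": 1,
        "AlarmActions": [topic_arn],
    }
    missed_run = dict(common,
        AlarmName=f"{function_name}-not-invoked-daily",
        AlarmDescription="Renewal function did not run in the last 24 hours",
        MetricName="Invocations", Period=86400,
        ComparisonOperator="LessThanThreshold", Threshold=1,
        # A day with no datapoint at all means it never ran: that is the alarm.
        TreatMissingData="breaching")
    errored = dict(common,
        AlarmName=f"{function_name}-errors",
        AlarmDescription="Renewal function invocation raised an error",
        MetricName="Errors", Period=300,
        ComparisonOperator="GreaterThanThreshold", Threshold=0,
        # No Errors datapoint in a window is the healthy state, not a fault.
        TreatMissingData="notBreaching")
    return [missed_run, errored]

def create_alarms(cloudwatch, function_name, topic_arn):
    """Apply both alarms through a boto3 CloudWatch client (or a stand-in
    exposing put_metric_alarm) and return the alarm names."""
    specs = alarm_specs(function_name, topic_arn)
    for spec in specs:
        cloudwatch.put_metric_alarm(**spec)
    return [spec["AlarmName"] for spec in specs]

class RecordingCloudWatch:
    """Constructed stand-in that records calls instead of reaching AWS."""
    def __init__(self):
        self.calls = []

    def put_metric_alarm(self, **kwargs):
        self.calls.append(kwargs)
        return {}
```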

Error 404 in get_user -> register

I never used letsencrypt before and was hoping to let this take care of itself with the creation and updating of the certificate, but when trying to run the generated lambda function, I get this error:

START RequestId: f31cb3e2-339f-11e6-a2f7-139f7c45a328 Version: $LATEST
[INFO]  2016-06-16T08:54:36.788Z    f31cb3e2-339f-11e6-a2f7-139f7c45a328    No certificate exists for E2EDQ498I94TP2
[INFO]  2016-06-16T08:54:37.350Z    f31cb3e2-339f-11e6-a2f7-139f7c45a328    Creating user and key
HTTP Error 404: Not Found: HTTPError
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 570, in lambda_handler
    user = get_user()
  File "/var/task/lambda_function.py", line 80, in get_user
    user.register(cfg.EMAIL)
  File "/var/task/simple_acme.py", line 175, in register
    "mailto:{}".format(email)
  File "/var/task/simple_acme.py", line 46, in _send_signed_request
    LE_NONCE = urlopen(cfg.DIRECTORY_URL + "/directory").headers['Replay-Nonce']
  File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/usr/lib64/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib64/python2.7/urllib2.py", line 475, in error
    return self._call_chain(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 558, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 404: Not Found

END RequestId: f31cb3e2-339f-11e6-a2f7-139f7c45a328
REPORT RequestId: f31cb3e2-339f-11e6-a2f7-139f7c45a328  Duration: 3819.12 ms    Billed Duration: 3900 ms    Memory Size: 128 MB Max Memory Used: 72 MB

This is my configuration:

**Summary**
Notification Email:                              -------@------
S3 Config Bucket:                                ---.----.com (existing)
IAM Role Name:                                   lambda-letsencrypt (to be created)
Support HTTP Challenges:                         True
S3 HTTP Challenge Bucket:                        ---.----.com (existing)
Domains To Manage With Lets-Encrypt
    ---.----.com - []
CloudFront Distributions To Manage:
    E0000000000000 - [---.----.com]
Elastic Load Balancers to Manage:
> Are these settings correct[Y/n]? y

Making Requested Changes
Creating SNS Topic for Notifications ✓
Role doesn't exist, attempting to create
Creating Role 'lambda-letsencrypt-test-role'
Role Created
Role policy doesn't exist, attempting to create
Writing Configuration File ✓
Creating Zip File To Upload To Lambda
    Adding 'lambda_function.py'
    Adding 'simple_acme.py'
    Adding 'config.py'
Zip File Created Successfully
Configuring Lambda Function:
    IAM ARN: arn:aws:iam::000000000000:role/lambda-letsencrypt/lambda-letsencrypt-test-role
    Uploading Function ✓

Also I didn't find any new files in my S3 bucket. From what I understand I should find a letsencrypt file and a domain.example.com file.

Permission denied on CSR creation

My domain has been authorized, but I am noticing a permission error when trying to create the CSR. This does not appear to be related to the S3 bucket policy. Is there some place I need to adjust?

[INFO] 2016-06-28T21:55:03.355Z f65419f0-3d7a-11e6-9eff-81dfcc33a282 Generate CSR and get cert for CloudFront Distribution MY_CLOUDFRONT_ID
[WARNING] 2016-06-28T21:55:06.95Z f65419f0-3d7a-11e6-9eff-81dfcc33a282 [Errno 13] Permission denied: 'csr_test.der'
