Last year I set up jessebuchanan.ca with an SSL certificate on Amazon S3 / CloudFront.
Now, it's time to renew the certificate.
The first time was fraught with peril, but I eventually got it working.
This time I will document the steps to renew the cert. Most steps for a new installation would be omitted.
https://bryce.fisher-fleig.org/blog/setting-up-ssl-on-aws-cloudfront-and-s3/
openssl req \
-nodes \
-sha256 \
-newkey rsa:2048 \
-keyout jessebuchanan.ca.private-key \
-out jessebuchanan.ca.csr \
-subj '/C=CA/ST=Ontario/L=Toronto/O=Jesse Buchanan/CN=jessebuchanan.ca'
WARNING: If you want a multi-domain certificate (extra subjectAltName entries), some CAs expect the names in the CSR. StartSSL (and many others) ignore SAN fields in the CSR and generate them at signing time. For StartSSL, the signed certificate will have www.jessebuchanan.ca as the CN and the bare name jessebuchanan.ca as the sole SAN. More than one SAN is not available on the StartSSL free tier, so check the names in the certificate you get back rather than the ones you asked for.
Send it to the CA (e.g. StartSSL). Wait.
From the CA, download the signed leaf certificate (*.cer) and any intermediate certificates needed for chaining (for StartSSL this is sub.class1.server.ca.pem).
Install the AWS tools:
brew update
brew install aws-cfn-tools awscli
Configure the AWS tools with the access keys of the IAM user for the website in question (it needs permission to upload server certificates, i.e. iam:UploadServerCertificate):
aws configure
# (now, enter your Access Key ID and Secret Access Key; region and output format can be left at their defaults)
Upload the certificate. Make sure you're in the right directory (aws-cli uses arcane file:// paths, resolved relative to the current directory). The --debug flag below is only for troubleshooting: it logs the whole request, private key included, to your terminal, so drop it once the upload works.
aws --debug iam upload-server-certificate \
--path /cloudfront/jessebuchanan.ca/ \
--server-certificate-name jessebuchanan_ca_201505 \
--certificate-body file://www.jessebuchanan.ca.cer \
--private-key file://jessebuchanan.ca.private-key \
--certificate-chain file://sub.class1.server.ca.pem
The /cloudfront/ path prefix is important. IAM will let you upload the certificate under any path, but CloudFront only lists certificates stored below /cloudfront/.
Here is the response:
{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "ASCAJNS6IQ43WQW4GUNUO",
        "ServerCertificateName": "jessebuchanan_ca_201505",
        "Expiration": "2016-05-05T12:04:16Z",
        "Path": "/cloudfront/jessebuchanan.ca/",
        "Arn": "arn:aws:iam::474896336961:server-certificate/cloudfront/jessebuchanan.ca/jessebuchanan_ca_201505",
        "UploadDate": "2015-05-05T20:06:41.335Z"
    }
}
Sign into the AWS CloudFront console:
https://console.aws.amazon.com/cloudfront/home?region=us-east-1#
Pick the appropriate distribution. On the General tab, click Edit.
Under SSL Certificate, there is a dropdown under Custom SSL Certificate (stored in AWS IAM). There, you can choose the newly uploaded certificate (jessebuchanan_ca_201505).
Click Yes, Edit.
The status of your distribution will change to In Progress. Wait a while, until it returns to Deployed, then confirm that the certificate served at the edge carries the new expiry date before removing the old certificate from IAM.
Then you're done!