
Can generate initial certificate, but silently fails to renew


This has happened a number of times now — as far as I’m aware, certbot-s3front has never successfully renewed my CloudFront certificate, even though it can deploy the initial cert just fine (e.g. if I delete the renewals/xxx.conf file and re-run the initial certbot command).

If I force a renewal:

```
% sudo /usr/bin/chpst -e /etc/letsencrypt/env.d -- certbot --force-renewal renew --cert-name i.wisq.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/i.wisq.net.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator certbot-s3front:auth, Installer certbot-s3front:installer
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for i.wisq.net
Found credentials in environment variables.
Starting new HTTPS connection (1): s3.amazonaws.com
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): s3.amazonaws.com

-------------------------------------------------------------------------------
new certificate deployed with reload of certbot-s3front:installer server;
fullchain is /etc/letsencrypt/live/i.wisq.net/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/i.wisq.net/fullchain.pem (success)
-------------------------------------------------------------------------------
```

The cert on disk is updated, but the actual cert remains unchanged in AWS:

```
% sudo /usr/bin/chpst -e /etc/letsencrypt/env.d -- aws iam list-server-certificates
{
    "ServerCertificateMetadataList": [
        {
            "Path": "/cloudfront/letsencrypt/",
            "Expiration": "2018-06-26T17:12:11Z",
            "ServerCertificateId": "ASCAIYHLWDV4CDQU5QFU2",
            "UploadDate": "2018-03-28T18:12:11Z",
            "Arn": "arn:aws:iam::067917669805:server-certificate/cloudfront/letsencrypt/le-i.wisq.net-1522260731",
            "ServerCertificateName": "le-i.wisq.net-1522260731"
        }
    ]
}
```

I’m using the sample AWS policy linked in the readme.

Anything I can do to diagnose this further?

Issue Analytics

  • State: open
  • Created: 5 years ago
  • Reactions: 1
  • Comments: 6 (1 by maintainers)

Top GitHub Comments

1 reaction
shadow-light commented, Dec 12, 2018

I also just discovered that my certs are being renewed but not deployed. So running renew reports everything as fine as the certs are not outdated, but my sites go down because the new version hasn’t been uploaded/enabled in CF.

1 reaction
wisq commented, Sep 17, 2018

Hm, getting closer. Just tried this with 0.4.1, and it does seem to upload the new certificate (judging from the timestamps). However, it does not seem to update the CloudFront distribution to use the new cert (like it does when I first install a cert).
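The two failure modes in this thread (cert renewed on disk but never uploaded to IAM; uploaded to IAM but the CloudFront distribution never switched to it) are both silent from certbot's point of view, so a separate drift check is worth running after each renewal. The following is an added example, not code from certbot-s3front or from the thread; it assumes boto3 for the live path and compares the leaf of `fullchain.pem` against the IAM certificate body, then the IAM `ServerCertificateId` against the distribution's `ViewerCertificate.IAMCertificateId`. The sample PEM data at the bottom is constructed (arbitrary bytes, not real certificates).

```python
import base64
import hashlib
import re

# One PEM certificate block; the first block in fullchain.pem is the leaf.
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 hex digest of the DER bytes of the first certificate in pem_text."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def check_deployment(local_fullchain, iam_cert, distribution_config):
    """Compare what certbot wrote to disk with what AWS actually serves.

    iam_cert: shape of boto3 iam.get_server_certificate()["ServerCertificate"].
    distribution_config: shape of cloudfront.get_distribution_config()["DistributionConfig"].
    Returns a list of problems; an empty list means the renewal was fully deployed.
    """
    problems = []
    if leaf_fingerprint(local_fullchain) != leaf_fingerprint(iam_cert["CertificateBody"]):
        problems.append("IAM server certificate body differs from local fullchain.pem leaf: upload did not happen")
    expected_id = iam_cert["ServerCertificateMetadata"]["ServerCertificateId"]
    viewer = distribution_config.get("ViewerCertificate", {})
    if viewer.get("IAMCertificateId") != expected_id:
        problems.append("CloudFront ViewerCertificate.IAMCertificateId is not %s: distribution was not switched" % expected_id)
    return problems

def live_check(fullchain_path, iam_cert_name, distribution_id):
    """Same check against real AWS state; assumes boto3 and read-only IAM/CloudFront credentials."""
    import boto3  # lazy import so the offline sample below does not need it
    iam_cert = boto3.client("iam").get_server_certificate(ServerCertificateName=iam_cert_name)["ServerCertificate"]
    dist = boto3.client("cloudfront").get_distribution_config(Id=distribution_id)["DistributionConfig"]
    with open(fullchain_path) as fh:
        return check_deployment(fh.read(), iam_cert, dist)

# Constructed sample data: PEM payloads are arbitrary bytes, ids are placeholders.
def _fake_pem(payload):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(payload).decode()

LOCAL_FULLCHAIN = _fake_pem(b"renewed-leaf") + _fake_pem(b"intermediate")
OLD_ID, NEW_ID = "ASCAEXAMPLEOLD0000001", "ASCAEXAMPLENEW0000002"
STALE_IAM_CERT = {"CertificateBody": _fake_pem(b"original-leaf"), "ServerCertificateMetadata": {"ServerCertificateId": OLD_ID}}
FRESH_IAM_CERT = {"CertificateBody": _fake_pem(b"renewed-leaf"), "ServerCertificateMetadata": {"ServerCertificateId": NEW_ID}}
DIST_STILL_OLD = {"ViewerCertificate": {"IAMCertificateId": OLD_ID}}
DIST_SWITCHED = {"ViewerCertificate": {"IAMCertificateId": NEW_ID}}

if __name__ == "__main__":
    print(check_deployment(LOCAL_FULLCHAIN, STALE_IAM_CERT, DIST_STILL_OLD))  # the issue as first reported
    print(check_deployment(LOCAL_FULLCHAIN, FRESH_IAM_CERT, DIST_STILL_OLD))  # the 0.4.1 behaviour above
    print(check_deployment(LOCAL_FULLCHAIN, FRESH_IAM_CERT, DIST_SWITCHED))   # fully deployed
```

Run `live_check` from a certbot `--deploy-hook` or a cron job after `certbot renew` and alert on a non-empty result; it would have caught both states described in this thread before the site went down.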
