dlapiduz / certbot-s3front

Certbot CLI plugin for S3/CloudFront validation and installation
MIT License
584 stars 70 forks

How can I create a cert for example.com & www.example.com? #63

Open jamesone opened 6 years ago

jamesone commented 6 years ago

Here is the command I tried:

AWS_ACCESS_KEY_ID="" AWS_SECRET_ACCESS_KEY="" certbot --agree-tos -a certbot-s3front:auth --certbot-s3front:auth-s3-bucket example.com --certbot-s3front:auth-s3-region us-west-1 -i certbot-s3front:installer --certbot-s3front:installer-cf-distribution-id <ID> --config-dir ./config --work-dir ./work --logs-dir ./logs -d www.example.com -d example.com

When I add the www.example.com, it fails. If I just run this with example.com, it works. It logs the following:

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Found credentials in environment variables.
Calling s3:put_object with {'Body': u'<id>', u'Bucket': 'example.com', 'Key': u'.well-known/acme-challenge/<id>', 'ACL': 'public-read'}
Starting new HTTPS connection (1): s3-us-west-1.amazonaws.com
Starting new HTTP connection (1): example.com
Starting new HTTPS connection (1): example.com
Calling s3:put_object with {'Body': u'<id>', u'Bucket': 'example.com', 'Key': u'.well-known/acme-challenge/<id>', 'ACL': 'public-read'}
Starting new HTTPS connection (1): s3-us-west-1.amazonaws.com
Starting new HTTP connection (1): www.example.com
Starting new HTTPS connection (1): www.example.com
Unable to reach http://www.example.com/.well-known/acme-challenge/<id>: hostname 'www.example.com' doesn't match 'example.com'
Self-verify of challenge failed, authorization abandoned!
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): s3-us-west-1.amazonaws.com
Incomplete authorizations

Note that I added www.example.com AFTER initially setting up the cert with example.com.

PhilT commented 4 years ago

Probably a bit late but I came here looking for the answer and figured it out eventually:

Firstly, you specify additional domains by adding extra -d options to the original command line. So in your example you'd have -d example.com -d www.example.com. As you've already run it, certbot will ask you if you want to expand the existing certificate. Just say yes.

Once that is done you can specify the additional domains in the CloudFront Alternate Domain Names (CNAMEs) field when editing the distribution.
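The failure in the log above is a TLS hostname check: certbot's self-verification follows the HTTP-to-HTTPS redirect for www.example.com, CloudFront presents the certificate issued earlier for example.com only, and the name does not match. The script below is an added illustration (not code from certbot-s3front or from either poster) of the pre-flight check a practitioner would run before and after the expansion PhilT describes: given the certificate a host serves, in the dict shape returned by Python's ssl getpeercert(), it reports which of the requested -d domains the certificate does not cover. The two certificate dicts are constructed sample data standing in for the distribution's certificate before and after the expanded certificate is installed; fetch_served_cert() is only needed for a live check and is not exercised by the sample run.

```python
"""Pre-flight check: which of the domains passed to certbot via -d are
covered by the TLS certificate the site currently serves?

Added illustration, not part of certbot-s3front. Hostname matching follows
the RFC 6125 rules (exact match, or a single left-most wildcard label) and
certificate dicts are shaped like ssl.SSLSocket.getpeercert() output.
"""
import socket
import ssl


def cert_dns_names(cert):
    """Return the DNS names a getpeercert()-style dict vouches for.

    Names come from subjectAltName; the subject commonName is consulted
    only when no SAN entries exist (legacy behaviour).
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact, or '*.example.com' matching one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # A wildcard covers exactly one left-most label: '*.example.com' matches
    # 'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    suffix = pattern[1:]  # '.example.com'
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def uncovered_domains(domains, cert):
    """Return the requested domains the served certificate does not name.

    Each of these reproduces the log line
    "hostname 'www.example.com' doesn't match 'example.com'" when certbot's
    self-check lands on the HTTPS endpoint.
    """
    names = cert_dns_names(cert)
    return [d for d in domains if not any(hostname_matches(n, d) for n in names)]


def fetch_served_cert(hostname, port=443, timeout=5.0):
    """Fetch the certificate a live host presents (network access required).

    check_hostname is disabled on purpose so the certificate is returned even
    when it does not match; the chain is still validated (CERT_REQUIRED).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample data: the certificate served before the expansion
# (example.com only) and after it (both names), as the self-check sees them.
CERT_BEFORE = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"),),
}
CERT_AFTER = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
REQUESTED = ["example.com", "www.example.com"]

if __name__ == "__main__":
    for label, cert in (("before expansion", CERT_BEFORE), ("after expansion", CERT_AFTER)):
        missing = uncovered_domains(REQUESTED, cert)
        print(f"{label}: uncovered = {missing or 'none'}")
```

Running the sample reports www.example.com as uncovered before the expansion and nothing afterwards, which is exactly the difference between the failed self-verify in the log and a run after the expanded certificate is installed on the distribution. For a live host, pass the result of fetch_served_cert("www.example.com") to uncovered_domains() instead of the constructed dicts.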