dlapiduz / certbot-s3front

Certbot CLI plugin for S3/CloudFront validation and installation
MIT License

KeyError: 'IAMCertificateId' on new distribution #76

Closed mseelye closed 5 years ago

mseelye commented 6 years ago

When I attempt to run this against a distribution that does not have a current IAM Certificate (was set to default cloudfront cert) I get the following error:

2018-08-10 11:39:51,088:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/redacted/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/redacted/lib/python3.5/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/redacted/lib/python3.5/site-packages/certbot/main.py", line 1131, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/redacted/lib/python3.5/site-packages/certbot/main.py", line 772, in _install_cert
    path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
  File "/redacted/lib/python3.5/site-packages/certbot/client.py", line 498, in deploy_certificate
    self.installer.save()  # needed by the Apache plugin
  File "/redacted/lib/python3.5/site-packages/certbot_s3front/installer.py", line 109, in save
    if cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:
KeyError: 'IAMCertificateId'
2018-08-10 11:39:51,088:ERROR:certbot.log:An unexpected error occurred:

It seems as if this might be related to the recent changes made to support renew. I'm not certain though.

mseelye commented 6 years ago

Not sure it is evident from the log, but certbot had created and uploaded the cert at this point. I was able to manually go into the CF dist and update the dist to use the uploaded cert and the cert is valid and works.

coldice commented 6 years ago

Same here. On the default configuration, the XML returned has the following section:

<ViewerCertificate>
  <CloudFrontDefaultCertificate>true</CloudFrontDefaultCertificate>
  <MinimumProtocolVersion>TLSv1</MinimumProtocolVersion>
  <CertificateSource>cloudfront</CertificateSource>
</ViewerCertificate>

Where the script is looking for IAMCertificateId.

As mentioned, the cert is properly stored in the IAM user's server certificates and can be installed manually. After the first one is set up, installing (and therefore I think renew as well) through the script works as expected.

praetp commented 6 years ago

Facing the same issue with a new CF distribution.

plancast commented 6 years ago

I fixed this problem locally by updating installer.py with the following code change:

if cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:
  return;

to

if 'IAMCertificateId' in cf_cfg['DistributionConfig']['ViewerCertificate'] and cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:
  return;
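
The guard above, written as a standalone check and run against both ViewerCertificate shapes seen in this thread. This is an added example, not code from certbot-s3front; the function names, the dict samples and the certificate IDs are constructed for illustration.

```python
def current_iam_certificate_id(cf_cfg):
    """Return the IAM certificate id the distribution serves, or None."""
    viewer_cert = cf_cfg.get('DistributionConfig', {}).get('ViewerCertificate', {})
    return viewer_cert.get('IAMCertificateId')


def already_installed(cf_cfg, certificate_id):
    """True only when the distribution already serves this exact IAM cert.

    A bare `.get('IAMCertificateId') == certificate_id` would report True
    when both sides are None (default cert, upload id never set), so a
    missing value on either side is treated as "not installed".
    """
    current = current_iam_certificate_id(cf_cfg)
    if current is None or certificate_id is None:
        return False
    return current == certificate_id


# Constructed sample: dict form of the default-certificate XML quoted above.
DEFAULT_CERT_CFG = {'DistributionConfig': {'ViewerCertificate': {
    'CloudFrontDefaultCertificate': True,
    'MinimumProtocolVersion': 'TLSv1',
    'CertificateSource': 'cloudfront',
}}}

# Constructed sample: distribution already pointing at an IAM certificate.
IAM_CERT_CFG = {'DistributionConfig': {'ViewerCertificate': {
    'IAMCertificateId': 'EXAMPLE-OLD-CERT-ID',
    'CertificateSource': 'iam',
}}}

if __name__ == '__main__':
    for name, cfg in (('default', DEFAULT_CERT_CFG), ('iam', IAM_CERT_CFG)):
        for cert_id in ('EXAMPLE-OLD-CERT-ID', 'EXAMPLE-NEW-CERT-ID', None):
            print(name, cert_id, already_installed(cfg, cert_id))
```
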

dlapiduz commented 6 years ago

@plancast do you want to send a PR for that change? It is a bug that I didn't test the latest version with a new distro.

sambokai commented 5 years ago

Had the same problem. @plancast's changes made it work.

The changes don't seem to have been propagated to the pip registry yet.

carcus88 commented 5 years ago

@dlapiduz Would bumping the version number up to 0.4.2 cause PyPI to update its sources? I'm facing the same issue where it fails with KeyError: 'IAMCertificateId' using the pip installed package which currently is built from the source as it was on Jul 23, 2018.

lindell commented 5 years ago

@dlapiduz First, thanks for the awesome plugin. But it still does not seem to exist in pip. Had to manually patch it to get it to work.

PaulRBerg commented 5 years ago

Also confirming that this is still not in pip but @plancast's update works perfectly.

dlapiduz commented 5 years ago

Hi folks, I just bumped the version and pushed to PyPI. Apparently the old CI system is not working anymore so I had to set up a new one...