ubergeek42 / lambda-letsencrypt

Free Lets-Encrypt certificate management for CloudFront/AWS
MIT License

Fake Intermediate Cert #27

Closed BTCCoffeeTable closed 7 years ago

BTCCoffeeTable commented 7 years ago

I finally got this to work, at least somewhat. Thanks for this code, I'm working through it to try and get it working for me.

I run into this:

89 days remaining on cert, nothing to do for cfd-...... in lambda, which is good I think

But I get a certificate when I visit my domain of something like this:

Fake LE Intermediate X1

I'm trying to google it, but having trouble putting it in context of what I've done from this repo.

If anyone has a nudge in the right direction, I'm grateful. Thanks.

ubergeek42 commented 7 years ago

Swap this line for the one below it: https://github.com/ubergeek42/lambda-letsencrypt/blob/master/config.py.dist#L1

The LetsEncrypt staging server gives out fake intermediates, you have to talk to their production endpoint.

BTCCoffeeTable commented 7 years ago

@ubergeek42,

You're the best, thank you. I guess the only trouble is now, I make the change as you suggest, I then try running python wizard.py again. It gives me errors, so I delete the pre-existing lambda, that works.

But now when I visit my lambda function AWS console, and hit TEST, it just returns the following:

START RequestId: 901383c4-0b1b-11e7-af57-2105d908785a Version: $LATEST
[INFO]  2017-03-17T14:11:07.587Z    901383c4-0b1b-11e7-af57-2105d908785a    89 days remaining on cert, nothing to do for cfd-E2PDGWQPE08CPX_20170317_064010.
END RequestId: 901383c4-0b1b-11e7-af57-2105d908785a

Do I need to go trash everything in the dedicated S3 bucket? Is it relating to CloudFront maybe? I feel so close.

Thanks for your help.

ubergeek42 commented 7 years ago

I think you can go manually edit your cloudfront distribution and remove the certificate from the distribution. Then I'd imagine the check would fail, and it'll go through the renewal/issuing process again.

Then you may want to clean up the existing certificate, though I don't think there is a UI for it. You have to use the AWS command-line API tool. Probably list them first to figure out what the name is, then delete it: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#list-server-certificates http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#delete-server-certificate

It's been a long time since I worked with this code; Amazon launched their ACM thing shortly after I released this and I lost motivation. However, I see that people are actually using this, so I'll try to make some improvements so it's actually usable.
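The check and the cleanup from the two replies above (staging vs. production ACME endpoint, then detaching and deleting the stale certificate), as an added shell example that is not part of this thread or of lambda-letsencrypt. It assumes that config.py holds the ACME directory URL and that staging hostnames contain "acme-staging", that the certificate was uploaded to IAM under the /cloudfront/ path, that openssl and the aws CLI are installed, and that the distribution id and certificate name are supplied by the caller; the host and ids in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not code from lambda-letsencrypt. Checks and cleanup for a
# CloudFront distribution that ended up with a Let's Encrypt *staging* cert.
# Assumptions: config.py holds the ACME directory URL and staging hostnames
# contain "acme-staging"; the cert was uploaded to IAM under /cloudfront/;
# openssl and the aws CLI are installed; ids/names come from the caller.
set -e

# Classify an issuer line as printed by `openssl x509 -noout -issuer`.
# The staging CA signs with "Fake LE Intermediate X1" (the name seen in the
# thread; newer staging intermediates carry "(STAGING)" in the name) and no
# browser trusts it. Production issuers name Let's Encrypt.
classify_issuer() {
    case "$1" in
        *"Fake LE"*|*"(STAGING)"*) echo staging ;;
        *"Let's Encrypt"*)         echo production ;;
        *)                         echo unknown ;;
    esac
}

# Issuer of the (first) certificate in a PEM file.
pem_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Issuer of the leaf certificate a live host actually serves. SNI is set so
# CloudFront selects the right distribution. Needs network; not run in tests.
served_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# True if config.py still points the ACME client at the staging directory
# (the swap in the thread: replace the staging URL on line 1 of
# config.py.dist with the production URL on the line below it).
config_uses_staging() {
    grep -q 'acme-staging' "$1"
}

# Cleanup after switching to production, as the maintainer describes: the
# lambda only looks at days-to-expiry, so the staging cert must be detached
# from the distribution before it will issue a new one, and the stale IAM
# server certificate has no console UI and is removed with the CLI.
# Needs aws CLI credentials; not run in tests.
cleanup_staging_cert() {
    dist_id=$1
    cert_name=$2
    # Shows the ETag and the attached ViewerCertificate (IAMCertificateId).
    # Detach it in the console, or with update-distribution using the edited
    # DistributionConfig and this ETag in --if-match.
    aws cloudfront get-distribution-config --id "$dist_id"
    # Find the certificate name (cfd-... in the thread), then delete it.
    aws iam list-server-certificates --path-prefix /cloudfront/
    aws iam delete-server-certificate --server-certificate-name "$cert_name"
}

# Usage (hypothetical host and ids):
#   classify_issuer "$(served_issuer www.example.com)"   # staging|production|unknown
#   config_uses_staging config.py && echo "config.py still uses staging"
#   cleanup_staging_cert E2PDGWQPE08CPX cfd-E2PDGWQPE08CPX_20170317_064010
```

A self-signed certificate has issuer equal to subject, so a throwaway `openssl req -x509 -subj '/CN=Fake LE Intermediate X1'` cert is enough to exercise `pem_issuer` and `classify_issuer` offline; against the real distribution, `served_issuer` is what tells you whether the browser-visible chain is still the staging one.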