Updating SSL Certificates for CloudFront Distributions

Recently we had to upgrade our CloudFront distribution because our SSL certificates were set to expire.  Because we use CloudFront as a CDN for our images and for our Rails assets cache and we serve all of our assets using SSL, we had to update the SSL certificate that our CloudFront distro uses:

edit-cloudfront-distribution-ssl-settings

Since we are using a custom domain CloudFront will need to serve our SSL certificate for all SSL requests – otherwise all of our cached assets and images will fail with an ERR_INSECURE_RESPONSE for all requests to our CloudFront distribution.  Note that the screen shot above shows the part of the CloudFront distribution UI where you have to pick the SSL certificate for your distribution.

This is the important part: if you have an existing SSL certificate, Amazon will not let you simply overwrite the existing certificate.  You will have to upload a new certificate using the aws cli command line tools, and then switch the active certificate in this UI or using the command line.  Note that this will trigger a redeploy of your distribution which can take a long time.

The command line for listing your certs in iam:

aws-list-cloudfront-certificatesCloudfront expects the certificates it stores to live in the /cloudfront/cert directory (under “Path” above).  For more info on setting this stuff up from scratch, check the AWS CloudFront site for the latest incantations.

The command to upload a new certificate to IAM:

aws iam upload-server-certificate 
--server-certificate-name BlinkStarCertificate2016 
--certificate-body file://./certs/star_blinkinc_com.crt 
--private-key file://../BlinkIncCerts/star_blinkinc_com.key 
--certificate-chain file://star_blinkinc_com_cf.pem  
--path /cloudfront/cert/

Note that you will not be able to overwrite your old certificate name unless you delete it first. We chose to go with creating a new cert name and making sure that works, then deleting the old cert.  Note that the –certificate-body option must point the .crt file you get from your issuer.  The –private-key file is the private key you used to sign your cert. The –certificate-chain option specifies a .pem file that only contains the certificate chain for the root and any intermediate certificates but not the actual site certificate.  If you this command complains that “A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: 1” you probably have your site cert in the .pem file.  Remove it and you are good to go!

Oh, also note that Amazon apparently still thinks Java based command line tools are cool somehow.  Ugh.  Hence the file:// URL style syntax in the command line.  Ugly.  Awful.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s