A client error (MalformedCertificate) to parse certificate. - ssl

So I have been working on this for hours now and no luck. I have configured OpenSSL, created a private key, created a CSR, submitted the CSR to a certificate authority, received the approved certificate, and now when I try to upload it I have no luck. I am using this format:
aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem
When I try to upload it with file:// I get the following:
aws iam upload-server-certificate --server-certificate-name steptproductions --certificate-body file://Users/markhoyt/Downloads/www_steptproductions_com/www_steptproductions_com.crt.pem --private-key file://Users/markhoyt/private-key.pem
Error parsing parameter '--certificate-body': file does not exist: Users/markhoyt/Downloads/www_steptproductions_com/www_steptproductions_com.crt.pem
When I try to upload it with file:/ I get the following:
aws iam upload-server-certificate --server-certificate-name car.pem --certificate-body file:/Users/markhoyt/Downloads/www_steptproductions_com/www_steptproductions_com.crt.pem --private-key file:/Users/markhoyt/private-key.pem
A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to parse certificate. Please ensure the certificate is in PEM format.
I have created an instance and am logged onto Amazon Linux AMI with:
ssh -i steptproductions.pem ec2-user@ec2-54-183-166-45.us-west-1.compute.amazonaws.com
I cannot seem to get the files to upload to the server. Can anyone help?

Related

AWS CloudFront pre-signed URL for S3 Bucket without OAI not working

I tried to create CloudFront pre-signed URL (without OAI) manually for my S3 Bucket with HelloWorld.html as per
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html .
That's not working. Below are the manual steps I performed:
Logged on to root, and setup CloudFront Key pair. Downloaded Both Public and Private Keys
I then set up CloudFront to point to my S3 Bucket with option of pre-signed URL but without OAI. Used aws cloudfront get-distribution to check if it shows correct Key Pair ID that I setup on step 1
I wrote and tried 3 bucket policies: i) using the entire CloudFront base URL + object, ii) using just the S3 object name, iii) a policy using the entire S3 URL for the above object (unfortunately, Stack Overflow is not allowing me to add the bucket policies, saying "not properly formatted as code". The policies I wrote were as recommended in the user guide, with no spaces, enters and tabs)
I then ran the command "openssl req -x509 -new -days 100000 -key -out" to convert the downloaded private PEM file to a cert file
I then used "openssl smime -encrypt -aes-256-cbc" command to encrypt (or to create signature) for the Step 3 policy using Step 5 cert file
Then I edited the signature from Step 5 to replace "/" with "_", "+" with "-" and "=" with "~" as AWS need for signed URL
Then I created following "signed " URL manually with above edited Signature: https://xxx.cloudfront.net/HelloWorld.html?Key-Pair-Id=<Key-Pair-Id from step 1>&Expires=3600&Signature=<Edited Signature from Step 6>
I consistently get "AccessDenied" error.
What is wrong or missing in above steps?
I suspect a missing IAM policy on S3 for CloudFront. I tried Full Public Access for S3, but am still getting the AccessDenied error. The AWS user guide explains how to write an S3 IAM policy for CloudFront using OAI, but does not explain writing an S3 IAM policy for CloudFront pre-signed URLs without OAI.
There were issues with my steps including calculation of epoch time. Eventually, I resolved the problem by generating the signed url using "aws cloudfront sign" cli command and tracing back to my defective steps.

Uploading SSL Certificate to IAM for Cloudfront

There's tons of Cloudfront questions out there, however the Googling for possible problems still amazes me. Here's mine...
What I'm currently attempting right now is to upload an SSL cert to IAM so I can use a custom domain name for Cloudfront (e.g. https://assets.mydomain.com). This, however, isn't going so well. The certs were purchased from DNSimple. The AWS cli upload is as so:
aws iam upload-server-certificate \
--server-certificate-name MyDomainProduction \
--path /cloudfront/ \
--certificate-body file://~/Downloads/STAR_mydomain_com/STAR_mydomain_com.crt \
--private-key file://~/Downloads/STAR_mydomain_com.key \
--certificate-chain file://~/Downloads/STAR_mydomain_com.pem
The error:
A client error (MalformedCertificate) occurred when calling the
UploadServerCertificate operation: Unable to validate certificate
chain. The certificate chain must start with the immediate signing
certificate, followed by any intermediaries in order. The index within
the chain of the invalid certificate is: 1
I think I've tried 500 different possibilities and I'm out of ideas as to why I can't get things to work. Here's what I got in my toolbox for what DNSimple and Comodo handed back to me:
STAR_mydomain_com.pem
STAR_mydomain_com.key
STAR_mydomain_com/AddTrustExternalCARoot.crt
STAR_mydomain_com/COMODORSADomainValidationSecureServerCA.crt
STAR_mydomain_com/COMODORSAAddTrustCA.crt
STAR_mydomain_com/STAR_mydomain_com.crt
What's the right combination of crts, pem, and key to get SSL working on Cloudfront?
You're almost done. The error is that you are using the wrong intermediate certificate file. You should use the bundle that only includes the chain, without the primary certificate.
In other words, from the DNSimple installation wizard, select Other and download the files (1), (2) and (4). You downloaded (3) instead of (4).
The main difference is that (3) is (4) + (1). But as you are already passing (1) explicitly using the --certificate-body param, Cloudfront only wants the chain without the primary.

Uploading SSL certificates TO IAM

I have 4 certificates which I received from the CA (SSL):
Root CA Certificate - 123.crt
Intermediate CA Certificate - 456.crt
Intermediate CA Certificate - 789.crt
Your PositiveSSL Certificate - 654.crt
I have generated circuit.pem (private key) and csr.pem, through which I got these certificates.
Now, I want to upload these certificates to IAM using
aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file
AWS - Working with Server Certificates
But I am not able to gauge which is my server certificate and how I can upload all my certificates.
Please help me with the above command for my above certificates.
I tried :
aws iam upload-server-certificate --server-certificate-name MyServerCertificate --certificate-body file://www_advisorcircuit_com.crt --private-key file://circuit.pem --certificate-chain file://COMODORSAAddTrustCA.crt
I am getting this error:
A client error (InvalidClientTokenId) occurred when calling the UploadServerCertificate operation: The security token included in the request is invalid.
I have to say, getting this to work was a huge pain in the ass. Basically you are missing the user configuration details. You have to create a user on Amazon using the IAM service here https://console.aws.amazon.com/iam/home. Pay attention to what your region is in the url, you'll need that later. So create a user, attach a policy (I attached AdministratorAccess), "Create Access Key", download credentials for the user and use them to run:
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Some caveats on getting the certificate install command to work. Make sure the files have readable permissions... I think I specified 664. I specified the .pem extension on all the files... I believe AWS prefers the old school style key files, so I had to run
openssl rsa -in my_key.key -text > new_key.pem
An additional hint (because that's what happened to me)
Run echo $AWS_ACCESS_KEY_ID and echo $AWS_SECRET_ACCESS_KEY to check if these ENV variables are set.
No matter what you pass to aws configure, the ENV variables will override it.
Configuration Settings and Precedence
Yes, this is tricky even when you have configured all IAM access for a user and are then trying to upload a certificate using their access keys.
I got this problem many times. Here is how I solved it.
When the user does not have the required IAM access (like Upload Server Certificate, etc.) -> You need to make sure that the user has the right access; maybe try after giving full IAM access to the user.
Of course, the region and the other user details should be correct, as discussed in previous answers.
Was trying with an older terminal session (this terminal had been running for more than 24 hours) -> Relaunch the terminal and try the same command. Yes, I observed this issue twice. I simply relaunched the terminal, performed the same command, and it worked.
Command with absolute path:
aws iam upload-server-certificate --server-certificate-name mycertificate --certificate-body file:///Users/raushan/Downloads/com/certificate.pem --private-key file:///Users/raushan/Downloads/com/private_key.pem --certificate-chain file:///Users/raushan/Downloads/com/CertChain.pem
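Three of the threads above fail for reasons that can be checked locally before the API is ever called: the form of the file:// argument (first question), a chain bundle that contains the leaf or is in the wrong order (the "certificate chain must start with the immediate signing certificate" error), and not knowing which of the files a CA hands back is the server certificate. As an added example, not code from any of the posts or from AWS, this POSIX shell script does those checks with openssl. File names are placeholders; the file:// resolution mirrors how the CLI reads such parameters (the prefix must be exactly file://, the rest is a path, relative unless it begins with /, with a leading ~ expanded), which is why "file:/Users/..." with a single slash is sent verbatim as the certificate body and comes back as MalformedCertificate.

```shell
#!/bin/sh
# Local pre-flight checks before "aws iam upload-server-certificate".
# Added example, not code from any of the posts above; assumes openssl is
# on PATH and uses placeholder file names. Usage:
#   preflight_upload LEAF.crt PRIVATE.key CHAIN.pem

# Resolve an argument the way the CLI reads "file://" parameters: prefix must
# be exactly "file://"; the rest is a path, relative to the current directory
# unless it starts with "/" (so an absolute path reads "file:///Users/..."),
# and a leading "~" is expanded. Anything else is sent verbatim as the value.
resolve_file_arg() {
    case "$1" in
        "file://~/"*) printf '%s\n' "$HOME/${1#file://~/}" ;;
        file://*)     printf '%s\n' "${1#file://}" ;;
        *)            printf 'LITERAL:%s\n' "$1" ;;
    esac
}

# First PEM label in a file: CERTIFICATE, RSA PRIVATE KEY, PRIVATE KEY, ...
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# True when the certificate's RSA modulus equals the private key's. Of the
# files a CA hands back, the one that passes this check is the server
# certificate to pass as --certificate-body. "-passin pass:x" keeps openssl
# from prompting if the key turns out to be password-protected.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" -passin pass:x 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# Print the DN after "subject=" or "issuer=" so the two can be compared.
dn() { openssl x509 -noout "-$1" -in "$2" 2>/dev/null | sed 's/^[a-z]*=[ ]*//'; }

# Check the chain file the way IAM wants it: certificate 1 must be the issuer
# of the leaf, certificate 2 the issuer of certificate 1, and so on, and the
# leaf itself must not be in the bundle. Prints "ok", or the 1-based index of
# the first certificate that breaks the order and returns 1.
check_chain() {
    leaf=$1; chain=$2
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/c" n ".pem")}' "$chain"
    leaf_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$leaf" 2>/dev/null)
    expect=$(dn issuer "$leaf")
    i=1
    while [ -f "$tmp/c$i.pem" ]; do
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$tmp/c$i.pem" 2>/dev/null)
        if [ "$fp" = "$leaf_fp" ] || [ "$(dn subject "$tmp/c$i.pem")" != "$expect" ]; then
            echo "$i"; rm -rf "$tmp"; return 1
        fi
        expect=$(dn issuer "$tmp/c$i.pem")
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$i" -gt 1 ] || return 1
    echo ok
}

# Run every check; returns 0 only when the three files are ready to upload.
preflight_upload() {
    leaf=$1; key=$2; chain=$3; rc=0
    for f in "$leaf" "$key" "$chain"; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    done
    # Credentials in the environment win over the "aws configure" profile.
    [ -n "$AWS_ACCESS_KEY_ID" ] && echo "note: AWS_ACCESS_KEY_ID is set and overrides the aws configure profile"
    [ "$(pem_label "$leaf")" = "CERTIFICATE" ] || { echo "certificate-body is not a PEM CERTIFICATE"; rc=1; }
    case $(pem_label "$key") in
        "RSA PRIVATE KEY"|"PRIVATE KEY") ;;
        *) echo "private key is not PEM (convert with: openssl rsa -in KEY -out KEY.pem)"; rc=1 ;;
    esac
    grep -q ENCRYPTED "$key" && { echo "private key is password-protected; IAM needs it unencrypted"; rc=1; }
    key_matches_cert "$leaf" "$key" || { echo "private key does not match certificate-body"; rc=1; }
    bad=$(check_chain "$leaf" "$chain") || { echo "certificate-chain: bad certificate at index $bad"; rc=1; }
    return $rc
}
```

For the DNSimple/Comodo file set above, running key_matches_cert against each .crt singles out STAR_mydomain_com.crt as the body, and check_chain with a bundle of COMODORSADomainValidationSecureServerCA.crt followed by COMODORSAAddTrustCA.crt (and optionally AddTrustExternalCARoot.crt) returns "ok", while a bundle that also contains the leaf reports the index at which it sits.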

Upload a Signed Certificate to Amazon EC2?

I'm very new to Amazon EC2. I am trying to set up HTTPS for my website, and I followed the official instructions from the Amazon docs: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
And I get stuck at the Upload the Signed Certificate step
aws iam upload-server-certificate --server-certificate-name <certificate_object_name> \
--certificate-body <public_key_certificate_file> --private-key <privatekey.pem> \
--certificate-chain <certificate_chain_file>
As per the instructions, I just created a private key (privatekey.pem) and a Certificate Signing Request (csr.pem), but in the command line they request 4 params
certificate_object_name
public_key_certificate_file
private-key --> I only have this one
certificate_chain_file
I don't know where to get the 3 remaining params; please help shed some light.
You probably found an answer for this already:
certificate_object_name -- This is anything you want as an identifier for the certificate
public_key_certificate_file -- This is the key that your certificate issuer provided you
private-key --> I only have this one -- This is the key that you used to generate the certificate request to the provider ... not the request itself
certificate_chain_file -- This is a bundle certificate also provided by the issuing authority. It is optional for the upload to AWS. See this line in the documentation:
"If you are uploading a self-signed certificate and it's not important that browsers implicitly accept the certificate, you can omit the --certificate-chain option and upload just the server certificate and private key"

Amazon AWS upload-server-certificate format

I have a website hosted on Amazon elasticbeanstalk and now I need to configure it for https and SSL. I have completed the first step from the link below "Create a custom domain with your DNS provider":
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
So now my amazon elasticbeanstalk site, example.elasticbeanstalk.com has custom domain example.com (I used Amazon Route 53 for this).
I am now performing step 2 from link above and following instructions given at the following link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/InstallCert.html
I have created privatekey.pem and server.crt which I need to upload to Amazon IAM. I need help with the format of the following command to upload to IAM. My privatekey.pem and server.crt are located at Users/Kash on my Mac
aws iam upload-server-certificate --server-certificate-name
CertificateName --certificate-body file://public_key_certificate_file
--private-key file://privatekey.pem
I typed the following but get the error "keywords must be strings"
aws iam upload-server-certificate --server-certificate-name "TestCert"
--certificate-body file://server.crt --private-key file://privatekey.pem
I am not familiar with typing commands on terminal and need help
The error is referring to the quotation marks at your "TestCert" certificate name. There should be no quotation marks, as follows:
aws iam upload-server-certificate --server-certificate-name TestCert --certificate-body file://server.crt --private-key file://privatekey.pem
Hope this helps!