After successfully generating a certificate with the following:
AWS_REGION=us-east-1 AWS_ACCESS_KEY_ID={id} AWS_SECRET_ACCESS_KEY={key} lego --dns="route53" -d={bunch of names} run
I attempted to upload to AWS using the following:
{AWS token keys} aws iam upload-server-certificate --server-certificate-name Cert-expires-2017-01-15 --certificate-body file://subject.crt --certificate-chain file://lets-encrypt-x3-cross-signed.pem --private-key file://subject.key
and I'm getting this error from AWS:
A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: -1
Any idea what's missing here?
It seems like AWS is expecting the certificate file to consist of all three certificates of the chain. We only supply the bottom two certificates in our output (LE intermediate and the client cert).
Does it work if you prepend the DST Root CA X3 to the bundle (from here)?
Didn't have much luck with that, but their ELB docs didn't mention that IAM doesn't actually need the chain whereas the CLI docs clarified that. I omitted the chain from my request and both the upload and usage of the certificate have worked fine.
Thanks for the suggestion!
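For anyone hitting the same MalformedCertificate error, an added helper (not lego's own code) that splits a lego-style bundle (leaf first, then intermediate) into the `--certificate-body` and `--certificate-chain` inputs and builds the `aws iam upload-server-certificate` call, dropping `--certificate-chain` when there is no intermediate, in line with the finding above that IAM does not require it. The PEM bodies in SAMPLE_BUNDLE are constructed placeholders, not real certificates.

```python
import re
import shlex

# One PEM certificate block, armor lines included; DOTALL lets '.' span the base64 lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample: a fake leaf followed by a fake intermediate, in the order lego writes them.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
LEAFLEAFLEAFLEAFLEAFLEAFLEAFLEAFLEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEINTERMEDIATEINTERMEDIATE
-----END CERTIFICATE-----
"""


def split_pem_bundle(bundle):
    """Return every PEM certificate in the bundle as its own string, in file order."""
    return [m.group(0) + "\n" for m in PEM_CERT_RE.finditer(bundle)]


def split_leaf_and_chain(bundle):
    """First cert is the leaf (certificate body); everything after it is the chain.
    Assumes the bundle is ordered leaf -> intermediates, which is what lego emits."""
    certs = split_pem_bundle(bundle)
    if not certs:
        raise ValueError("no PEM certificates found in bundle")
    return certs[0], "".join(certs[1:])


def build_upload_command(name, leaf_path, key_path, chain_path, chain_pem):
    """Build the argv for the IAM upload; --certificate-chain is only added when
    chain_pem actually contains an intermediate (IAM accepts uploads without it)."""
    args = ["aws", "iam", "upload-server-certificate",
            "--server-certificate-name", name,
            "--certificate-body", "file://" + leaf_path,
            "--private-key", "file://" + key_path]
    if chain_pem.strip():
        args += ["--certificate-chain", "file://" + chain_path]
    return args


if __name__ == "__main__":
    leaf, chain = split_leaf_and_chain(SAMPLE_BUNDLE)
    cmd = build_upload_command("Cert-expires-2017-01-15", "subject.crt",
                               "subject.key", "chain.pem", chain)
    print(" ".join(shlex.quote(a) for a in cmd))
```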
@benjamincudi Your answer saved many hours of my time. Thanks for that. I already wasted a day figuring this out!