KeyError: 'IAMCertificateId' on new distribution #76

Closed
mseelye opened this Issue Aug 10, 2018 · 10 comments


mseelye commented Aug 10, 2018

When I attempt to run this against a distribution that does not have a current IAM Certificate (was set to default CloudFront cert) I get the following error:

2018-08-10 11:39:51,088:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/redacted/bin/certbot", line 11, in
sys.exit(main())
File "/redacted/lib/python3.5/site-packages/certbot/main.py", line 1364, in main
return config.func(config, plugins)
File "/redacted/lib/python3.5/site-packages/certbot/main.py", line 1131, in run
_install_cert(config, le_client, domains, new_lineage)
File "/redacted/lib/python3.5/site-packages/certbot/main.py", line 772, in _install_cert
path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
File "/redacted/lib/python3.5/site-packages/certbot/client.py", line 498, in deploy_certificate
self.installer.save() # needed by the Apache plugin
File "/redacted/lib/python3.5/site-packages/certbot_s3front/installer.py", line 109, in save
if cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:
KeyError: 'IAMCertificateId'
2018-08-10 11:39:51,088:ERROR:certbot.log:An unexpected error occurred:

It seems as if this might be related to the recent changes made to support renew. I'm not certain though.


mseelye commented Aug 10, 2018

Not sure it is evident from the log, but certbot had created and uploaded the cert at this point. I was able to manually go into the CF dist and update the dist to use the uploaded cert and the cert is valid and works.


coldice commented Aug 20, 2018

Same here. On the default configuration, the XML returned has the following section:

<ViewerCertificate>
    <CloudFrontDefaultCertificate>true</CloudFrontDefaultCertificate>
    <MinimumProtocolVersion>TLSv1</MinimumProtocolVersion>
    <CertificateSource>cloudfront</CertificateSource>
  </ViewerCertificate>

Where the script is looking for IAMCertificateId.

As mentioned, the cert is properly stored in the IAM user's server certificates and can be installed manually. After the first one is set up, installing (and therefore I think renew as well) through the script works as expected.


praetp commented Aug 21, 2018

Facing the same issue with a new CF distribution.


plancast commented Aug 27, 2018

I fixed this problem locally by updating installer.py with the following code change:

if cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:
  return;

to

if 'IAMCertificateId' in cf_cfg['DistributionConfig']['ViewerCertificate'] and cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:
  return;
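
The missing-key case from this thread and a guarded alternative, as an added example that is not part of the thread or of certbot-s3front's code. It works offline on plain dicts shaped like the ViewerCertificate section quoted above; the function names, the sample certificate IDs and the `sni-only` fallback are assumptions.

```python
import copy

# Constructed sample: the default-certificate shape quoted in this thread.
DEFAULT_CFG = {"DistributionConfig": {"ViewerCertificate": {
    "CloudFrontDefaultCertificate": True,
    "MinimumProtocolVersion": "TLSv1",
    "CertificateSource": "cloudfront",
}}}
# Constructed sample: a distribution already on an IAM certificate (made-up ID).
IAM_CFG = {"DistributionConfig": {"ViewerCertificate": {
    "IAMCertificateId": "ASCAEXAMPLEOLDCERT",
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1",
}}}


def current_iam_certificate_id(cf_cfg):
    """Return the IAM certificate ID in use, or None if the key is absent."""
    viewer = cf_cfg.get("DistributionConfig", {}).get("ViewerCertificate", {})
    return viewer.get("IAMCertificateId")


def plan_viewer_certificate(cf_cfg, certificate_id):
    """Return (changed, config) for pointing the distribution at certificate_id."""
    if not certificate_id:
        # Without this guard, None would "match" a distribution with no IAM cert.
        raise ValueError("certificate_id must be a non-empty string")
    if current_iam_certificate_id(cf_cfg) == certificate_id:
        return False, cf_cfg  # already deployed, nothing to update
    new_cfg = copy.deepcopy(cf_cfg)  # never mutate the caller's copy
    dist = new_cfg.setdefault("DistributionConfig", {})
    old = dist.get("ViewerCertificate", {})
    # Rebuild the section so CloudFrontDefaultCertificate and other
    # default-certificate keys are not carried over next to the IAM ID.
    dist["ViewerCertificate"] = {
        "IAMCertificateId": certificate_id,
        "SSLSupportMethod": old.get("SSLSupportMethod", "sni-only"),  # assumed default
        "MinimumProtocolVersion": old.get("MinimumProtocolVersion", "TLSv1"),
    }
    return True, new_cfg


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("iam", IAM_CFG)):
        changed, new_cfg = plan_viewer_certificate(cfg, "ASCAEXAMPLENEWCERT")
        print(name, changed, new_cfg["DistributionConfig"]["ViewerCertificate"])
```
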

dlapiduz commented Aug 29, 2018

@plancast do you want to send a PR for that change? It is a bug that I didn't test the latest version with a new distro.

plancast added a commit to plancast/certbot-s3front that referenced this issue Aug 29, 2018

dlapiduz added a commit that referenced this issue Aug 31, 2018


sambokai commented Sep 14, 2018

Had the same problem. @plancast's changes made it work.

The changes don't seem to have been propagated to the pip registry yet.


carcus88 commented Oct 16, 2018

@dlapiduz Would bumping the version number up to 0.4.2 cause PyPI to update its sources? I'm facing the same issue where it fails with KeyError: 'IAMCertificateId' using the pip installed package which currently is built from the source as it was on Jul 23, 2018.


lindell commented Dec 4, 2018

@dlapiduz First, thanks for the awesome plugin. But it still does not seem to exist in pip. Had to manually patch it to get it to work.


PaulRBerg commented Dec 22, 2018

Also confirming that this is still not in pip but @plancast's update works perfectly.


dlapiduz commented Jan 4, 2019

Hi folks, I just bumped the version and pushed to PyPI. Apparently the old CI system is not working anymore so I had to set up a new one...

dlapiduz closed this Jan 4, 2019
