
node-acme-lambda's Introduction

Node Lambda ACME (Let's Encrypt-compatible)

Use AWS Lambda to manage SSL certificates for ACME providers.

How does it work?

This project uses AWS Lambda to check a set of certificates for expiration periodically (once per day). If a certificate is about to expire, invalid, or missing, it requests a new certificate from the ACME infrastructure.

Certificates are stored in S3, which can easily be configured to send an SNS notification based upon a PUT event into the configured bucket.

Project status

Please see the roadmap for a sorted list of upcoming features by priority.

AWS Configuration

This project requires a little configuration to be used in AWS.

General configuration

Modify the configuration file with the values needed for your environment:

Variable: Description
  • acme-directory-url: Change to the production URL (https://acme-v01.api.letsencrypt.org) when ready for a real certificate.
  • acme-account-email: Email of the user requesting the certificate.
  • s3-account-bucket: An S3 bucket to place account keys/config data into. You will need to create this bucket and give the IAM role read/write access to it.
  • s3-cert-bucket: An S3 bucket to place domain certificate data into. You will need to create this bucket and give the IAM role read/write access to it.
  • s3-folder: A folder within the above buckets to place the files under, in case there are other contents in these buckets.
  • certificate-info: Object containing certificate information, mapping certificate names to domains.

ACME v2 Support

Change the acme-directory-url to one of the v2 urls:

and you will be able to request wildcarded certificates.

Execution

Follow these steps to get started:

  1. Git-clone this repository.

     $ git clone git@github.com:ocelotconsulting/node-acme-lambda.git
    
  2. Modify configuration (as above).

  3. Create S3 buckets, IAM role, then test locally:

     $ npm run local-cert
    
  4. Package lambda zip:

     $ npm run dist
    
  5. Create lambda by uploading zip, set the handler to "app.handler", and establish your desired trigger (i.e. periodic).

Optional: You can write your certificates to a PEM file by executing:

    $ npm run pems

certificate-info field of configuration file

  • Certificate names are the keys of a JSON object; each one denotes a set of sub/domains to use as SAN names in the certificate.
  • The value of each certificate name key is an array of sub/domains, each of which can be either:
    • a string (the default; looks for a Route53 hosted zone with 2 levels. This is all that is currently supported for v2/wildcard certificates)
    • or an object, with both name and zoneLevels defined, allowing hosted zones at levels greater than 2 (i.e. host.at.longer.domain.com could specify 4 zone levels, which would require proper NS records in the parent Route53 hosted zone or other DNS).
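
One way to read the two entry forms described above, as an added example that is not the project's own code. It assumes zoneLevels counts the trailing DNS labels that form the Route53 hosted zone name; the helper names, the example.com domains and the hosted-zone list are constructed for illustration.

```javascript
// Added example, not code from node-acme-lambda.
// Assumption: zoneLevels = number of trailing DNS labels in the hosted zone name.
const DEFAULT_ZONE_LEVELS = 2

// Accept either entry form from certificate-info and return a uniform shape.
const normalizeEntry = (entry) => {
  const { name, zoneLevels = DEFAULT_ZONE_LEVELS } =
    typeof entry === 'string' ? { name: entry } : entry
  if (typeof name !== 'string' || name.length === 0) {
    throw new Error(`certificate-info entry has no name: ${JSON.stringify(entry)}`)
  }
  if (!Number.isInteger(zoneLevels) || zoneLevels < 2) {
    throw new Error(`zoneLevels for ${name} must be an integer >= 2`)
  }
  // A wildcard is validated at its base name, so drop the leading "*.".
  const base = name.replace(/^\*\./, '').replace(/\.$/, '').toLowerCase()
  const labels = base.split('.')
  if (labels.length < zoneLevels) {
    throw new Error(`${name} has fewer than ${zoneLevels} labels`)
  }
  return {
    name,
    zoneLevels,
    zoneName: labels.slice(-zoneLevels).join('.'),
    challengeRecord: `_acme-challenge.${base}`
  }
}

// Match the derived zone against a hosted-zone listing and fail with a
// readable message when nothing matches, before any DNS change is attempted.
const findHostedZoneId = (entry, hostedZones) => {
  const { name, zoneName } = normalizeEntry(entry)
  const zone = hostedZones.find((z) => z.Name.toLowerCase() === `${zoneName}.`)
  if (!zone) {
    throw new Error(`No hosted zone named ${zoneName}. for ${name}; check zoneLevels`)
  }
  return zone.Id
}

// Walk a whole certificate-info object: certificate name -> plan per SAN entry.
const planCertificates = (certificateInfo) =>
  Object.fromEntries(
    Object.entries(certificateInfo).map(([certName, entries]) => {
      if (!Array.isArray(entries) || entries.length === 0) {
        throw new Error(`${certName} must map to a non-empty array of domains`)
      }
      return [certName, entries.map(normalizeEntry)]
    })
  )

// Constructed sample data (not real zones or zone ids).
const sampleCertificateInfo = {
  wildcard: ['*.example.com', 'example.com'],
  deep: [{ name: 'host.at.longer.example.com', zoneLevels: 4 }]
}
const sampleHostedZones = [
  { Id: '/hostedzone/ZEXAMPLE1', Name: 'example.com.' },
  { Id: '/hostedzone/ZEXAMPLE2', Name: 'at.longer.example.com.' }
]
```

Running planCertificates over a configuration before deployment surfaces a wrong zoneLevels value as a configuration error rather than as a failed challenge at renewal time.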

node-acme-lambda's People

Contributors

gableroux, larryboymi, thenickdude


node-acme-lambda's Issues

Not compliant with new authentication standards in ACMEv2 (POST-as-GET)

Whilst experimenting with this project, I've hit a brick wall where v2 support will be totally broken for most actions when talking to an ACME server (especially via Let's Encrypt's Boulder).

Unauthenticated GETs are now unsupported from ACME v2 STAGING and fully gone in v2 PRODUCTION by November 2020.

https://mailarchive.ietf.org/arch/msg/acme/sotffSQ0OWV-qQJodLwWYWcEVKI
https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
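
The request shape this issue refers to, as an added example that is not part of the original post or the project's code: under POST-as-GET a resource is fetched with a POST whose JWS is signed by the account key and whose payload is the empty string. The key pair, account URL (kid), nonce and order URL are constructed placeholders; a real client takes each nonce from the previous response's replay-nonce header.

```javascript
// Added example, not node-acme-lambda code. All URLs and the nonce are constructed.
const nodeCrypto = require('crypto')

const b64url = (input) =>
  Buffer.from(input).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')

// Build a flattened JWS body. payload === '' selects POST-as-GET: the
// "payload" member is the empty string, not the encoding of "{}" or '""'.
const signAcmeRequest = ({ privateKey, kid, nonce, url, payload = '' }) => {
  const protectedHeader = b64url(JSON.stringify({ alg: 'RS256', kid, nonce, url }))
  const encodedPayload = payload === '' ? '' : b64url(JSON.stringify(payload))
  // RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over "<protected>.<payload>".
  const signature = nodeCrypto.sign(
    'sha256',
    Buffer.from(`${protectedHeader}.${encodedPayload}`),
    privateKey
  )
  return { protected: protectedHeader, payload: encodedPayload, signature: b64url(signature) }
}

// What fetching an order, authorization or certificate looks like once
// unauthenticated GETs are no longer accepted.
const buildPostAsGet = (session, resourceUrl) => ({
  method: 'POST',
  url: resourceUrl,
  headers: { 'content-type': 'application/jose+json' },
  body: signAcmeRequest({ ...session, url: resourceUrl, payload: '' })
})

// Receiver's view: check the signature and decode the protected header.
// The url inside the signed header binds the request to one resource.
const inspectJws = (jws, publicKey) => {
  const valid = nodeCrypto.verify(
    'sha256',
    Buffer.from(`${jws.protected}.${jws.payload}`),
    publicKey,
    Buffer.from(jws.signature, 'base64') // Node's decoder also accepts base64url
  )
  const header = JSON.parse(Buffer.from(jws.protected, 'base64').toString('utf8'))
  return { valid, header, postAsGet: jws.payload === '' }
}

// Constructed session: throwaway key, placeholder account URL and nonce.
const makeDemoSession = () => {
  const { privateKey, publicKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 })
  return {
    privateKey,
    publicKey,
    kid: 'https://acme.example/acct/1',
    nonce: 'constructed-nonce-0001'
  }
}
```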

Errors in using LTS node js version 12.16.1

I am using this lambda function to generate letsencrypt certificates and then put them in an s3 bucket, so that later when I bake images it picks up the certificate from s3. I am using the node version below on my Mac, where this fails.

| => node --version
v12.16.1

However, I get below error when I run it locally.

| => npm run local-cert

> [email protected] local-cert /Users/shaileshsutar/company_name/project_name/node-acme-lambda
> node bin/local.js

s3://uat-bucket-name/acme/host.uat.product.company_name.net.json does not exist.
Certificate with key host.uat.product.company_name.net is missing, going to regenerate.
Submitting new order to https://acme-v02.api.letsencrypt.org/acme/new-order for [{"name":"host.uat.product.company_name.net","zoneLevels":3}]
deprecation notice: new signature for signJws(keypair, header, protect, payload)
(node:9847) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Couldn't retrieve hosted zones from Route53 TypeError: Cannot read property 'Id' of undefined
    at /Users/shaileshsutar/company_name/project_name/node-acme-lambda/src/aws/route53/getHostedZoneId.js:12:96
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Promise.all (index 0)
    at async Promise.all (index 0)
Couldn't write token digest to DNS record. TypeError: Cannot read property 'Id' of undefined
    at /Users/shaileshsutar/company_name/project_name/node-acme-lambda/src/aws/route53/getHostedZoneId.js:12:96
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Promise.all (index 0)
    at async Promise.all (index 0)
Experienced error getting challenges TypeError: Cannot read property 'Id' of undefined
    at /Users/shaileshsutar/company_name/project_name/node-acme-lambda/src/aws/route53/getHostedZoneId.js:12:96
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Promise.all (index 0)
    at async Promise.all (index 0)
Results are [{"err":true,"msg":"Updating cert for host.uat.product.company_name.net, received err TypeError: Cannot read property 'Id' of undefined, TypeError: Cannot read property 'Id' of undefined\n    at /Users/shaileshsutar/company_name/project_name/node-acme-lambda/src/aws/route53/getHostedZoneId.js:12:96\n    at processTicksAndRejections (internal/process/task_queues.js:97:5)\n    at async Promise.all (index 0)\n    at async Promise.all (index 0)"}]

From the error, I understand that there is a function Buffer() which is deprecated. What I don't understand is the error cannot read property 'Id'. This works fine with lambda nodejs runtime version 10.x; however, it fails when I run it on nodejs version 12.x.

Am I missing something here? The reason I am raising this here again is that we are getting emails from letsencrypt which state that we are using the old acme v1 protocol for retrieving certs. However, this is not the case. I have already updated my config.js file with the appropriate acme v2 protocol. Below is the config file I am using.

const defaultCertInfo = {
  "host.uat.product.company_name.net": [{"name": "host.uat.product.company_name.net", "zoneLevels": 3}]
}

module.exports = {
  's3-account-bucket': process.env.S3_ACCOUNT_BUCKET || 'uat-bucket-name',
  's3-cert-bucket': process.env.S3_CERT_BUCKET || 'uat-bucket-name',
  's3-folder': process.env.S3_CERT_FOLDER || 'acme',
  'certificate-info': process.env.S3_CERT_INFO ? JSON.parse(process.env.S3_CERT_INFO) : defaultCertInfo,
  'acme-dns-retry': 30,
  'acme-dns-retry-delay-ms': 2000,
  'acme-account-file': process.env.ACME_ACCOUNT_FILE || 'acme-account',
  'acme-account-email': process.env.ACME_ACCOUNT_EMAIL || 'aws-product-nonprod@company_name.com',
  'acme-account-key-bits': 4096,
  'acme-directory-url': 'https://acme-v02.api.letsencrypt.org',
  'region': process.env.AWS_REGION || 'eu-west-1'
}

It may not be related to the nodejs version; however, I just want to make sure we are not at risk due to this. By the way, I have anonymized the actual value.

Regards,
Shailesh

403 Finalize Error on Renewal

We've had this running for a couple years now without issue, but it seems we are now getting 403 Forbidden on the finalize step when the certificates go to renew. Is anyone else getting this?

Seems to be coming from: https://github.com/ocelotconsulting/node-acme-lambda/blob/master/src/acme/v2/newCertificate.js#L13

INFO The error was {"req":{"method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/finalize/***obfuscated***/***obfuscated***","data":{"protected":"***obfuscated***"},"headers":{"content-type":"application/jose+json"}},"header":{"server":"nginx","date":"Wed, 19 Aug 2020 14:39:09 GMT","content-type":"application/problem+json","content-length":"152","connection":"close","boulder-requester":"obfuscated","cache-control":"public, max-age=0, no-cache","link":"https://acme-v02.api.letsencrypt.org/directory;rel="index"","replay-nonce":"obfuscated"},"status":403,"text":"{\n "type": "urn:ietf:params:acme:error:orderNotReady",\n "detail": "Order's status (\"invalid\") is not acceptable for finalization",\n "status": 403\n}"}

Some notes to upgrade the project

First, thanks @larryboymi for this project, it made the job much easier!

I got this project working using Windows/VSCode. I upgraded all dependencies to the latest package versions as of 21-Nov-2019 and deployed the zip file to AWS Lambda with Node 12.x. After the upgrade, npm install reports 0 vulnerabilities. Having said that, there are a lot of deprecated functions that should be updated that I didn't get around to.

I made some notes while I was getting this working which are copied below. They essentially describe how I did some basic updates to the code and some tips for config and deployment. I thought this might help others, and maybe could be a starting point to refresh the project. Sry, didn't have time to do a PR.

Upgrading packages

  • I used npm-check-updates to update all the dependencies.
  • Install npm-check-updates globally then run ncu -u to update package.json
  • Delete package-lock.json (I usually delete the node_modules directory to be sure)
  • Update /util/generateRSAKeyPair.js as follows:
// const promisify = require('es6-promisify')
const { promisify } = require('es6-promisify')
  • Update zip.js as follows:
/* zipfile.bulk([
  { expand: true, cwd: './/', src: ['app.js', 'config.js'] },
  { expand: true, cwd: './', src: ['src/**'] },
  { expand: true, cwd: './build', src: ['**'] }
]) */
zipfile.file('app.js')
zipfile.file('config.js')
zipfile.directory('src', 'src')
zipfile.directory('build', false)

Run npm i or npm run dist and you should see 0 vulnerabilities

Clearly still a bit of cleanup required to get this fully updated, some areas might be:

  • Update deprecated packages
  • Update deprecated functions

Other Tips

  • If you use VSCode to build, then run npm run dist in bash shell (not powershell/cmd/etc) to allow the commands in package.json like mv and other bash style commands to work.
  • Note that you must have something for s3Folder in config.js (empty is not valid)
  • For the IAM role (see AWS.md), took me a little while to figure out where I could get the ARN for the route53 hostedzone by looking at the url when you go into Route53 domain manager.
  • BTW.. I never figured out how to test locally, where are you supposed to put your credentials? Anyway, I just uploaded the zip file to AWS lambda.
  • On Windows you may need to install Python2.7 (at c:\Python27) Not sure about this, seemed to be needed by some packages pre-upgrade... but then after the upgrade I didn't see it using python, so might not be required any more.

Example config

I rearranged the config a bit, just feels a bit more readable to me. If you modify the default config.js then make sure to update the ACME_DIRECTORY_URLs to the latest.

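// Environment variables are strings, so compare explicitly: with `|| false`, USE_PRODUCTION=false would be truthy and select production.
const USE_PRODUCTION = process.env.USE_PRODUCTION ? process.env.USE_PRODUCTION === 'true' : false // Change this to true for production.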

const defaultCertInfo = {
  'somedomain': ['*.somedomain.com']
}

const s3AccountBucket = 'acme-account.somedomain.com' // Create this bucket
const s3CertBucket = 'acme-certs.somedomain.com' // Create this bucket
const s3Folder = 'certs' // Create this folder on both buckets
const acmeAccountFile = 'account' // This is the filename of a file that gets created in s3AccountBucket/s3Folder. It is pretty much a certificate file.
const acmeAccountEmail = 'YOUR_EMAIL_ADDRESS'
const awsRegion = 'ap-southeast-2' // Enter a region.

// Should not need to edit below this line.
const productionDirectoryUrl = process.env.ACME_DIRECTORY_URL || 'https://acme-v02.api.letsencrypt.org' // 'https://acme-v01.api.letsencrypt.org'
const stagingDirectoryUrl = process.env.ACME_DIRECTORY_URL || 'https://acme-staging-v02.api.letsencrypt.org' // 'https://acme-staging.api.letsencrypt.org'

module.exports = {
  's3-account-bucket': process.env.S3_ACCOUNT_BUCKET || s3AccountBucket,
  's3-cert-bucket': process.env.S3_CERT_BUCKET || s3CertBucket,
  's3-folder': process.env.S3_CERT_FOLDER || s3Folder,
  'certificate-info': process.env.S3_CERT_INFO ? JSON.parse(process.env.S3_CERT_INFO) : defaultCertInfo,
  'acme-dns-retry': 30,
  'acme-dns-retry-delay-ms': 2000,
  'acme-account-file': process.env.ACME_ACCOUNT_FILE || acmeAccountFile,
  'acme-account-email': process.env.ACME_ACCOUNT_EMAIL || acmeAccountEmail,
  'acme-account-key-bits': 2048,
  'acme-directory-url': USE_PRODUCTION ? productionDirectoryUrl : stagingDirectoryUrl,
  'region': process.env.AWS_REGION || awsRegion
}

Save raw cert files

I also edited createV2Certificate.js, and added a function to save a bunch of raw certificate files.

Copy in this function and change saveCertificate to saveCerts.

const saveCerts = async (data) => {
  await saveFile(
    config['s3-cert-bucket'],
    config['s3-folder'],
    `${data.key}.json`,
    JSON.stringify({
      key: data.keypair,
      cert: data.cert,
      issuerCert: data.issuerCert
    })
  )
  await saveFile(
    config['s3-cert-bucket'],
    config['s3-folder'],
    `${data.key}.key`,
    data.keypair.privateKeyPem
  )
  await saveFile(
    config['s3-cert-bucket'],
    config['s3-folder'],
    `${data.key}.cer`,
    data.cert
  )
  return {}
}

"Could not pre-validate DNS TXT record"

Hi - first of all, thanks for this project. It's about a million times easier than the others I've (unsuccessfully) tried today. I'm having a small problem, though...

Given the domain one.two.three.com, when I run npm run local-cert, I see a TXT record added to Route53 (e.g. _acme-challenge.one.two.three.com), but the script fails with

Error: Could not pre-validate DNS TXT record.

I have a couple suspicions:

  1. three.com is registered elsewhere - it exists in Route53 as a "hosted zone", and there are only a few records in there (though the nameservers are set up correctly at my registrar).
  2. this is a recent change (a couple hours ago), so maybe things aren't resolving yet. I don't think this is the case, though, as I can access one.two.three.com
  3. one.two.three.com is a CNAME in Route53 that points to a CloudFront distribution, which points to an S3 bucket (though I doubt that matters).

Here are the records in Route53:

one two three

Any idea why this isn't working?

S3 new regions only support Signature Version 4

Hi There,

I created a bucket in Asia Pacific (Seoul) and the code raised an error like the following.

[ { err: true, msg: 'Updating cert for api.local.gm.chatops.in, received err InvalidRequest: The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256., InvalidRequest: The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.\n at Request.extractError (/Users/XXX/node-letsencrypt-lambda/node_modules/aws-sdk/lib/services/s3.js:524:35)\n at Request.callListeners (/Users/XXX/node-letsencrypt-lambda/node_modules/aws-sdk/lib/sequential_executor.js:105:20)\n at Request.emit (/Users/XXX/node-letsencrypt-lambda/node_modules/aws-sdk/lib/sequential_executor.js:77:10)\n at Request.emit (/Users/XXX/node-letsencrypt-lambda/node_modules/aws-sdk/lib/request.js:661:14)\n at Request.transition (/Users/XXX/node-letsencrypt-lambda/node_modules/aws-sdk/lib/request.js:22:10)\n at AcceptorStateMachine.runTo (/Users/XXX/node-letsencrypt-lambda/node_modules/aws-sdk/lib/state_machine.js:14:12)\n at /Users/XXX/node-letsencrypt-lambda/node_modules/aws-sdk/lib/state_machine.js:26:10\n at Request.<anonymous> (/Users/XXX/node-letsencrypt-lambda/node_modules/aws-sdk/lib/request.js:38:9)\n at Request.<anonymous> (/Users/XXX/node-letsencrypt-lambda/node_modules/aws-sdk/lib/request.js:663:12)\n at Request.callListeners (/Users/XXX/node-letsencrypt-lambda/node_modules/aws-sdk/lib/sequential_executor.js:115:18)' } ]

It should be the module's issue since this region only supports Signature Version 4 (http://docs.aws.amazon.com/de_de/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version) and it worked fine in old regions.
Although I updated the aws-sdk to the latest version 2.17.0, it still has the same error, could you please kindly find a way to solve this?

Cheers.

Can I know the license

Hi There,

I would like to know this repo's license because I need to change part of it to adapt our case, but I didn't find any info about this here, could you please let me know whether I would breach something if I change it?

Thanks.

Make the code configurable from the environment

Thanks for writing this library, it is exactly what I have been looking for the last few months.

I am uploading my lambda function to AWS using terraform, using https://github.com/joshuaspence/npm-lambda-packer. As such, writing to the custom config file is a bit difficult. I have made a few changes in my own fork, which enable the configuration to be read from environment variables: https://github.com/jarro2783/node-letsencrypt-lambda/tree/config_env.

I would be interested in getting something similar merged into your repository.

The main changes I had to make are that default.json had to become default.js, and then the default values are environment variables. Of course anyone would still be free to configure that if they want, but this way the repo works as-is, as a lambda function.

License?

Hi, maybe it's an obvious question but better to be safe than sorry. What's the license?

Problem running nodejs version 10.x

We are using this code in our automation for provisioning and renewal of LE certs. This works with lambda runtime 8.10 however this fails with lambda runtime 10.x when deployed. I see no recent commits to the repository also.

Do we need to have code changes in repo in order for it to work with lambda runtime 10.x?

Awaiting reply.

Problem generating 2 wildcard certificates

Hi I am trying to use your lambda to generate 2 wildcard certs:

Using the following setup (from local running npm run certs):

const defaultCertInfo = {
  'iontab': [ '*.iontab.es', 'iontab.es' ],
  'iontab-dev': [ '*.iontab-dev.es', 'iontab-dev.es' ]
};

const productionDirectoryUrl = process.env.ACME_DIRECTORY_URL || 'https://acme-v02.api.letsencrypt.org';
const stagingDirectoryUrl = process.env.ACME_DIRECTORY_URL || 'https://acme-staging-v02.api.letsencrypt.org';
  1. The first time it runs, it seems to generate 'acme-account-file' twice (overwriting it the second time it runs, I guess)
s3://acme-certs.iontab.dev/node-acme-lambda/iontab.json does not exist.
Certificate with key iontab is missing, going to regenerate.
s3://acme-certs.iontab.dev/node-acme-lambda/iontab-dev.json does not exist.
Certificate with key iontab-dev is missing, going to regenerate.
s3://acme-account.iontab.dev/node-acme-lambda/acme-account-file.json does not exist.
Creating user config file since couldn't read s3://acme-account.iontab.dev/node-acme-lambda/acme-account-file.json
Creating new account with url https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
s3://acme-account.iontab.dev/node-acme-lambda/acme-account-file.json does not exist.
Creating user config file since couldn't read s3://acme-account.iontab.dev/node-acme-lambda/acme-account-file.json
Creating new account with url https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
  2. After generating the account file (I think it is done twice, from the logs), it creates the DNS challenges, creates the CSR for both certificates and then raises an exception:
Attempt 13 to resolve TXT record for iontab-dev.es
Attempt 14 to resolve TXT record for iontab.es
deprecation notice: new signature for signJws(keypair, header, protect, payload)
deprecation notice: new signature for signJws(keypair, header, protect, payload)
Creating CSR for ["*.iontab-dev.es","iontab-dev.es"]
Requesting certificate.
deprecation notice: new signature for signJws(keypair, header, protect, payload)
deprecation notice: new signature for signJws(keypair, header, protect, payload)
deprecation notice: new signature for signJws(keypair, header, protect, payload)
Creating CSR for ["*.iontab.es","iontab.es"]
Requesting certificate.
deprecation notice: new signature for signJws(keypair, header, protect, payload)
Results are [{"err":true,"msg":"Updating cert for iontab, received err Error: Bad Request, Error: Bad Request\n    at Request.callback (/home/calarcon/ionide/server/node-acme-lambda/node_modules/superagent/lib/node/index.js:696:15)\n    at parser (/home/calarcon/ionide/server/node-acme-lambda/node_modules/superagent/lib/node/index.js:906:18)\n    at IncomingMessage.res.on (/home/calarcon/ionide/server/node-acme-lambda/node_modules/superagent/lib/node/parsers/json.js:19:7)\n    at emitNone (events.js:111:20)\n    at IncomingMessage.emit (events.js:208:7)\n    at endReadableNT (_stream_readable.js:1064:12)\n    at _combinedTickCallback (internal/process/next_tick.js:138:11)\n    at process._tickDomainCallback (internal/process/next_tick.js:218:9)"},{"err":true,"msg":"Updating cert for iontab-dev, received err Error: Bad Request, Error: Bad Request\n    at Request.callback (/home/calarcon/ionide/server/node-acme-lambda/node_modules/superagent/lib/node/index.js:696:15)\n    at parser (/home/calarcon/ionide/server/node-acme-lambda/node_modules/superagent/lib/node/index.js:906:18)\n    at IncomingMessage.res.on (/home/calarcon/ionide/server/node-acme-lambda/node_modules/superagent/lib/node/parsers/json.js:19:7)\n    at emitNone (events.js:111:20)\n    at IncomingMessage.emit (events.js:208:7)\n    at endReadableNT (_stream_readable.js:1064:12)\n    at _combinedTickCallback (internal/process/next_tick.js:138:11)\n    at process._tickDomainCallback (internal/process/next_tick.js:218:9)"}]
  3. If I run npm run local-cert, it won't create the account info again (it was already created in the previous run) but will still fail after generating the CSR (it seems that it worked for one cert, the second, but failed for the first one)
Attempt 14 to resolve TXT record for iontab-dev.es
deprecation notice: new signature for signJws(keypair, header, protect, payload)
deprecation notice: new signature for signJws(keypair, header, protect, payload)
Creating CSR for ["*.iontab.es","iontab.es"]
Requesting certificate.
deprecation notice: new signature for signJws(keypair, header, protect, payload)
Attempt 15 to resolve TXT record for iontab-dev.es
Attempt 16 to resolve TXT record for iontab-dev.es
Attempt 17 to resolve TXT record for iontab-dev.es
Attempt 18 to resolve TXT record for iontab-dev.es
Attempt 19 to resolve TXT record for iontab-dev.es
Attempt 20 to resolve TXT record for iontab-dev.es
Attempt 21 to resolve TXT record for iontab-dev.es
Attempt 22 to resolve TXT record for iontab-dev.es
deprecation notice: new signature for signJws(keypair, header, protect, payload)
deprecation notice: new signature for signJws(keypair, header, protect, payload)
Creating CSR for ["*.iontab-dev.es","iontab-dev.es"]
Requesting certificate.
deprecation notice: new signature for signJws(keypair, header, protect, payload)
Results are [{"err":true,"msg":"Updating cert for iontab, received err Error: Bad Request, Error: Bad Request\n    at Request.callback (/home/calarcon/ionide/server/node-acme-lambda/node_modules/superagent/lib/node/index.js:696:15)\n    at parser (/home/calarcon/ionide/server/node-acme-lambda/node_modules/superagent/lib/node/index.js:906:18)\n    at IncomingMessage.res.on (/home/calarcon/ionide/server/node-acme-lambda/node_modules/superagent/lib/node/parsers/json.js:19:7)\n    at emitNone (events.js:111:20)\n    at IncomingMessage.emit (events.js:208:7)\n    at endReadableNT (_stream_readable.js:1064:12)\n    at _combinedTickCallback (internal/process/next_tick.js:138:11)\n    at process._tickDomainCallback (internal/process/next_tick.js:218:9)"},{"ETag":"\"3e4fcac0ac004bdba1a54be556fae9fd\""}]

Maybe it is because I already had a cert for the first domain (I deleted both S3 buckets before testing with 2 domains at once, which I do not know is the proper way of doing it; if not, I would be thankful for any indication about how to do it. I am working with staging v2 right now)

Any clue on what's going on?

Besides that, I would love the feature of leaving pem files in S3 bucket: #18.

Regards

draft-ietf-acme-acme-13: ACMEv2 and RFC 7231 Compliance

Hi,

I'm doing some small reading, and noticed that the client doesn't actually send a user-agent with (except for "superagent-version" which doesn't help LE or others) and did some quick (unverified) napkin code as a PoC which I will most likely forget to mention, so just to point it out there and put it in the open...

https://community.letsencrypt.org/t/acme-v2-draft-13-compliant-key-rollover/68953
https://tools.ietf.org/html/draft-ietf-acme-acme-13#section-7.3.6
https://tools.ietf.org/html/rfc7231#section-5.5.3
serveroffline#1

My thanks to Peter Waher for warning me about the key-rollover that triggered it...
