ã¯ã˜ã‚ã¾ã—ã¦ã€Kaizen Platform SRE ã® @tkuchiki ã§ã™ã€‚

æœ¬è¨˜äº‹ã§ã¯ AWS ä¸Šã§åˆ©ç”¨ã—ã¦ã„ã‚‹ SSL/TLS è¨¼æ˜Žæ›¸(ä»¥ä¸‹ã€è¨¼æ˜Žæ›¸)ã‚’ä¸€æ‹¬ç®¡ç†ã™ã‚‹ãƒ„ãƒ¼ãƒ«ã‚’ä½œæˆã—ãŸã®ã§ç´¹ä»‹ã„ãŸã—ã¾ã™ã€‚

TL;DR

aws-cert-utils ã‚’ä½œæˆã—ã¦ AWS ä¸Šã§åˆ©ç”¨ã—ã¦ã„ã‚‹è¨¼æ˜Žæ›¸ã‚’ä¸€æ‹¬ç®¡ç†ã§ãã‚‹ã‚ˆã†ã«ã—ãŸ
è¨¼æ˜Žæ›¸ã®ä¸€è¦§è¡¨ç¤ºã€è¨¼æ˜Žæ›¸ã‚’åˆ©ç”¨ã—ã¦ã„ã‚‹ ALB / CLB / CloudFront ã®ä¸€è¦§è¡¨ç¤ºã‚‚å¯èƒ½
aws-cert-utilsã‚’åˆ©ç”¨ã—è¨¼æ˜Žæ›¸ã‚’ç®¡ç†ã™ã‚‹ã“ã¨ã§ã€æ›´æ–°ãƒ»ç¢ºèªä½œæ¥ã«ãŠã„ã¦ãƒŸã‚¹ãŒç™ºç”Ÿã—ã«ãããªã£ãŸ

èƒŒæ™¯

ä»Šã¾ã§ã®å•é¡Œç‚¹

CLB / ALB / CloudFront ã®è¨¼æ˜Žæ›¸æ›´æ–°æ™‚ã« aws cli iam ã§ã‚¢ãƒƒãƒ—ãƒãƒ¼ãƒ‰ã—ãŸè¨¼æ˜Žæ›¸ã‚’ Management Console ã‹ã‚‰ä¸€ã¤ã²ã¨ã¤åˆ‡ã‚Šæ›¿ãˆã¦ã„ãŸ
- æ›´æ–°å¯¾è±¡ãŒå¤šã„ã®ã§ä½œæ¥ã«æ™‚é–“ãŒã‹ã‹ã‚‹
- ç¢ºèªä½œæ¥ã‚‚å¤§å¤‰

ãã“ã§ã€æ›´æ–°ã€ç¢ºèªä½œæ¥ã‚’ cli ã§å®Œçµã—ã€ã‹ã¤ç°¡å˜ã«ã™ã‚‹ãŸã‚ã«ä½œã£ãŸã®ãŒ aws-cert-utils ã§ã™ã€‚

aws-cert-utils ã®ä½¿ã„æ–¹

ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«

Go è£½ãªã®ã§ https://github.com/tkuchiki/aws-cert-utils/releases ã‹ã‚‰ zip ãƒ•ã‚¡ã‚¤ãƒ«ã‚’ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã—ã¦è§£å‡ã™ã‚Œã°ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«å®Œäº†ã§ã™ã€‚

ä½¿ã„æ–¹

aws-cert-utils ã«ã¯ iamã€acmã€albã€elbã€cloudfront ã¨ã„ã† 5ã¤ã®ã‚³ãƒžãƒ³ãƒ‰ã¨ã€ãã‚Œãžã‚ŒãŒã‚µãƒ–ã‚³ãƒžãƒ³ãƒ‰ã‚’æŒã£ã¦ã„ã¾ã™ã€‚ iamã€acm ãŒè¨¼æ˜Žæ›¸è‡ªä½“ã®ç®¡ç†ã€albã€elbã€cloudfront ãŒãã‚Œãžã‚Œã®ãƒªã‚½ãƒ¼ã‚¹ã‚’ç®¡ç†ã™ã‚‹ãŸã‚ã®ã‚³ãƒžãƒ³ãƒ‰ã§ã™ã€‚

ä»¥é™ã§ã¯ã€ãã‚Œãžã‚Œã®ä½¿ã„æ–¹ã‚’èª¬æ˜Žã„ãŸã—ã¾ã™ã€‚

IAM

å¼Šç¤¾ã¯ ACM ãƒªãƒªãƒ¼ã‚¹å‰ã‹ã‚‰ã®åæ®‹ã§ä¸€éƒ¨ IAM ã§è¨¼æ˜Žæ›¸ã‚’ç®¡ç†ã—ã¦ã„ã¾ã—ãŸãŒã€ ã“ã®ãƒ„ãƒ¼ãƒ«ã§è¨¼æ˜Žæ›¸ã‚’å…¥ã‚Œæ›¿ãˆã‚‹éš›ã«ç®¡ç†ã‚’ ACM ã«åˆ‡ã‚Šæ›¿ãˆã¾ã—ãŸã€‚ ACM ã¯ã€ACM ã§ç™ºè¡Œã—ãŸè¨¼æ˜Žæ›¸ã‚’åˆ©ç”¨ã™ã‚‹å ´åˆã ã‘ã§ãªãã€ç‹¬è‡ªè¨¼æ˜Žæ›¸ã‚’ã‚¤ãƒ³ãƒãƒ¼ãƒˆã—ã¦ä½¿ã†ã“ã¨ã‚‚ã§ãã¾ã™ã€‚ ç‹¬è‡ªè¨¼æ˜Žæ›¸ã‚’ä½¿ã£ã¦ã„ã‚‹å ´åˆã§ã‚‚ ACM ã§ç®¡ç†ã—ãŸã»ã†ãŒã€

Management Console ã‹ã‚‰æ“ä½œ(ä¸€è¦§ã€ã‚¤ãƒ³ãƒãƒ¼ãƒˆã€æ›´æ–°ã€å‰Šé™¤)ã§ãã‚‹
- IAM ã¯ API ã§ã—ã‹æ“ä½œ(ä¸€è¦§ã€ä½œæˆã€æ›´æ–°ã€å‰Šé™¤)ãŒã§ããªã„
API ã¾ãŸã¯ Management Console ã‹ã‚‰
- ãã®è¨¼æ˜Žæ›¸ãŒä½¿ã‚ã‚Œã¦ã„ã‚‹ã‹ç¢ºèªã§ãã‚‹
- è¨¼æ˜Žæ›¸ã®æœŸé™ã‚’ç¢ºèªã§ãã‚‹

ã¨ã„ã†ãƒ¡ãƒªãƒƒãƒˆãŒã‚ã‚Šã¾ã™ã€‚ ãã®ãŸã‚ã€ç¾åœ¨ IAM ã‚’ä½¿ã£ã¦ã„ã‚‹å ´åˆã§ã‚‚è¨¼æ˜Žæ›¸æ›´æ–°æ™‚ã« ACM ã§ã®ç®¡ç†ã«åˆ‡ã‚Šæ›¿ãˆã‚‹ã®ãŒãŠã™ã™ã‚ã§ã™(ã‚‚ã¡ã‚ã‚“ã€è¦ä»¶ã‚’æº€ãŸã›ã‚‹å ´åˆã¯ ACM ãŒç™ºè¡Œã—ãŸè¨¼æ˜Žæ›¸ã«åˆ‡ã‚Šæ›¿ãˆã‚‹ã®ã‚‚ã‚ˆã„ã§ã—ã‚‡ã†)ã€‚ ã¨ã„ã†ã“ã¨ã§ã€./aws-cert-utils iam (upload|update) ã®ä½¿ã„æ–¹ã¯çœç•¥ã—ã¾ã™ã€‚

ä¸€è¦§

./aws-cert-utils iam list ã§ IAM ã®è¨¼æ˜Žæ›¸ã‚’ä¸€è¦§ã§ãã¾ã™ã€‚ --path-prefix=/cloudfront/ ã®ã‚ˆã†ã«æŒ‡å®šã™ã‚‹ã“ã¨ã§ã€CloudFront ç”¨ã®è¨¼æ˜Žæ›¸ã ã‘è¡¨ç¤ºã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ã€‚

$ ./aws-cert-utils iam list
+------------------------------+-----------------------+--------------------------------+-------------------------------------------------------------------------------------+
|             NAME             |          ID           |              PATH              |                                         ARN                                         |
+------------------------------+-----------------------+--------------------------------+-------------------------------------------------------------------------------------+
| test-certificate             | XXXXXXXXXXXXXXXXXXXXX | /                              | arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| test-cloudfront-certificate  | YYYYYYYYYYYYYYYYYYYYY | /cloudfront/                   | arn:aws:iam::xxxxxxxxxxxx:server-certificate/cloudfront/yyyyyyyyyyyyyyyyyyyyyyyyyyy |
+------------------------------+-----------------------+--------------------------------+-------------------------------------------------------------------------------------+

å‰Šé™¤

./aws-cert-utils iam delete ã§ IAM ã®è¨¼æ˜Žæ›¸ã‚’å‰Šé™¤ã§ãã¾ã™ã€‚ ä»¥ä¸‹ã®ä¾‹ã ã¨ã‚ã‹ã‚Šã«ãã„ã§ã™ãŒã€https://gopkg.in/AlecAivazis/survey.v1 ã¨ã„ã†ãƒ©ã‚¤ãƒ–ãƒ©ãƒªã‚’ä½¿ã£ã¦ãŠã‚Šã€ä¸€è¦§ã‹ã‚‰å¯¾è±¡ã‚’é¸ã‚“ã§å‰Šé™¤ã™ã‚‹ã“ã¨ãŒã§ãã¾ã™(AlecAivazis ã•ã‚“ã€ã‚ã‚ŠãŒã¨ã†ã”ã–ã„ã¾ã™)ã€‚ https://github.com/AlecAivazis/survey#select ã« GIF ã‚¢ãƒ‹ãƒ¡ãŒã‚ã‚‹ã®ã§ãœã²å‹•ä½œä¾‹ã‚’ç¢ºèªã—ã¦ã¿ã¦ãã ã•ã„(ã‚¯ãƒ¼ãƒ«ãªè¦‹ãŸç›®ã§ã™)ã€‚

$ ./aws-cert-utils iam delete
? Choose the server certificate you want to delete :  test-certificate
Deleted test-certificate

--name ã« server certificate name ã‚’æŒ‡å®šã—ã¦å‰Šé™¤ã™ã‚‹ã“ã¨ã‚‚ã§ãã¾ã™ã€‚

$ ./aws-cert-utils iam delete --name=test-certificate
Deleted test-certificate

ACM

ã‚¤ãƒ³ãƒãƒ¼ãƒˆ

./aws-cert-utils acm import ã§ ACM ã«è¨¼æ˜Žæ›¸ã‚’ã‚¤ãƒ³ãƒãƒ¼ãƒˆã§ãã¾ã™ã€‚ --cert-path ãŒè¨¼æ˜Žæ›¸ãƒ•ã‚¡ã‚¤ãƒ«ãƒ‘ã‚¹ã€--pkey-path ãŒç§˜å¯†éµãƒ•ã‚¡ã‚¤ãƒ«ãƒ‘ã‚¹ã€--chain-path ãŒä¸é–“è¨¼æ˜Žæ›¸ãƒ•ã‚¡ã‚¤ãƒ«ãƒ‘ã‚¹ã§ã™ã€‚

$ ./aws-cert-utils acm import --cert-path cert.pem --pkey-path key.pem --chain-path ca.pem
Imported arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz

ACM ã¯åŸ·ç†æ™‚ç‚¹ã§ç§˜å¯†éµã®é•·ã•ãŒ 1024 bit ~ 2048 bit ã§ãªãã¦ã¯ãªã‚‰ãªã„ãŸã‚ã€ãã‚Œä»¥ä¸Šã®é•·ã•ã®éµã‚’æŒ‡å®šã™ã‚‹ã¨ã‚¨ãƒ©ãƒ¼ãŒã§ã¾ã™ã€‚

$ ./aws-cert-utils acm import --cert-path 4096cert.pem --pkey-path 4096key.pem
2017/11/30 17:58:03 Invalid private key length (4096 bit). AWS supports 1024 and 2048 bit RSA private key

æœ¬ãƒ„ãƒ¼ãƒ«é–‹ç™ºæ™‚ IAM ã«ã‚‚åŒæ§˜ã®åˆ¶é™ãŒã‚ã‚Šã¾ã—ãŸãŒã€ä½•æ•…ã‹ã‚¢ãƒƒãƒ—ãƒãƒ¼ãƒ‰æ™‚ã«ã¯ã‚¨ãƒ©ãƒ¼ãŒå‡ºãšã€è¨¼æ˜Žæ›¸ã‚’ã‚¢ã‚¿ãƒƒãƒã—ã‚ˆã†ã¨ã—ãŸã¨ãã«ã‚¨ãƒ©ãƒ¼ãŒå‡ºã‚‹ã¨ã„ã†å•é¡ŒãŒç™ºç”Ÿã—ãŸã®ã§ã€ aws-cert-utils iam upload ã«ã‚‚åŒæ§˜ã®éµé•·ã‚’ãƒã‚§ãƒƒã‚¯ã™ã‚‹å‡¦ç†ã‚’å®Ÿè£…ã—ã¦ã„ã¾ã™ã€‚

ä¸€è¦§

./aws-cert-utils acm list ã§ ACM ã®è¨¼æ˜Žæ›¸ã‚’ä¸€è¦§ã§ãã¾ã™ã€‚ å‰è¿°ã—ãŸã€ä½¿ã‚ã‚Œã¦ã„ã‚‹ã‹ã©ã†ã‹ã¯ IN USE? ã®åˆ—ã‚’è¦‹ã‚‹ã¨ã‚ã‹ã‚Šã¾ã™ã€‚

$ ./aws-cert-utils acm list
+------------------------+-----------------+-----------------+---------+-------------------------------+-------------------------------------------------------------------------------------+
|        NAME TAG        |   DOMAIN NAME   | ADDITIONAL NAME | IN USE? |           NOT AFTER           |                                   CERTIFICATE ARN                                   |
+------------------------+-----------------+-----------------+---------+-------------------------------+-------------------------------------------------------------------------------------+
|                        | *.example.com   | example.com     | Yes     | 2019-11-14 02:44:43 +0000 UTC | arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
+------------------------+                 +                 +         +                               +-------------------------------------------------------------------------------------+
| example.com            |                 |                 |         |                               | arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy |
+------------------------+-----------------+-----------------+---------+-------------------------------+-------------------------------------------------------------------------------------+

å‰Šé™¤

aws-cert-utils acm delete ã§ ACM ã®è¨¼æ˜Žæ›¸ã‚’å‰Šé™¤ã§ãã¾ã™ã€‚ aws-cert-utils iam delete ã¨åŒæ§˜ã«é¸æŠžå¼ã®å‰Šé™¤ã¨ã€--arn ã§ ARN ã‚’æŒ‡å®šã™ã‚‹å‰Šé™¤ã®2ã¤ã®æ–¹æ³•ãŒã‚ã‚Šã¾ã™ã€‚

ALB

ä¸€è¦§

./aws-cert-utils alb list ã§ ALB ã‚’ä¸€è¦§ã§ãã¾ã™ã€‚ --cert ã« IAM/ACM ã®è¨¼æ˜Žæ›¸ã® ARN ã‚’æŒ‡å®šã™ã‚‹ã“ã¨ã§ã€ç‰¹å®šã®è¨¼æ˜Žæ›¸ã‚’åˆ©ç”¨ã—ã¦ã„ã‚‹ ALB ã ã‘ä¸€è¦§ã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ã€‚

$ ./aws-cert-utils alb list
+-----------+------+-------------------------------------------------------------------------------------+
|   NAME    | PORT |                              LISTENER SSL CERTIFICATE                               |
+-----------+------+-------------------------------------------------------------------------------------+
| test-alb  |  443 | arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
+-----------+------+-------------------------------------------------------------------------------------+
| test2-alb |  443 | arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
+-----------+------+-------------------------------------------------------------------------------------+

è¨¼æ˜Žæ›¸ä¸€æ‹¬æ›´æ–°

./aws-cert-utils alb bulk-update ã§ ALB ã®ãƒªã‚¹ãƒŠãƒ¼ã§åˆ©ç”¨ã™ã‚‹è¨¼æ˜Žæ›¸ã‚’æ›´æ–°ã§ãã¾ã™ã€‚ --source-cert-arn ãŒæ›´æ–°å‰ã®è¨¼æ˜Žæ›¸(ç¾åœ¨åˆ©ç”¨ã—ã¦ã„ã‚‹è¨¼æ˜Žæ›¸)ã® ARN ã§ã€--dest-cert-arn ãŒæ›´æ–°ã™ã‚‹è¨¼æ˜Žæ›¸ã® ARN ã§ã™ã€‚ --source-cert-arn ã§æŒ‡å®šã—ãŸè¨¼æ˜Žæ›¸ã‹ã‚‰ --dest-cert-arn ã§æŒ‡å®šã—ãŸè¨¼æ˜Žæ›¸ã«åˆ‡ã‚Šæ›¿ã‚ã‚‹ã¨ã„ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚

è¨¼æ˜Žæ›¸ã®å…¥ã‚Œæ›¿ãˆã¯ã€æ°—è»½ã«è¡Œã†ã®ãŒå°‘ã—æ€–ã„ä½œæ¥ã ã¨æ€ã„ã¾ã™ã€‚ ãã“ã§ã€æ˜Žç¤ºçš„ã« --no-dry-run ã‚’æŒ‡å®šã—ãªã„ã¨å®Ÿè¡Œã•ã‚Œãªã„ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚

$ ./aws-cert-utils alb bulk-update --source-cert-arn arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --dest-cert-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# Dry run mode

Updated test-alb:443 arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -> arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Updated test2-alb:443 arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -> arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

--no-dry-run ã‚’ã¤ã‘ã‚‹ã¨ã€ä»¥ä¸‹ã®ã‚ˆã†ã«æ›´æ–°ã§ãã¾ã™ã€‚

$ ./aws-cert-utils alb bulk-update --source-cert-arn arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --dest-cert-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --no-dry-run
Updated test-alb:443 arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -> arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Updated test2-alb:443 arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -> arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

$ ./aws-cert-utils alb list
+-----------+------+-------------------------------------------------------------------------------------+
|   NAME    | PORT |                              LISTENER SSL CERTIFICATE                               |
+-----------+------+-------------------------------------------------------------------------------------+
| test-alb  |  443 | arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
+-----------+------+-------------------------------------------------------------------------------------+
| test2-alb |  443 | arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
+-----------+------+-------------------------------------------------------------------------------------+

ALB ã ã‘ã§ãªãã€CLBã€CloudFront ã‚‚ --no-dry-run ã‚’æŒ‡å®šã—ãªã„ã¨æ›´æ–°ã•ã‚Œãªã„ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚ ä¸€ã¤ãšã¤å‡¦ç†ã—ãŸã„å ´åˆã¯ ./aws-cert-utils alb update ã‚’ä½¿ãˆã° OK ã§ã™ã€‚

CLB

ä¸€è¦§

./aws-cert-utils elb list ã§ CLB ã‚’ä¸€è¦§ã§ãã¾ã™ã€‚ --cert ã« IAM ã‹ ACM ã® ARN ã‚’æŒ‡å®šã™ã‚‹ã“ã¨ã§ã€ç‰¹å®šã®è¨¼æ˜Žæ›¸ã‚’åˆ©ç”¨ã—ã¦ã„ã‚‹ CLB ã ã‘ä¸€è¦§ã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ã€‚

$ ./aws-cert-utils elb list
+-----------+------+-------------------------------------------------------------------------------------+
|   NAME    | PORT |                              LISTENER SSL CERTIFICATE                               |
+-----------+------+-------------------------------------------------------------------------------------+
| test-elb  |  443 | arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
+-----------+------+-------------------------------------------------------------------------------------+
| test2-elb |  443 | arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
+-----------+------+-------------------------------------------------------------------------------------+

è¨¼æ˜Žæ›¸ä¸€æ‹¬æ›´æ–°

./aws-cert-utils elb bulk-update ã§ CLB ã®ãƒªã‚¹ãƒŠãƒ¼ã§åˆ©ç”¨ã™ã‚‹è¨¼æ˜Žæ›¸ã‚’æ›´æ–°ã§ãã¾ã™ã€‚ --source-cert-arnã€--dest-cert-arnã¯ ./aws-cert-utils elb bulk-update ã¨åŒæ§˜ã§ã™ã€‚

$ ./aws-cert-utils elb bulk-update --source-cert-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --dest-cert-arn arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Dry run mode

Updated test-elb:443 arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -> arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Updated test2-elb:443 arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -> arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

$ ./aws-cert-utils elb bulk-update --source-cert-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --dest-cert-arn arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --no-dry-run
Updated test-elb:443 arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -> arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Updated test2-elb:443 arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -> arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

$ ./aws-cert-utils elb list
+-----------+------+-------------------------------------------------------------------------------------+
|   NAME    | PORT |                              LISTENER SSL CERTIFICATE                               |
+-----------+------+-------------------------------------------------------------------------------------+
| test-elb  |  443 | arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
+-----------+------+-------------------------------------------------------------------------------------+
| test2-elb |  443 | arn:aws:iam::xxxxxxxxxxxx:server-certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
+-----------+------+-------------------------------------------------------------------------------------+

CloudFront

ä¸€è¦§

./aws-cert-utils cloudfront list ã§ CloudFront ã® Distribution ã‚’ä¸€è¦§ã§ãã¾ã™ã€‚ --cert ã« IAM ã® Certificate ID ã‹ ACM ã® ARN ã‚’æŒ‡å®šã™ã‚‹ã“ã¨ã§ã€ç‰¹å®šã®è¨¼æ˜Žæ›¸ã‚’åˆ©ç”¨ã—ã¦ã„ã‚‹ Distribution ã ã‘ä¸€è¦§ã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ã€‚ ã¾ãŸã€--aliases ã«ãƒ‰ãƒ¡ã‚¤ãƒ³ã‚’æŒ‡å®šã™ã‚‹ã“ã¨ã§ã€ç‰¹å®šã® Aliases ã‚’æŒã¤ Distribution ã ã‘ä¸€è¦§ã§ãã¾ã™(ãŸã ã—ã€æ¤œç´¢æ¡ä»¶ã¨ã—ã¦è¤‡æ•°ãƒ‰ãƒ¡ã‚¤ãƒ³ã‚’æŒ‡å®šã™ã‚‹ã“ã¨ã¯ã§ãã¾ã›ã‚“)ã€‚

$ ./aws-cert-utils cloudfront list
+-----------------+------------------------------+-----------------------------------------------------------------+
| DISTRIBUTION ID |           ALIASES            |                         SSL CERTIFICATE                         |
+-----------------+------------------------------+-----------------------------------------------------------------+
| 11111111111111  | iam.example.com              | XXXXXXXXXXXXXXXXXXXXX | test-cert-name                          |
+-----------------+------------------------------+-----------------------------------------------------------------+
| 22222222222222  | iam2.example.com             | XXXXXXXXXXXXXXXXXXXXX | test-cert-name                          |
+-----------------+------------------------------+-----------------------------------------------------------------+

è¨¼æ˜Žæ›¸ä¸€æ‹¬æ›´æ–°

./aws-cert-utils cloudfront bulk-update ã§ Distribution ãŒåˆ©ç”¨ã™ã‚‹è¨¼æ˜Žæ›¸ã‚’æ›´æ–°ã§ãã¾ã™ã€‚ ç¾åœ¨åˆ©ç”¨ã—ã¦ã„ã‚‹è¨¼æ˜Žæ›¸ãŒ IAM ã®å ´åˆã¯ --source-iam-id ã§ Certification ID ã‚’ã€ACM ã®å ´åˆã¯ --source-acm-arn ã§ ACM ã® ARN ã‚’æŒ‡å®šã—ã¾ã™ã€‚ å¤‰æ›´ã™ã‚‹è¨¼æ˜Žæ›¸ãŒ IAM ã®å ´åˆã¯ --dest-iam-id ã« Certification ID ã‚’ã€ACM ã®å ´åˆã¯ --dest-acm-arn ã« ACM ã® ARN ã‚’æŒ‡å®šã—ã¾ã™ã€‚

$ ./aws-cert-utils cloudfront bulk-update --source-iam-id XXXXXXXXXXXXXXXXXXXXX --dest-acm-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# Dry run mode

Updated 11111111111111 iam.example.com XXXXXXXXXXXXXXXXXXXXX -> arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Updated 22222222222222 iam2.example.com XXXXXXXXXXXXXXXXXXXXX -> arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

$ ./aws-cert-utils cloudfront bulk-update --source-iam-id XXXXXXXXXXXXXXXXXXXXX --dest-acm-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --no-dry-run
Updated 11111111111111 iam.example.com XXXXXXXXXXXXXXXXXXXXX -> arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Updated 22222222222222 iam2.example.com XXXXXXXXXXXXXXXXXXXXX -> arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

$ ./aws-cert-utils cloudfront list
+-----------------+------------------------------+-------------------------------------------------------------------------------------+
| DISTRIBUTION ID |           ALIASES            |                                   SSL CERTIFICATE                                   |
+-----------------+------------------------------+-------------------------------------------------------------------------------------+
| 11111111111111  | iam.example.com              | arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
+-----------------+------------------------------+-------------------------------------------------------------------------------------+
| 22222222222222  | iam2.example.com             | arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
+-----------------+------------------------------+-------------------------------------------------------------------------------------+

ã¾ã¨ã‚

ALB / CLB / CloudFront ã§åˆ©ç”¨ã—ã¦ã„ã‚‹è¨¼æ˜Žæ›¸ã‚’ä¸€æ‹¬ã§æ›´æ–°ã™ã‚‹ aws-cert-utils ã®ç´¹ä»‹ã§ã—ãŸã€‚ ç¾åœ¨ã€å¼Šç¤¾ã§ã¯ ACM ã‹ã‚‰ç™ºè¡Œã—ãŸè¨¼æ˜Žæ›¸ã‚’åˆ©ç”¨ã—ã¦ã„ãªã„é–¢ä¿‚ã§æœ¬ãƒ„ãƒ¼ãƒ«ã‹ã‚‰ ACM è¨¼æ˜Žæ›¸ã®ãƒªã‚¯ã‚¨ã‚¹ãƒˆã‚’é€ã‚‹å‡¦ç†ã‚’å®Ÿè£…ã—ã¦ã„ã¾ã›ã‚“ãŒã€å®Ÿè£…ã—ãŸã„æ°—æŒã¡ã¯ã‚ã‚Šã¾ã™(Issue or Pull Request ãŠå¾…ã¡ã—ã¦ã„ã¾ã™)ã€‚

Kaizen Platform é–‹ç™ºè€…ãƒ–ãƒã‚°

AWS ä¸Šã§åˆ©ç”¨ã—ã¦ã„ã‚‹ SSL/TLS è¨¼æ˜Žæ›¸ã‚’ä¸€æ‹¬ç®¡ç†ã™ã‚‹ãƒ„ãƒ¼ãƒ« aws-cert-utils ã‚’ä½œã£ãŸè©±

TL;DR

èƒŒæ™¯

ä»Šã¾ã§ã®å•é¡Œç‚¹

aws-cert-utils ã®ä½¿ã„æ–¹

ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«

ä½¿ã„æ–¹

IAM

ä¸€è¦§

å‰Šé™¤

ACM

ã‚¤ãƒ³ãƒãƒ¼ãƒˆ

ä¸€è¦§

å‰Šé™¤

ALB

ä¸€è¦§

è¨¼æ˜Žæ›¸ä¸€æ‹¬æ›´æ–°

CLB

ä¸€è¦§

è¨¼æ˜Žæ›¸ä¸€æ‹¬æ›´æ–°

CloudFront

ä¸€è¦§

è¨¼æ˜Žæ›¸ä¸€æ‹¬æ›´æ–°

ã¾ã¨ã‚

TL;DR

èƒŒæ™¯

ä»Šã¾ã§ã®å•é¡Œç‚¹

aws-cert-utils ã®ä½¿ã„æ–¹

ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«

ä½¿ã„æ–¹

IAM

ä¸€è¦§

å‰Šé™¤

ACM

ã‚¤ãƒ³ãƒãƒ¼ãƒˆ

ä¸€è¦§

å‰Šé™¤

ALB

ä¸€è¦§

è¨¼æ˜Žæ›¸ä¸€æ‹¬æ›´æ–°

CLB

ä¸€è¦§

è¨¼æ˜Žæ›¸ä¸€æ‹¬æ›´æ–°

CloudFront

ä¸€è¦§

è¨¼æ˜Žæ›¸ä¸€æ‹¬æ›´æ–°

ã¾ã¨ã‚

ä»Šã¾ã§ã®å•é¡Œç‚¹

aws-cert-utils ã®ä½¿ã„æ–¹

ä½¿ã„æ–¹

ã‚¤ãƒ³ãƒãƒ¼ãƒˆ

ã¾ã¨ã‚