@matiaskorhonen
Created February 23, 2016 08:44
A short Ruby script to push a Let's Encrypt certificate to AWS Cloudfront (via IAM). Also configures the distribution to use the newly uploaded certificate.
#!/usr/bin/env ruby
require "date"    # Date.today.iso8601
require "aws-sdk" # Ruby AWS SDK '~> 2'

# Both clients use the SDK's default credentials and region configuration.
cloudfront = Aws::CloudFront::Client.new
iam = Aws::IAM::Client.new

distribution_id = "..." # Add your CloudFront distribution ID here
certificate_base_name = "..." # A prefix for the certificate name on CF
# The date suffix gives each upload a distinct name.
certificate_name = "#{certificate_base_name}_#{Date.today.iso8601}"

# Files written by the Let's Encrypt client for example.com
certificate_body = File.read("/etc/letsencrypt/live/example.com/cert.pem")
private_key = File.read("/etc/letsencrypt/live/example.com/privkey.pem")
certificate_chain = File.read("/etc/letsencrypt/live/example.com/chain.pem")

# Upload to IAM; the "/cloudfront/" path makes the certificate usable by CloudFront.
iam_resp = iam.upload_server_certificate({
  path: "/cloudfront/",
  server_certificate_name: certificate_name,
  certificate_body: certificate_body,
  private_key: private_key,
  certificate_chain: certificate_chain,
})

if iam_resp.successful?
  certificate_id = iam_resp.server_certificate_metadata.server_certificate_id

  # Fetch the current config together with its ETag, which update_distribution requires.
  cf_resp = cloudfront.get_distribution_config({
    id: distribution_id,
  })

  if cf_resp.successful?
    # Point the distribution at the new IAM certificate, served via SNI.
    cf_resp.distribution_config.viewer_certificate.certificate = certificate_id
    cf_resp.distribution_config.viewer_certificate.certificate_source = "iam"
    cf_resp.distribution_config.viewer_certificate.ssl_support_method = "sni-only"
    cf_resp.distribution_config.viewer_certificate.iam_certificate_id = certificate_id

    update_resp = cloudfront.update_distribution({
      id: distribution_id,
      distribution_config: cf_resp.distribution_config,
      if_match: cf_resp.etag
    })
  end
end
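
A pre-upload check for the three PEM files the script reads, so a stale or mismatched cert.pem, privkey.pem or chain.pem is caught before anything is sent to IAM. This is an added example, not part of the original gist; the names preflight_problems, pem_certs and sample_cert are hypothetical, and the certificates are constructed in memory as sample data.

```ruby
require "openssl"

# Split a PEM bundle such as chain.pem into certificate objects.
def pem_certs(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Returns a list of problems; an empty list means the three files are consistent.
def preflight_problems(cert_pem, key_pem, chain_pem, now: Time.now, min_days_left: 7)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  issuer = pem_certs(chain_pem).first
  problems = []
  problems << "private key does not match certificate" unless cert.check_private_key(key)
  problems << "certificate is not yet valid" if cert.not_before > now
  if cert.not_after < now + min_days_left * 86_400
    problems << "certificate expires within #{min_days_left} days"
  end
  if issuer.nil?
    problems << "chain contains no certificates"
  elsif issuer.subject.to_s != cert.issuer.to_s || !cert.verify(issuer.public_key)
    problems << "chain does not start with the certificate's issuer"
  end
  problems
end

# Constructed sample data: a throwaway certificate generated in memory.
def sample_cert(name, key, issuer_cert = nil, issuer_key = key, days: 90)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + days * 86_400
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

if __FILE__ == $PROGRAM_NAME
  ca_key, leaf_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = sample_cert("Constructed Test CA", ca_key)
  leaf = sample_cert("example.com", leaf_key, ca, ca_key)
  puts preflight_problems(leaf.to_pem, leaf_key.to_pem, ca.to_pem).inspect
  puts preflight_problems(leaf.to_pem, ca_key.to_pem, ca.to_pem).inspect
end
```

In the upload script, the same function can be called with certificate_body, private_key and certificate_chain, aborting before upload_server_certificate when the returned list is not empty.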