I received a renewal notice for an ACM certificate, so here is how I handled it.


An email arrived with the subject "Action Required – Your certificate renewal".

Here is the body of the email.

Greetings from Amazon Web Services,

You have an AWS Certificate Manager (ACM) SSL/TLS certificate in your AWS account that expires on May 28, 2019 at 12:00:00 UTC. That certificate includes the primary domain blog.star-flare.com and a total of 1 domains.

AWS account ID: 123456789012
AWS Region name: us-east-1
Certificate identifier: arn:aws:acm:us-east-1:123456789012:certificate/AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE

ACM was unable to automatically renew your certificate. The domain owner or someone authorized by the domain owner must take one of the following actions before May 28, 2019 at 12:00:00 UTC. If no action is taken, the certificate will expire, which might cause your website or application to become unreachable.

1. If you can write records into your DNS configuration, create and install DNS-validated certificates to replace all of your existing email-validated certificates. After you add a CNAME record to your DNS configuration, ACM can automatically renew your certificate as long as the record remains in place. You can learn more about DNS validation in the ACM User Guide.[1]

2. If you want to continue using email validation to renew this certificate, the domain owners must use the approval link that was sent in a separate validation request email. That email was last sent on Apr 13, 2019 at 12:38:10 UTC. The link in that email is valid for three days from the time the email was sent. If you did not use the link within three days, go to the ACM console to have AWS resend the validation email. For instructions, see the AWS Support website.[2]

If you have questions about this process, contact the AWS Support Center[3]. If you don’t have an AWS support plan, post a new thread in the AWS Certificate Manager discussion forum.[4]

[1] https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html
[2] https://aws.amazon.com/premiumsupport/knowledge-center/resend-email-ssl/.
[3] https://console.aws.amazon.com/support
[4] https://forums.aws.amazon.com/forum.jspa?forumID=206
Sincerely,
Amazon Web Services

Renewing the ACM certificate.

First, I issued a new certificate.

The old certificate used email validation, which involved the hassle of turning off the WHOIS privacy proxy, so I switched the new one to DNS validation. Much easier.

Next, I updated the CloudFront distribution with the AWS CLI.

Export the current distribution config to a file.

$ aws cloudfront --region us-east-1 get-distribution-config --id "AAAAAAAAAAAAAA" | jq '.DistributionConfig' > AAAAAAAAAAAAAA-us-east-1.conf

Edit the config file.

$ vscode ./AAAAAAAAAAAAAA-us-east-1.conf

Change ACMCertificateArn and Certificate to the ARN of the newly issued certificate. The ViewerCertificate section ended up like this:
  "ViewerCertificate": {
    "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/NEWAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1.1_2016",
    "Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/NEWAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
    "CertificateSource": "acm"
  },

Look up the ETag and keep it for the next step.

$ aws cloudfront --region us-east-1 get-distribution-config --id "AAAAAAAAAAAAAA" | jq '.ETag'

Update the distribution using that ETag.

EEEEEEEEEEEE below is the ETag retrieved above.

$ aws cloudfront --region us-east-1 update-distribution --id "AAAAAAAAAAAAAA" --distribution-config file://AAAAAAAAAAAAAA-us-east-1.conf --if-match EEEEEEEEEEEE
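The three CLI steps above (export the config, edit ViewerCertificate, write it back with --if-match) are easy to get wrong by hand: pointing only one of the two ARN fields at the new certificate, using a certificate from a region other than us-east-1 (CloudFront only accepts ACM certificates issued there), or reusing an ETag from an earlier read, which CloudFront rejects with a PreconditionFailed error. The following is an added example, not the AWS CLI, boto3, or code from this post: it edits a constructed DistributionConfig the way the post does, adds the checks I would want before pushing it, and uses a small stand-in client (an assumption, not the real service) so the ETag round trip can be exercised offline. All distribution ids, account ids and ARNs are placeholders.

```python
"""Added example: edit a CloudFront DistributionConfig's ViewerCertificate and replay the
get -> edit -> update-with-If-Match sequence against a stand-in client (not boto3)."""
import copy
import json
import re
import uuid

# Constructed sample of what `get-distribution-config | jq '.DistributionConfig'` writes.
# Ids and ARNs are placeholders, not real resources.
OLD_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
SAMPLE_CONFIG = {
    "CallerReference": "example-caller-reference",
    "Aliases": {"Quantity": 1, "Items": ["blog.example.com"]},
    "Enabled": True,
    "ViewerCertificate": {
        "ACMCertificateArn": OLD_ARN,
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.1_2016",
        "Certificate": OLD_ARN,
        "CertificateSource": "acm",
    },
}

# ACM certificate ARN: region, 12-digit account id, UUID-shaped certificate id.
ACM_ARN_RE = re.compile(
    r"^arn:aws:acm:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):certificate/[0-9a-fA-F-]{36}$"
)


def set_viewer_certificate(config, new_arn):
    """Return a copy of `config` whose ViewerCertificate points at `new_arn`."""
    m = ACM_ARN_RE.match(new_arn)
    if not m:
        raise ValueError(f"not an ACM certificate ARN: {new_arn}")
    # CloudFront only accepts ACM certificates that live in us-east-1.
    if m.group("region") != "us-east-1":
        raise ValueError(f"CloudFront needs an ACM certificate in us-east-1, got {m.group('region')}")
    new = copy.deepcopy(config)  # never mutate the exported config in place
    vc = new["ViewerCertificate"]
    # The CLI output carries the ARN in both fields; keep them consistent.
    vc["ACMCertificateArn"] = new_arn
    vc["Certificate"] = new_arn
    vc["CertificateSource"] = "acm"
    vc["CloudFrontDefaultCertificate"] = False  # a custom cert and the default cert are exclusive
    vc.setdefault("SSLSupportMethod", "sni-only")  # required once a custom certificate is set
    return new


def review_tls_settings(config):
    """Warnings worth reading before pushing the config; does not modify it."""
    vc = config["ViewerCertificate"]
    warnings = []
    minimum = vc.get("MinimumProtocolVersion", "")
    if not minimum.startswith("TLSv1.2"):
        warnings.append(f"MinimumProtocolVersion {minimum!r} still admits pre-TLS 1.2 clients")
    if vc.get("ACMCertificateArn") != vc.get("Certificate"):
        warnings.append("ACMCertificateArn and Certificate disagree")
    return warnings


class PreconditionFailed(Exception):
    """Stand-in for the error CloudFront returns when If-Match does not equal the current ETag."""


class FakeCloudFront:
    """Minimal offline stand-in (assumption, not the real API) for the two CLI calls used in the post."""

    def __init__(self, dist_id, config):
        self._dists = {dist_id: (copy.deepcopy(config), self._new_etag())}

    @staticmethod
    def _new_etag():
        return "E" + uuid.uuid4().hex[:13].upper()  # CloudFront ETags are opaque; shape is illustrative

    def get_distribution_config(self, dist_id):
        cfg, etag = self._dists[dist_id]
        return {"DistributionConfig": copy.deepcopy(cfg), "ETag": etag}

    def update_distribution(self, dist_id, config, if_match):
        _, etag = self._dists[dist_id]
        if if_match != etag:  # optimistic locking: stale reads must not overwrite newer changes
            raise PreconditionFailed("ETag mismatch: distribution changed since it was read")
        new_etag = self._new_etag()
        self._dists[dist_id] = (copy.deepcopy(config), new_etag)
        return {"ETag": new_etag}


def rotate_certificate(client, dist_id, new_arn):
    """The post's procedure as one function: read config and ETag, edit, write back with If-Match."""
    resp = client.get_distribution_config(dist_id)
    updated = set_viewer_certificate(resp["DistributionConfig"], new_arn)
    out = client.update_distribution(dist_id, updated, if_match=resp["ETag"])
    return updated, out["ETag"]


if __name__ == "__main__":
    new_arn = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
    client = FakeCloudFront("EXAMPLEDISTID", SAMPLE_CONFIG)
    cfg, etag = rotate_certificate(client, "EXAMPLEDISTID", new_arn)
    print(json.dumps(cfg["ViewerCertificate"], indent=2), "\nnew ETag:", etag)
    for w in review_tls_settings(cfg):
        print("warning:", w)
```

The stand-in client only models the one behaviour that matters for this procedure: every successful update changes the ETag, so the value fed to --if-match must come from the most recent get-distribution-config. The TLS warning is a review aid only; the post's config keeps TLSv1.1_2016 as written.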

That's it.

I plan to delete the old certificate after a while.

Summary

Make sure you follow through on notifications from AWS.