January 28, 2016 Marie H.

AWS client error (MalformedCertificate) Unable to parse certificate



Today I was installing our wildcard SSL certificate on a number of internal services in AWS and kept being haunted by the following error:

A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to parse certificate. Please ensure the certificate is in PEM format.

This was a brand new certificate, just issued by our CA, so I was at a loss as to why it wasn't working. It turns out that, unlike almost every other command-line tool in the Linux world, the AWS CLI does not treat a bare argument as a path to read: it sends the literal string you typed (here the file name __domain_com.crt-new) as the certificate body, and a file name is not PEM, hence the error. To have the CLI load a parameter's value from a file you must prefix the path with file:// (or fileb:// for binary content); the path is resolved relative to the current working directory.

What I was trying before

(venv)[mharris@mori ssl]$ aws iam upload-server-certificate \
--server-certificate-name wildcard-domain-com \
--certificate-body __domain_com.crt-new \
--private-key wildcard.domain.key \
--certificate-chain __domain_com.ca-bundle 

A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to parse certificate. Please ensure the certificate is in PEM format.

The right way to do it

(venv)[mharris@mori ssl]$ aws iam upload-server-certificate \
--server-certificate-name wildcard-domain-com \
--certificate-body file://__domain_com.crt \
--private-key file://wildcard.domain.key \
--certificate-chain file://__domain_com.ca-bundle 
{
    "ServerCertificateMetadata": {
        "Path": "/",
        "Arn": "arn:aws:iam::<acct_id_censor>:server-certificate/wildcard-domain-com",
        "Expiration": "2019-01-27T23:59:59Z",
        "ServerCertificateName": "wildcard-domain-com",
        "UploadDate": "2016-01-28T15:37:54.336Z",
        "ServerCertificateId": "<cid_censor>"
    }
}
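The post's wish for input validation can be granted locally: check that each file really is PEM before the CLI ever sees it, and only then build the upload command with the file:// prefix. The script below is an added example and is not from the original post; the file names in the usage comment are the ones the post shows, openssl is optional (used only if installed), and the aws command at the end is the same one the post runs.

```shell
#!/bin/sh
# Added example (not part of the original post). Validates the certificate,
# private key and chain as PEM before calling the AWS CLI, so a wrong path or
# a non-PEM file fails here with a clear message instead of surfacing as
# "MalformedCertificate ... Please ensure the certificate is in PEM format".
# Assumes POSIX sh with grep; openssl is optional.

# pem_check FILE LABEL
# Returns 0 when FILE is readable and framed by matching
# "-----BEGIN ...LABEL-----" / "-----END ...LABEL-----" lines, where LABEL is
# e.g. CERTIFICATE or "PRIVATE KEY" (the latter also accepts RSA/EC variants).
# Returns 1 with a diagnostic on stderr otherwise.
pem_check() {
    file=$1; label=$2
    if [ ! -r "$file" ]; then
        echo "pem_check: cannot read '$file'" >&2
        return 1
    fi
    if ! grep -q "^-----BEGIN .*${label}-----" "$file"; then
        echo "pem_check: '$file' has no 'BEGIN ${label}' header; not PEM?" >&2
        return 1
    fi
    if ! grep -q "^-----END .*${label}-----" "$file"; then
        echo "pem_check: '$file' has no 'END ${label}' footer; truncated?" >&2
        return 1
    fi
    return 0
}

# pem_parses FILE KIND   (KIND is x509 or pkey)
# If openssl is installed, make it actually parse the file; otherwise skip.
pem_parses() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl "$2" -noout -in "$1" >/dev/null 2>&1
}

# upload_server_certificate NAME CERT KEY CHAIN
# Runs the checks above, then uploads with the file:// prefix the AWS CLI
# needs to read a parameter from a file. Without the prefix the literal
# path string is sent as the certificate body, which is what the post hit.
upload_server_certificate() {
    name=$1; cert=$2; key=$3; chain=$4
    pem_check "$cert"  "CERTIFICATE" || return 1
    pem_check "$key"   "PRIVATE KEY" || return 1
    pem_check "$chain" "CERTIFICATE" || return 1
    pem_parses "$cert"  x509 || { echo "openssl cannot parse '$cert'" >&2;  return 1; }
    pem_parses "$key"   pkey || { echo "openssl cannot parse '$key'" >&2;   return 1; }
    pem_parses "$chain" x509 || { echo "openssl cannot parse '$chain'" >&2; return 1; }
    aws iam upload-server-certificate \
        --server-certificate-name "$name" \
        --certificate-body "file://$cert" \
        --private-key "file://$key" \
        --certificate-chain "file://$chain"
}

# Usage, with the file names from the post (paths are relative to the cwd):
#   sh upload.sh wildcard-domain-com __domain_com.crt wildcard.domain.key __domain_com.ca-bundle
if [ "$#" -eq 4 ]; then
    upload_server_certificate "$@"
fi
```

The header check is deliberately loose (it only looks for the BEGIN/END framing), so it catches the two mistakes that produce this error, a path passed where content was expected and a DER or otherwise non-PEM file, while openssl, when present, does the real parsing. The private key is read by the CLI and sent to IAM, so keep it at mode 0600 and pass it only through file://, never on the command line as a value.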

Hopefully this saves someone the 10 minutes of Googling it took me to find out what was wrong. If only the tool had validated its input and told the user what the problem actually was, rather than raising an error about an improperly formatted certificate. Well, I digress.