#place in /etc/letsencrypt/renewal-hooks/post

export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=XXX
#certs must be in us-east-1 to use with cloudfront
export AWS_DEFAULT_REGION=us-east-1

#run without --certificate-arn first time then specify arn for updates
aws acm import-certificate --certificate file:///etc/letsencrypt/live/site.com/cert.pem --private-key file:///etc/letsencrypt/live/site.com/privkey.pem --certificate-chain file:///etc/letsencrypt/live/site.com/chain.pem  --certificate-arn specifyarnforupdate