Generate CA-signed certificate using LetsEncrypt and Certbot

Daniel Tse
2 min read · Aug 7, 2020

When developing web sites, we always face "connection not secure" warnings in the client browser. The usual reasons are that the connection is not over HTTPS, or that the certificate used for the HTTPS channel was not issued by a CA the browser trusts.

In a development environment, we may use a self-signed CA to generate SSL certificates and simulate mutual authentication between our backends. This article focuses on production environments, where a certificate from a valid, publicly trusted CA is required to prevent the browser complaint.

The best practice is to generate the private key and certificate on a computer different from your application nodes. You may consider using your laptop for test purposes. However, to make the steps more flexible and applicable to more readers of this article, I am going to start a new AWS EC2 instance to get the job done.

I will skip the steps to create an EC2 instance here, but you can read my previous articles on how to do that.

The AMI used is Ubuntu 20.04 with the t2.micro instance type. Once the instance is up and you are able to ssh into the server, follow the steps below.

According to the official documentation, we have to run the following commands first to enable the Ubuntu universe repository.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo apt-get update

Then install Certbot:

sudo apt-get install certbot

Now we can run Certbot to get the certificates with the settings below. Notice that we use the manual plugin together with the dns option for --preferred-challenges, so we can obtain the certificate and validate the domain (here a wildcard) without running any web server.

sudo certbot certonly \
--manual \
--preferred-challenges=dns \
--email yourname@gmail.com \
--agree-tos \
--config-dir ./config \
--logs-dir ./logs \
--work-dir ./workdir \
-d *.example.com

After that, Certbot will ask you to place a TXT record under your domain name, like:

_acme-challenge.example.com TXT "psdfSdfZd_Zma5rNBHCTIaFkptclAr_4c4"

The verification completes within a few seconds, and the generated private key and certificate are placed under the folder named after your domain (inside the --config-dir given above). You can import the certificate into ACM and use it later for other AWS resources like a Load Balancer or CloudFront, or import it into a Java keystore when you are developing Java applications.
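The most common failure at the manual DNS step is pressing Enter before the TXT record has propagated, which makes the validation fail and counts against Let's Encrypt rate limits. The following pre-flight check is an added example, not code from the original article: it derives the _acme-challenge name for a (possibly wildcard) domain, parses `dig +short TXT` output, and confirms the value Certbot printed is visible from public resolvers. It assumes `dig` is installed; the sample dig output is constructed.

```python
"""Pre-flight check for Certbot's manual DNS-01 step (added example)."""
import re
import subprocess

# Matches each quoted chunk of a TXT answer; long records are split into
# several quoted strings on one line and must be joined back together.
_TXT_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')


def challenge_name(domain):
    """Return the name the TXT record must be created under.
    A wildcard such as *.example.com is validated at the base name,
    i.e. _acme-challenge.example.com (the leading '*.' is dropped)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def parse_txt_answers(dig_short_output):
    """Parse `dig +short TXT name` output into a list of record values."""
    values = []
    for line in dig_short_output.splitlines():
        chunks = _TXT_CHUNK.findall(line)
        if chunks:
            values.append("".join(chunks))
    return values


def record_present(dig_short_output, expected):
    """True if the exact value Certbot asked for is among the answers."""
    return expected in parse_txt_answers(dig_short_output)


def query_txt(name, resolver):
    """Live lookup of TXT records via dig against one resolver (needs network)."""
    proc = subprocess.run(
        ["dig", "+short", "TXT", name, "@" + resolver],
        capture_output=True, text=True, check=False,
    )
    return parse_txt_answers(proc.stdout)


def ready_for_validation(domain, expected, resolvers=("1.1.1.1", "8.8.8.8")):
    """Only report ready when every public resolver already serves the value."""
    name = challenge_name(domain)
    return all(expected in query_txt(name, r) for r in resolvers)


# Constructed sample of `dig +short TXT _acme-challenge.example.com` output:
# a stale record from an earlier run plus the value from the article.
SAMPLE_DIG = '"stale-value-from-last-run"\n"psdfSdfZd_Zma5rNBHCTIaFkptclAr_4c4"\n'
```

Run `ready_for_validation("*.example.com", "<value certbot printed>")` in a loop until it returns True, then press Enter in the Certbot prompt.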
