Custom SSL certificate with Letsencrypt, ACM & Route53 powered by certbot
Letsencrypt makes it easy to request an SSL certificate from the command line. The certbot
tool is powerful, flexible and (thankfully) dockerized. There are a multitude of available plugins, expanding its utility.
If you are going to use certbot
to request a certificate you will have to “verify ownership” of your domain. There are several ways to do this, such as running a throw away server, serving a file from an S3
bucket or setting a TXT
record.
AWS has a certificate management product (ACM
) that integrates with their ecosystem of services. Since we are generating a certificate with certbot we will use ACM to import it.
Generate the Certificate
$ docker run -it -rm -v letsencrypt:/etc/letsencrypt certbot/dns-route53 certonly -n --dns-route53 --agree-tos --email address@example.com --domains my-cool-domain.example.com
Providing you have the appropriate access to the related AWS resources, specifically Route53 and ACM, you should see output confirming that your domain verification was successful and your cert files have been generated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for my-cool-domain.example.com
Waiting for verification...
Cleaning up challengesIMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/my-cool-domain.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/my-cool-domain.example.com/privkey.pem
Your cert will expire on 2020-02-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Its important to keep in mind that there are rate-limits related to requesting certs, make sure you read up!
Import the Certificate with ACM
Now that the files have been generated the can be passed to the aws acm cli tool, importing the new certificate and making it available for use.
$ aws acm import-certificate --certificate "letsencrypt/cert.pem" --private-key "letsencrypt/privkey.pem" --certificate-chain "letsencrypt/fullchain.pem"
Conclusion
Since you’ve generated and uploaded the certificate yourself you will have to manage its expiration. You can re-run these two steps, wrapped in a bash script via a scheduled job (cron
, AWS Lambda
with a Cloudwatch
timer, etc), or include them within a CI/CD pipeline.