Generate Standalone SSL Certificate with Let’s Encrypt for AWS Route 53 using Docker

Scenario

• Have a domain name in AWS Route 53.
• Need to generate standalone certificate without web server. (In my case, the certificate is to be used for deploying Ops Manager using Terraform.)

TLDR

Use the following command to run certbot/dns-route53 Docker image to generate the certificate. Once successfully generated, find the file at <PUT_YOUR_LOCAL_DIR>/letsencrypt directory.

docker run -it --rm --name certbot \
    --env AWS_ACCESS_KEY_ID=<PUT_YOUR_OWN_ID> \
    --env AWS_SECRET_ACCESS_KEY=<PUT_YOUR_OWN_KEY> \
    --env AWS_SESSION_TOKEN=<PUT_YOUR_OWN_TOKEN> \
    -v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/etc/letsencrypt" \
    -v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/var/lib/letsencrypt" \
    certbot/dns-route53 certonly \
    -d my-subdomain.example.com \
    -d '*.sys.my-subdomain.example.com' \
    -d '*.login.sys.my-subdomain.example.com' \
    -d '*.uaa.sys.my-subdomain.example.com' \
    -d '*.apps.my-subdomain.example.com' \
    -m <PUT_YOUR_EMAIL> \
    --agree-tos --server https://acme-v02.api.letsencrypt.org/directory

Notes

1. If you are not using MFA for AWS CLI, can omit AWS_SESSION_TOKEN.
2. Consider using --env-file to pass the AWS credentials instead of clear text.
3. -v mounts a local directory to the Docker container, that’s how the certificate files are created at <PUT_YOUR_LOCAL_DIR>/letsencrypt. Note that this above sample is for Linux/macOS; the path syntax for Windows would be different.
4. --agree-tos is for automatically agreeing to the terms and conditions.
5. Use --server https://acme-v02.api.letsencrypt.org/directory only if you are generating a wildcard certificate.

Renew Certificate

Let’s Encrypt certificate is only valid for 90 days. To automate the renewal, you can use the same certbot/dns-route53 image and run renew command.

docker run -it --rm --name certbot \
    --env AWS_ACCESS_KEY_ID=<PUT_YOUR_OWN_ID> \
    --env AWS_SECRET_ACCESS_KEY=<PUT_YOUR_OWN_KEY> \
    --env AWS_SESSION_TOKEN=<PUT_YOUR_OWN_TOKEN> \
    -v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/etc/letsencrypt" \
    -v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/var/lib/letsencrypt" \
    certbot/dns-route53 renew \
    --agree-tos --server https://acme-v02.api.letsencrypt.org/directory

References

More comprehensive explanations can be found in references below.

1. Automating Certificates with Certbot in Docker, https://coderevolve.com/certbot-in-docker/
2. Certbot — Running with Docker, https://certbot.eff.org/docs/install.html#running-with-docker
3. Let’s Encrypt Wildcard Certificate Configuration with AWS Route 53, https://medium.com/prog-code/lets-encrypt-wildcard-certificate-configuration-with-aws-route-53-9c15adb936a7