Generate Standalone SSL Certificate with Let’s Encrypt for AWS Route 53 using Docker
Scenario
- Have a domain name in AWS Route 53.
- Need to generate a standalone certificate without a web server. (In my case, the certificate is to be used for deploying Ops Manager using Terraform.)
TLDR
Use the following command to run the certbot/dns-route53 Docker image and generate the certificate. Once it has been generated successfully, the files are in the <PUT_YOUR_LOCAL_DIR>/letsencrypt directory.
docker run -it --rm --name certbot \
--env AWS_ACCESS_KEY_ID=<PUT_YOUR_OWN_ID> \
--env AWS_SECRET_ACCESS_KEY=<PUT_YOUR_OWN_KEY> \
--env AWS_SESSION_TOKEN=<PUT_YOUR_OWN_TOKEN> \
-v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/etc/letsencrypt" \
-v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/var/lib/letsencrypt" \
certbot/dns-route53 certonly \
-d my-subdomain.example.com \
-d '*.sys.my-subdomain.example.com' \
-d '*.login.sys.my-subdomain.example.com' \
-d '*.uaa.sys.my-subdomain.example.com' \
-d '*.apps.my-subdomain.example.com' \
-m <PUT_YOUR_EMAIL> \
--agree-tos --server https://acme-v02.api.letsencrypt.org/directory
Notes
- If you are not using MFA for the AWS CLI, you can omit AWS_SESSION_TOKEN.
- Consider using --env-file to pass the AWS credentials instead of putting them in clear text on the command line.
- -v mounts a local directory into the Docker container; that is how the certificate files end up in <PUT_YOUR_LOCAL_DIR>/letsencrypt. Note that the sample above is for Linux/macOS; the path syntax on Windows is different.
- --agree-tos automatically agrees to the terms and conditions.
- Use --server https://acme-v02.api.letsencrypt.org/directory only if you are generating a wildcard certificate.
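The AWS credentials passed into the container above should belong to a user or role that can do nothing beyond what the DNS-01 challenge needs. The following IAM policy is an added example (it is not part of the original post) that grants only the Route 53 actions the certbot-dns-route53 plugin uses, and limits record changes to a single hosted zone; <PUT_YOUR_HOSTED_ZONE_ID> is a placeholder for the zone that holds my-subdomain.example.com.

```json
{
  "Version": "2012-10-17",
  "Id": "certbot-dns-route53-least-privilege",
  "Statement": [
    {
      "Sid": "FindZoneAndPollChangeStatus",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Sid": "WriteAcmeChallengeTxtRecordsInOneZoneOnly",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/<PUT_YOUR_HOSTED_ZONE_ID>",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        }
      }
    }
  ]
}
```

The Condition block restricts the writable record type to TXT (the only type the _acme-challenge records use); if your account's IAM does not accept that condition key, drop the Condition and keep the single-zone Resource restriction.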
Renew Certificate
A Let’s Encrypt certificate is only valid for 90 days. To automate renewal, use the same certbot/dns-route53 image and run the renew command.
docker run -it --rm --name certbot \
--env AWS_ACCESS_KEY_ID=<PUT_YOUR_OWN_ID> \
--env AWS_SECRET_ACCESS_KEY=<PUT_YOUR_OWN_KEY> \
--env AWS_SESSION_TOKEN=<PUT_YOUR_OWN_TOKEN> \
-v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/etc/letsencrypt" \
-v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/var/lib/letsencrypt" \
certbot/dns-route53 renew \
--agree-tos --server https://acme-v02.api.letsencrypt.org/directory
References
More comprehensive explanations can be found in the references below.
- Automating Certificates with Certbot in Docker, https://coderevolve.com/certbot-in-docker/
- Certbot — Running with Docker, https://certbot.eff.org/docs/install.html#running-with-docker
- Let’s Encrypt Wildcard Certificate Configuration with AWS Route 53, https://medium.com/prog-code/lets-encrypt-wildcard-certificate-configuration-with-aws-route-53-9c15adb936a7