Generate Standalone SSL Certificate with Let’s Encrypt for AWS Route 53 using Docker

Wai Loon
w:Logs
Published in
2 min readAug 20, 2020

Scenario

TLDR

Use the following command to run certbot/dns-route53 Docker image to generate the certificate. Once successfully generated, find the file at <PUT_YOUR_LOCAL_DIR>/letsencrypt directory.

docker run -it --rm --name certbot \
--env AWS_ACCESS_KEY_ID=<PUT_YOUR_OWN_ID> \
--env AWS_SECRET_ACCESS_KEY=<PUT_YOUR_OWN_KEY> \
--env AWS_SESSION_TOKEN=<PUT_YOUR_OWN_TOKEN> \
-v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/etc/letsencrypt" \
-v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/var/lib/letsencrypt" \
certbot/dns-route53 certonly \
-d my-subdomain.example.com \
-d '*.sys.my-subdomain.example.com' \
-d '*.login.sys.my-subdomain.example.com' \
-d '*.uaa.sys.my-subdomain.example.com' \
-d '*.apps.my-subdomain.example.com' \
-m <PUT_YOUR_EMAIL> \
--agree-tos --server https://acme-v02.api.letsencrypt.org/directory

Notes

  1. If you are not using MFA for AWS CLI, can omit AWS_SESSION_TOKEN.
  2. Consider using --env-file to pass the AWS credentials instead of clear text.
  3. -v mounts a local directory to the Docker container, that’s how the certificate files are created at <PUT_YOUR_LOCAL_DIR>/letsencrypt. Note that this above sample is for Linux/macOS; the path syntax for Windows would be different.
  4. --agree-tos is for automatically agreeing to the terms and conditions.
  5. Use --server https://acme-v02.api.letsencrypt.org/directory only if you are generating a wildcard certificate.

Renew Certificate

Let’s Encrypt certificate is only valid for 90 days. To automate the renewal, you can use the same certbot/dns-route53 image and run renew command.

docker run -it --rm --name certbot \
--env AWS_ACCESS_KEY_ID=<PUT_YOUR_OWN_ID> \
--env AWS_SECRET_ACCESS_KEY=<PUT_YOUR_OWN_KEY> \
--env AWS_SESSION_TOKEN=<PUT_YOUR_OWN_TOKEN> \
-v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/etc/letsencrypt" \
-v "<PUT_YOUR_LOCAL_DIR>/letsencrypt:/var/lib/letsencrypt" \
certbot/dns-route53 renew \
--agree-tos --server https://acme-v02.api.letsencrypt.org/directory

References

More comprehensive explanations can be found in references below.

  1. Automating Certificates with Certbot in Docker, https://coderevolve.com/certbot-in-docker/
  2. Certbot — Running with Docker, https://certbot.eff.org/docs/install.html#running-with-docker
  3. Let’s Encrypt Wildcard Certificate Configuration with AWS Route 53, https://medium.com/prog-code/lets-encrypt-wildcard-certificate-configuration-with-aws-route-53-9c15adb936a7

--

--