Introduction
AWS Certificate Manager (ACM) provides free TLS certificates for use directly by AWS services (e.g., CloudFront, Application Load Balancer). However, it cannot be used when you need to obtain key and certificate files for use directly on an EC2 instance (e.g., in nginx or apache). Using certbot with Route 53 is an alternative to ACM that can be automated and gives access to the certificate and key files, when the DNS for your server hostname/domain is managed by Route 53.
Prerequisites
- The domain for which you need certificates is configured as a Route 53 hosted zone in your AWS account.
How To
- Install certbot and the certbot Route 53 DNS plugin.
  - E.g. for Ubuntu 22.04 using apt:
    apt-get install certbot python3-certbot-dns-route53
- Configure AWS credentials that have the permissions required by the Route 53 plugin.
  - Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, or otherwise set up a profile in your ~/.aws/config credentials configuration file.
- Create a certificate using the certbot CLI. In the example below, the AWS profile with Route 53 privileges is named dns:
$ AWS_PROFILE=dns certbot certonly \
    --non-interactive \
    --dns-route53 \
    --agree-tos \
    --email abc123@cornell.edu \
    --domain myserver.example.cucloud.net \
    --cert-name mycert53 \
    --verbose
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-route53, Installer None
Requesting a certificate for myserver.example.cucloud.net
Performing the following challenges:
dns-01 challenge for myserver.example.cucloud.net
Waiting for verification...
Cleaning up challenges
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mycert53/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/mycert53/privkey.pem
This certificate expires on 2024-09-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
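The "Configure AWS credentials" step above does not spell out which permissions the dns-route53 plugin needs. The IAM policy below is an added example (not from this page or the certbot project) of a least-privilege policy for the dns profile: it allows the plugin to find the hosted zone and poll for change propagation, but limits record changes to TXT records in one hosted zone. Z0EXAMPLE_HOSTED_ZONE_ID is a placeholder for your own hosted zone ID, and the record-name condition assumes the route53:ChangeResourceRecordSetsNormalizedRecordNames key accepts a StringLike wildcard.

```json
{
  "Version": "2012-10-17",
  "Id": "certbot-dns-route53-least-privilege-example",
  "Statement": [
    {
      "Sid": "FindZoneAndPollChange",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AcmeChallengeTxtOnly",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/Z0EXAMPLE_HOSTED_ZONE_ID",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        },
        "ForAllValues:StringLike": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]
        }
      }
    }
  ]
}
```

Attach this policy to the IAM user or role whose keys you put in the dns profile; if certbot later fails with an AccessDenied error, the CloudTrail record for route53:ChangeResourceRecordSets will show which condition did not match.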
Notes
- The record that certbot creates in Route 53 seems to be automatically deleted once the certificate is validated.
- Certbot certificates validated with Route 53 have a 3-month lifespan.
- Certbot can optionally configure/install certificates automatically for several types of web servers. The example here uses certbot only to create/renew certificates; see the certbot documentation for web server integration options.
Renewal
You will need to ensure that the scheduled task that certbot creates on your system can run successfully (with access to the dns profile credentials) so the certificate is renewed automatically, or you will need to trigger renewal some other way before your certificate expires.
You can test whether renewal would work using the following:
$ AWS_PROFILE=dns certbot renew --dns-route53 --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mycert53.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for myserver.example.cucloud.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/mycert53/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
References
- certbot
- AWS documentation