Certbot - Create wildcard public private key pair using Amazon Web Services (AWS) Route 53


This assumes you have installed Certbot.

You will need the certbot-dns-route53 plugin. Check out my article on Certbot Installing DNS Plugins.

Your Amazon Web Services (AWS) credentials file (e.g. /home/john.doe/.aws/credentials) will need the Access Key and Secret Key of an AWS Identity and Access Management (IAM) user. That user needs an attached policy that contains, at a bare minimum, the following policy document, with Z123456789ABCDEFGHIJ replaced by the actual ID of the AWS Hosted Zone for the DNS name on the SSL certificate (e.g. example.com). Check out my article on Creating IAM Access Keys using the AWS CLI.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"route53:ListResourceRecordSets",
				"route53:ChangeResourceRecordSets"
			],
			"Resource": "arn:aws:route53:::hostedzone/Z123456789ABCDEFGHIJ"
		},
		{
			"Effect": "Allow",
			"Action": [
				"route53:GetChange",
				"route53:ListHostedZones"
			],
			"Resource": "*"
		}
	]
}
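As an added example (my own script, not part of the original article), here is a POSIX shell script that looks up the hosted zone ID for a domain with the AWS CLI and renders the policy above with that ID filled in, so that route53:ChangeResourceRecordSets stays scoped to one hosted zone rather than "*" (a leaked key can then only alter that zone's records). It assumes the AWS CLI is installed and that the credentials used by lookup_zone_id are allowed to list hosted zones; the function names are mine. One gotcha it handles: list-hosted-zones-by-name returns the Id as /hostedzone/Z..., while the policy ARN needs only the Z... part.

```shell
#!/bin/sh
# Added example (not from the FreeKB article): render the least-privilege
# certbot-dns-route53 policy for one hosted zone.
# Assumes: AWS CLI installed; caller may list hosted zones.

# Print the hosted zone ID for a domain (e.g. example.com). Route 53 stores
# zone names with a trailing dot and returns Id as "/hostedzone/Z...".
lookup_zone_id() {
    aws route53 list-hosted-zones-by-name \
        --dns-name "$1" \
        --query "HostedZones[?Name=='$1.'].Id" \
        --output text | sed 's#^/hostedzone/##'
}

# Accept "Z123..." or "/hostedzone/Z123..." and print the bare ID; refuse
# anything else so a typo (or "*") cannot widen the policy's Resource.
normalize_zone_id() {
    id=$(printf '%s' "$1" | sed 's#^/hostedzone/##')
    case "$id" in
        Z[A-Z0-9]*) printf '%s\n' "$id"; return 0 ;;
        *) echo "invalid hosted zone id: $1" >&2; return 1 ;;
    esac
}

# Render the policy document with record changes scoped to one hosted zone.
# ListHostedZones and GetChange have no per-zone ARN, so they stay on "*".
render_certbot_policy() {
    zone=$(normalize_zone_id "$1") || return 1
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets"],
      "Resource": "arn:aws:route53:::hostedzone/$zone"
    },
    {
      "Effect": "Allow",
      "Action": ["route53:GetChange", "route53:ListHostedZones"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Usage:
#   render_certbot_policy "$(lookup_zone_id example.com)" > certbot-route53-policy.json
```

The rendered file can then be passed to aws iam create-policy and attached to the certbot user as described in the articles linked below; the Resource for ChangeResourceRecordSets is the only line that differs between zones.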

 

Probably the most common way to supply the AWS Access Key and Secret Key is to Set Profile Config using the AWS CLI on the system that Certbot was installed on and then set the AWS_PROFILE environment variable to the name of the profile in the credentials file. For example, let's say you have a profile named certbot in your AWS credentials file that contains the Access Key and Secret Key of an IAM user that has the above example policy document.

[certbot]
aws_access_key_id = *****
aws_secret_access_key = *****

 

In this scenario, you would export the AWS_PROFILE variable with a value of certbot so that the certbot profile in the AWS credentials file is used.

export AWS_PROFILE=certbot

 

Check out my articles on Listing IAM Policies using the AWS CLI and Attaching IAM Policies to a User using the AWS CLI. You can confirm that the policy is attached to the user like this.

~]$ aws iam list-attached-user-policies --user-name certbot
{
    "AttachedPolicies": [
        {
            "PolicyName": "my-certbot-policy",
            "PolicyArn": "arn:aws:iam::aws:policy/my-certbot-policy"
        }
    ]
}

 

Let's say your Route 53 domain name is example.com. Check out my article on Listing Route 53 Domains using the AWS CLI.

~]$ aws route53domains list-domains
{
    "Domains": [
        {
            "DomainName": "example.com",
            "AutoRenew": false,
            "TransferLock": false,
            "Expiry": "2024-03-15T20:48:06.797000-05:00"
        }
    ]
}

 

Let's create the directories that Certbot will use for its configuration, logs and working files.

mkdir --parents /usr/local/certbot/config
mkdir --parents /usr/local/certbot/logs
mkdir --parents /usr/local/certbot/working

 

You may need to change the owner of the directories to the user that will run Certbot (ec2-user in this example).

sudo chown ec2-user /usr/local/certbot
sudo chgrp ec2-user /usr/local/certbot
sudo chown -R ec2-user /usr/local/certbot
sudo chgrp -R ec2-user /usr/local/certbot

 

You should be able to use the certbot certonly command with --dns-route53 to request a new certificate, where --domains matches your Route 53 Domain Name.

AVOID TROUBLE

Do not use sudo, as this will cause Certbot to use /root/.aws/config and /root/.aws/credentials and to ignore the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY that were set as your local user.

certbot certonly \
--dns-route53 \
--keep-until-expiring \
--non-interactive \
--expand \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos -m john.doe@example.com \
--logs-dir /usr/local/certbot/logs \
--work-dir /usr/local/certbot/working/ \
--config-dir /usr/local/certbot/config/ \
--domains "example.com" \
--domains "*.example.com"

 

Something like this should be returned.

Saving debug log to /usr/local/certbot/logs/letsencrypt.log
Requesting a certificate for example.com and *.example.com

Successfully received certificate.
Certificate is saved at: /usr/local/certbot/live/example.com/fullchain.pem
Key is saved at:         /usr/local/certbot/live/example.com/privkey.pem
This certificate expires on 2023-10-26.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

The openssl command can be used to view the details of the fullchain.pem file. Note that with --config-dir set, the live directory sits under the config directory.

~]$ openssl x509 -in /usr/local/certbot/config/live/example.com/fullchain.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:8f:3c:fe:b9:37:87:cf:d0:4a:f1:4d:70:b4:f1:ad:cd:15
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=Let's Encrypt, CN=E5
        Validity
            Not Before: Jun 10 05:12:50 2024 GMT
            Not After : Sep  8 05:12:49 2024 GMT
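To tie the steps above together, here is an added wrapper script (my own, not from the article or from the Certbot project). It applies the AVOID TROUBLE note as a pre-flight check (refuses to run as root and requires AWS_PROFILE or explicit key variables), creates the directories, prints the certbot certonly command from the article, and after issuance verifies with openssl that fullchain.pem carries both the apex and wildcard names and is not already close to expiry. It assumes the base directory /usr/local/certbot, the profile name certbot and the domain example.com from the article; preflight, prepare_dirs, certbot_cmd and check_cert are my own names. Running prepare_dirs as the Certbot user gives the directories the ownership the chown step above sets.

```shell
#!/bin/sh
# Added example (not from the FreeKB article): wrapper around the article's
# certbot certonly --dns-route53 command with pre-flight and post-issuance checks.
# Assumed values: CERTBOT_BASE (default /usr/local/certbot), profile "certbot".

CERTBOT_BASE=${CERTBOT_BASE:-/usr/local/certbot}

# Refuse to run as root (Certbot would read /root/.aws instead of your profile)
# and insist on a credential source. $1 is the effective UID (defaults to id -u;
# a parameter so the check can be exercised without being root).
preflight() {
    uid=${1:-$(id -u)}
    if [ "$uid" -eq 0 ]; then
        echo "refusing to run as root: Certbot would use /root/.aws, not your profile" >&2
        return 1
    fi
    if [ -z "$AWS_PROFILE" ] && [ -z "$AWS_ACCESS_KEY_ID" ]; then
        echo "set AWS_PROFILE (e.g. certbot) or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY" >&2
        return 1
    fi
    return 0
}

# Create the config, logs and working directories under $1 (default CERTBOT_BASE).
prepare_dirs() {
    base=${1:-$CERTBOT_BASE}
    mkdir -p "$base/config" "$base/logs" "$base/working"
}

# Print the certbot command for a domain and contact address (args: domain email [base]).
certbot_cmd() {
    domain=$1; email=$2; base=${3:-$CERTBOT_BASE}
    printf 'certbot certonly --dns-route53 --keep-until-expiring --non-interactive --expand'
    printf ' --server https://acme-v02.api.letsencrypt.org/directory'
    printf ' --agree-tos -m %s' "$email"
    printf ' --logs-dir %s/logs --work-dir %s/working --config-dir %s/config' "$base" "$base" "$base"
    printf ' --domains %s --domains "*.%s"\n' "$domain" "$domain"
}

# Verify an issued fullchain.pem (args: pem domain [min_days]): it must carry both
# the apex and wildcard SANs and must not expire within min_days (default 30).
check_cert() {
    pem=$1; domain=$2; min_days=${3:-30}
    sans=$(openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null)
    printf '%s' "$sans" | grep -qF "DNS:$domain" \
        || { echo "missing SAN $domain" >&2; return 1; }
    printf '%s' "$sans" | grep -qF "DNS:*.$domain" \
        || { echo "missing SAN *.$domain" >&2; return 1; }
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days" >&2; return 1; }
    return 0
}

# Usage (as the user whose ~/.aws/credentials holds the certbot profile):
#   export AWS_PROFILE=certbot
#   preflight && prepare_dirs && eval "$(certbot_cmd example.com john.doe@example.com)" \
#       && check_cert "$CERTBOT_BASE/config/live/example.com/fullchain.pem" example.com
```

check_cert is also a useful thing to run from the renewal cron or timer: a non-zero exit there means the wildcard SAN went missing or the certificate is closer to expiry than the renewal schedule should allow.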

 



