diff --git a/README.md b/README.md new file mode 100644 index 0000000..217a200 --- /dev/null +++ b/README.md 
@@ -0,0 +1,64 @@ +# Route53 Wildcard Certbot + +A custom certbot image for a one time non-interactive generation of the required certificates relying on the Route53 DNS certbot challenge + +## How to use + +### Prerequisites + +Make sure to define the following: + +Env variables on the docker-compose.yml file + +- `CERTBOT_EMAIL` : The email that will be used when requesting the certificate. +- `DOMAIN` : The domain name for which the certificate will be requested. + +Define a `aws_config` file with valid AWS credentials for API access. The identity associated with those credentials should be able to perform these actions: + +- `route53:ListHostedZones` +- `route53:GetChange` +- `route53:ChangeResourceRecordSets` + +[Check the documentation for certbot-dns-route53](https://certbot-dns-route53.readthedocs.io/en/stable/) + +### Execution + +By using `docker compose up` the TLS certificate will be requested and the files for NGINX left under the `output` folder. + +This is a sample output for an execution: + + +``` +$ docker compose up +Creating network "route53-wildcard-certbot_default" with the default driver +Creating route53-wildcard-certbot_certbot_1 ... done +Attaching to route53-wildcard-certbot_certbot_1 +certbot_1 | Saving debug log to /var/log/letsencrypt/letsencrypt.log +certbot_1 | Account registered. +certbot_1 | Requesting a certificate for mydomain.com and *.mydomain.com +certbot_1 | +certbot_1 | Successfully received certificate. +certbot_1 | Certificate is saved at: /etc/letsencrypt/live/mydomain.com/fullchain.pem +certbot_1 | Key is saved at: /etc/letsencrypt/live/mydomain.com/privkey.pem +certbot_1 | This certificate expires on 2024-11-25. +certbot_1 | These files will be updated when the certificate renews. +certbot_1 | NEXT STEPS: +certbot_1 | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. 
See https://certbot.org/renewal-setup for instructions. +certbot_1 | +certbot_1 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +certbot_1 | If you like Certbot, please consider supporting our work by: +certbot_1 | * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate +certbot_1 | * Donating to EFF: https://eff.org/donate-le +certbot_1 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +certbot_1 | Certificate obtained successfully. Copying files to output path. +certbot_1 | Changing owner of files to 1000:1000 +route53-wildcard-certbot_certbot_1 exited with code 0 +``` + +## Technical details on what happens under the hood + +In order for the certbot utility to generate a certificate in a way that doesn’t require public internet access, certbot is able to use the strategy of DNS challenge check to make sure one is in control of the domain name. + +So it requires access to the API in order to create a TXT entry on a certain domain on Route53 have it be validated by Let’s Encrypt and determine one can get the certificate. + +For that to work a new IAM user with API access that only has the permissions Certbot needs to work has been defined.
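Review bot: the claim in the "Technical details" section that the DNS challenge lets certbot work "in a way that doesn't require public internet access" is inaccurate and should be reworded; the DNS-01 challenge removes the need for an inbound-reachable web server on the host, but the container still needs outbound access to the Let's Encrypt ACME endpoint and to the Route53 API. Suggest "in a way that doesn't require the host to be reachable from the public internet". Related, the Prerequisites list the three Route53 actions with no resource scope, and the closing sentence only says the IAM user "only has the permissions Certbot needs": the README should state that `route53:ChangeResourceRecordSets` is restricted to the ARN of the hosted zone for `DOMAIN` (the linked certbot-dns-route53 documentation shows a sample policy scoped to a single hosted zone ID), since an unscoped grant lets the credential in `aws_config` modify records in every hosted zone of the account. The sample output also shows the certificate and `privkey.pem` being copied to `output` and chowned to `1000:1000`; a sentence noting that the private key lands there and must be protected accordingly would help. Minor: "Define a `aws_config` file" should be "Define an `aws_config` file", and "So it requires access to the API in order to create a TXT entry on a certain domain on Route53 have it be validated by Let's Encrypt and determine one can get the certificate" runs three clauses together and needs commas or splitting.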