Route53 Wildcard Certbot

A custom certbot image for a one-time, non-interactive generation of the required certificates, relying on the Route53 DNS challenge supported by certbot.

How to use

Prerequisites

Make sure to define the following:

Env variables on the docker-compose.yml file

  • CERTBOT_EMAIL : The email that will be used when requesting the certificate.
  • DOMAIN : The domain name for which the certificate will be requested.

Define an aws_config file with valid AWS credentials for API access. The identity associated with those credentials should be able to perform these actions:

  • route53:ListHostedZones
  • route53:GetChange
  • route53:ChangeResourceRecordSets

Check the documentation for certbot-dns-route53

Execution

Running docker compose up requests the TLS certificate and leaves the files for NGINX under the output folder.

This is a sample output for an execution:

$ docker compose up
Creating network "route53-wildcard-certbot_default" with the default driver
Creating route53-wildcard-certbot_certbot_1 ... done
Attaching to route53-wildcard-certbot_certbot_1
certbot_1  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot_1  | Account registered.
certbot_1  | Requesting a certificate for mydomain.com and *.mydomain.com
certbot_1  | 
certbot_1  | Successfully received certificate.
certbot_1  | Certificate is saved at: /etc/letsencrypt/live/mydomain.com/fullchain.pem
certbot_1  | Key is saved at:         /etc/letsencrypt/live/mydomain.com/privkey.pem
certbot_1  | This certificate expires on 2024-11-25.
certbot_1  | These files will be updated when the certificate renews.
certbot_1  | NEXT STEPS:
certbot_1  | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
certbot_1  | 
certbot_1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot_1  | If you like Certbot, please consider supporting our work by:
certbot_1  |  * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
certbot_1  |  * Donating to EFF:                    https://eff.org/donate-le
certbot_1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot_1  | Certificate obtained successfully. Copying files to output path.
certbot_1  | Changing owner of files to 1000:1000
route53-wildcard-certbot_certbot_1 exited with code 0

Technical details on what happens under the hood

To generate a certificate in a way that does not require the requesting host to be reachable from the public internet, certbot can use the DNS challenge strategy, which proves that one is in control of the domain name.

That strategy requires API access: certbot creates a TXT record under the domain in Route53, Let's Encrypt validates it, and once validated the certificate can be issued.

For that to work, a new IAM user with API access has been defined that holds only the permissions certbot needs.
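As an added example (not part of this project), this is an IAM policy granting only the three actions listed under Prerequisites, scoped as narrowly as the DNS challenge allows: ListHostedZones has to be allowed on all resources, GetChange only needs the change ARN, and ChangeResourceRecordSets is limited to the hosted zone that serves the domain (HOSTED_ZONE_ID_PLACEHOLDER stands in for the real zone id) and, via the route53:ChangeResourceRecordSetsRecordTypes condition key, to TXT records, which is all the challenge writes.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CertbotListZones",
      "Effect": "Allow",
      "Action": "route53:ListHostedZones",
      "Resource": "*"
    },
    {
      "Sid": "CertbotPollChange",
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Sid": "CertbotWriteTxtInOneZone",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_PLACEHOLDER",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        }
      }
    }
  ]
}
```

Attach the policy to the IAM user whose keys go into aws_config; if the user is later given write access to other record types or zones, the credentials on the container can do far more than issue a certificate.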