Skip to content

Tool to obtain certs from Let's Encrypt using DNS-01 challenge with Route53 and Amazon Certificate Manager

Notifications You must be signed in to change notification settings

begmaroman/acme-dns-route53

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

acme-dns-route53 is the tool for obtaining SSL certificates from Let's Encrypt CA using DNS-01 challenge with Route53 and Amazon Certificate Manager by AWS.

Features:

  • Register with CA
  • Creating the initial server certificate
  • Renewing already existing certificates
  • Support DNS-01 challenge using Route53 by AWS
  • Store certificates into ACM by AWS
  • Managing certificates of multiple domains within one request
  • Build-in AWS Lambda tolerance

Installation:

Make sure that GoLang already installed

go install github.com/begmaroman/acme-dns-route53

Credentials:

Use of this tool requires a configuration file containing Amazon Web Services API credentials for an account with the following permissions:

  • sns:Publish (optional)
  • route53:ListHostedZones
  • route53:GetChange
  • route53:ChangeResourceRecordSets
  • acm:ImportCertificate
  • acm:ListCertificates
  • acm:DescribeCertificate

These permissions can be captured in an AWS policy like the one below. Amazon provides information about managing access and information about the required permissions

Example AWS policy file:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "acm:ImportCertificate",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:*",
                "arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

The access keys for an account with these permissions must be supplied in one of the following ways:

  • Using the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.
  • Using a credentials configuration file at the default location, ~/.aws/config.
  • Using a credentials configuration file at a path supplied using the AWS_CONFIG_FILE environment variable.

Example credentials config file:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Usage:

  • Domains (required) - use --domains flag to determine comma-separated domains list, certificates of which should be obtained. Example:

    $ acme-dns-route53 obtain --domains=testserver.com,testserver1.com,testserver2.com --email=<email>
  • Let's Encrypt Email (required) - use --email flag to determine Let's Encrypt account email. If account's private key is not provided, registers a new account. Private key expected by path <config-dir>/<email>.pem. Example:

    Path: /tmp/letsencrypt/[email protected]

    Content:

    -----BEGIN RSA PRIVATE KEY-----
    somecontentoftheprivatekey
    -----END RSA PRIVATE KEY-----
    
  • Let’s Encrypt ACME server - defaults to communicating with the production Let’s Encrypt ACME server. If you'd like to test something without issuing real certificates, consider using --staging flag:

    $ acme-dns-route53 obtain --staging --domains=<domains> --email=<email>
  • Configuration directory - defaults the configuration data storing in the current directory (where the CLI runs). If you'd like to change config directory, set the desired path using --config-dir flag:

    $ acme-dns-route53 obtain --config-path=<config-dir-path> --domains=<domains> --email=<email>
  • SNS Notification topic - if you'd like to send a notification to SNS, provide SNS Topic ARN using --topic flag:

    $ acme-dns-route53 obtain --domains=<domains> --email=<email> --topic=arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<SNS_TOPIC_NAME>
  • Renew Before - is the number of days defining the period before expiration within which a certificate must be renewed:

    $ acme-dns-route53 obtain --domains=<domains> --email=<email> --renew-before=7

Usage by AWS Lambda:

For the latest information regarding usage by AWS Lambda see the instruction

Links:

Let's Encrypt Website: https://letsencrypt.org

Community: https://community.letsencrypt.org

Amazon Certificate Manager: https://aws.amazon.com/certificate-manager

Route53 by AWS: https://aws.amazon.com/route53

Lambda by AWS: https://aws.amazon.com/lambda

ACME spec: http://ietf-wg-acme.github.io/acme/

Dependencies:

Inspired by:

About

Tool to obtain certs from Let's Encrypt using DNS-01 challenge with Route53 and Amazon Certificate Manager

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published