Mike Milligan and the Kitchen brothers
Here is a quick tutorial on how you can create free SSL certificates for your AWS deployments.
If you’re on AWS and hosting a large workload, you can actually get free certificates from Amazon by using their Certificate Manager. However these certificates can only be attached to an AWS Load Balancer, an API Gateway instance or a CloudFront distribution.
For small Laravel staging deployments that don’t require a load balancer because you just need one front-end server, it is then not worth the overhead cost as a Load Balancer comes at around $17 per month, depending on the region.
On the other hand, Let’s Encrypt offers a free Certificate Authority service, which means it will sign SSL/TLS certificates for free. The downside is that they expire every 90 days and also the procedure to create these certificates can be laborious. Indeed, you need to prove that you have control over a domain before receiving your certificates, for example by deploying a Nginx server with a validation file on that domain. It’s time-consuming and it’s a pain.
I will show you instead how you can create a Let’s Encrypt certificate for AWS, directly from your development machine, in two command lines.
Requirements: — having the AWS CLI installed and configured — having Certbot installed on your machine : brew install certbot
— having your domain name registered as a hosted zone in Route53 in your AWS account
Copy the below script in your current directory using the command:wget [https://gist.githubusercontent.com/li0nel/4563f8d909e808169c91a5521569ff10/raw/cb1396d07eb91700642b27a4cd92e335498c03ca/auth-hook.sh](https://gist.githubusercontent.com/li0nel/4563f8d909e808169c91a5521569ff10/raw/cb1396d07eb91700642b27a4cd92e335498c03ca/auth-hook.sh) -O ./auth-hook.sh && chmod +x auth-hook.sh
This will create an executable script that uses the AWS CLI to insert a TXT record in your Route53 DNS records.
The TXT record is then used by Let’s Encrypt servers to verify that you control the domain, by querying the DNS servers for that domain.
In the same directory, execute the below command, after replacing your_domain.com
by your actual domain name and the email by your appropriate email address. Note that this will generate a certificate both for your_domain.com
and www.your_domain.com
. You can add as many subdomains AFAIK however Let’s Encrypt does not support wildcard certificates.
This might take a couple minutes, but eventually your certificates will be created in a /letsencrypt
directory.
For Nginx, the ssl_certificate file you are looking for is fullchain.pem
and the ssl_certificate_key is privkey.pem
.
Here you go! It took two command lines as promised, and a lot less headache than usual.
Lionel is Chief Technology Officer of London-based startup Wi5 and author of the Future-Proof Engineering Culture course. You can reach out to him on https://getlionel.com