Free SSL Certificate using ACME Protocol Let’s Encrypt on AWS Free Tier.

One day you are setting up a new website for your personal blog that you are doing as part of your ‘online profile’ or resume to get noticed by employees. You are broke and decided to try out AWS services for 1 year for free to set up your new blog. You created the website templates, setup the NGINX/Apache Webserver, Database, used the Route 53 as your DNS, and any linux as your OS and all the other necessary dependency for your blog to run. Route53 DNS has a $9 TLD domain for .uk

See full list of prices on Route53 Domain registration below:

You were running the $9 usd .uk domain

Then after a month of handing out your resume and applying on job boards, you got a response. The response reads ‘I love your blog but just a suggestion why not use https to show off your skills after all its 2017 and everyone needs to have security online also I’m getting this screen whenever I try to visit your site’

Ahm Ok. You thought to yourself ‘basically I need to add a security right?’ Piece of cake!

You try to dig around the internet to see which sites can give you free SSL certificate since you are broke and cannot afford your next lunch if you do decide to buy SSL certification.

What to do? let’s use let’s-encrypt protocol.

Since we are using route 53. We can use DNS Challenge to verify that we own the domain. We can use certbot

Drilling through the docs however you were unable to see a trivial way to do the DNS Challenge using AWS Route53.

Uhm some help?

Dehydrated to the rescue

Dehydrated wraps the complexity of ACME Protocol and implements a command line bash script that you can utilize in order to make your SSL/TLS certificate retrieval from Let’s Encrypt easier.

Simple enough right?

Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

--register Register account key
--cron (-c) Sign/renew non-existant/changed/expiring certificates.
--signcsr (-s) path/to/csr.pem Sign a given CSR, output CRT on stdout (advanced usage)
--revoke (-r) path/to/cert.pem Revoke specified certificate
--cleanup (-gc) Move unused certificate files to archive directory
--help (-h) Show help text
--env (-e) Output configuration variables for use in other scripts

--accept-terms Accept CAs terms of service
--full-chain (-fc) Print full chain when using --signcsr
--ipv4 (-4) Resolve names to IPv4 addresses only
--ipv6 (-6) Resolve names to IPv6 addresses only
--domain (-d) domain.tld Use specified domain name(s) instead of domains.txt entry (one certificate!)
--keep-going (-g) Keep going after encountering an error while creating/renewing multiple certificates in cron mode
--force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
--no-lock (-n) Don't use lockfile (potentially dangerous!)
--lock-suffix Suffix lockfile name with a string (useful for with -d)
--ocsp Sets option in CSR indicating OCSP stapling to be mandatory
--privkey (-p) path/to/key.pem Use specified private key instead of account key (useful for revocation)
--config (-f) path/to/config Use specified config file
--hook (-k) path/to/ Use specified script for hooks
--out (-o) certs/directory Output certificates into the specified directory
--challenge (-t) http-01|dns-01 Which challenge should be used? Currently http-01 and dns-01 are supported
--algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1

Ahm not so much. Dehydrated gives you lots of options and flexibility out of the box.

Current features:

  • Signing of a list of domains
  • Signing of a CSR
  • Renewal if a certificate is about to expire or SAN (subdomains) changed
  • Certificate revocation

The trade off is it will take a longer time to understand how it works with your application. So how do we proceed from here.


In order to easily integrate your application with Route53 DNS Challenge*. I built a small library that helps you seamlessly integrate with your application

How to use it?

# Accept Dehydrated terms 
git clone
# Add your IAM AccessKey and Secret Key on the .aws directory where you cloned the route53-ssl
./dehydrated --register --accept-terms
./ #answer the questions

# the certificate will be on the certs/{domain} directory

That’s it. Now you have certificate on /certs directory. Just the little matter of using it.



SSLEngine On
SSLCertificateFile $cloned_dir/ssl-autobot/certs/
SSLCertificateKeyFile $cloned_dir/ssl-autobot/certs/


server {
listen 443 ssl;
ssl_certificate $cloned_dir/ssl-autobot/certs/;
ssl_certificate_key $cloned_dir/ssl-autobot/certs/;

Now reload your nginx/apache then you are good to go.

To check

Hit F12 then go to security > overview > view-certificate 

If you see Issued by: Let’ Encrypt Authority XX then you are golden

Let me know if you have questions below thanks!

More by kenichi

Topics of interest

More Related Stories