One day you are setting up a new website for your personal blog, as part of the ‘online profile’ or resume you hope will get you noticed by employers. You are broke, so you decided to try out services that are free for one year to set up your new blog. You created the website templates, set up the NGINX/Apache web server and the database, and installed all the other dependencies your blog needs to run. You chose AWS Route 53 as your DNS (a .uk TLD costs $9 USD a year there; see Route 53's domain registration price list for the full table) and any Linux as your OS. So you were running the $9 USD .uk domain.

Then, after a month of handing out your resume and applying on job boards, you got a response. The response reads:

‘I love your blog but just a suggestion, why not use to show off your skills? After all it’s 2017 and everyone needs to have security online. Also I’m getting this screen whenever I try to visit your site.’

Ahm, OK. You thought to yourself ‘basically I need to add security, right?’ Piece of cake! You dig around the internet to see which sites can give you a free certificate, since you are broke and cannot afford your next lunch if you decide to buy an SSL certificate.

## SSL

What to do? Let’s use Let’s Encrypt, a free certificate authority that you talk to over the ACME protocol.

[Let's Encrypt - Free SSL/TLS Certificates](https://letsencrypt.org): _Let's Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security…_

Since we are using Route 53 for DNS, we can use the DNS challenge (dns-01) to prove that we control the domain: the CA hands us a token, we publish a value derived from it in a TXT record at `_acme-challenge.<domain>`, and the CA looks that record up before it issues the certificate. Nothing has to be served from the web server itself, so this works even before the site is reachable on port 80. One option is Certbot with Route 53.

[Certbot](https://certbot.eff.org): _Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates._

Drilling through the docs, however, you were unable to see a trivial way to do the DNS challenge using AWS Route 53. Uhm, some help?

## Dehydrated to the rescue

Dehydrated wraps the complexity of the ACME protocol in a command-line bash script that you can use to make retrieving your SSL/TLS certificate from Let’s Encrypt easier.
[lukas2511/dehydrated](https://github.com/lukas2511/dehydrated): _dehydrated - letsencrypt/acme client implemented as a shell-script - just add water_

Simple enough, right?

```text
Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:
 --register                            Register account key
 --cron (-c)                           Sign/renew non-existant/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem        Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem        Revoke specified certificate
 --cleanup (-gc)                       Move unused certificate files to archive directory
 --help (-h)                           Show help text
 --env (-e)                            Output configuration variables for use in other scripts

Parameters:
 --accept-terms                        Accept CAs terms of service
 --full-chain (-fc)                    Print full chain when using --signcsr
 --ipv4 (-4)                           Resolve names to IPv4 addresses only
 --ipv6 (-6)                           Resolve names to IPv6 addresses only
 --domain (-d) domain.tld              Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --keep-going (-g)                     Keep going after encountering an error while creating/renewing multiple certificates in cron mode
 --force (-x)                          Force renew of certificate even if it is longer valid than value in RENEW_DAYS
 --no-lock (-n)                        Don't use lockfile (potentially dangerous!)
 --lock-suffix example.com             Suffix lockfile name with a string (useful for with -d)
 --ocsp                                Sets option in CSR indicating OCSP stapling to be mandatory
 --privkey (-p) path/to/key.pem        Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config          Use specified config file
 --hook (-k) path/to/hook.sh           Use specified script for hooks
 --out (-o) certs/directory            Output certificates into the specified directory
 --challenge (-t) http-01|dns-01       Which challenge should be used? Currently http-01 and dns-01 are supported
 --algo (-a) rsa|prime256v1|secp384r1  Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
```

Ahm, not so much.
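Here is what the `--hook` and `--challenge dns-01` options are actually asking you for, as an added example written for this post (my own illustration, not dehydrated's or route53-ssl's code): a hook script that publishes and removes the `_acme-challenge` TXT record in Route 53 through the AWS CLI, waits until the change is INSYNC so the CA can see it, and reloads the web server once a new certificate is written. It assumes the `aws` CLI is installed with credentials for an IAM user scoped to the hosted zone, that you export `HOSTED_ZONE_ID` (an assumed variable name) before running dehydrated, and that `RELOAD_CMD` (also assumed) holds the command that reloads your nginx/apache.

```shell
#!/usr/bin/env bash
# Added example: a dehydrated hook for the Route 53 dns-01 challenge.
# Not dehydrated's or route53-ssl's own code. dehydrated calls it as
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh deploy_cert      DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Assumptions: the aws CLI is installed with credentials for an IAM user limited
# to this hosted zone; HOSTED_ZONE_ID and (optionally) RELOAD_CMD are exported
# by whoever runs "./dehydrated --cron --challenge dns-01 --hook ./hook.sh".
set -eu

# Build the Route 53 ChangeBatch JSON for one _acme-challenge TXT record.
# A pure string function: no network, so it can be checked without AWS.
# Route 53 wants TXT values wrapped in literal double quotes, hence the \".
route53_change_batch() {
    action="$1"; domain="$2"; token_value="$3"
    printf '{"Comment":"dehydrated dns-01","Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"_acme-challenge.%s.","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' \
        "$action" "$domain" "$token_value"
}

# Submit the change and block until Route 53 reports it INSYNC, so the CA's
# resolver can see the record by the time dehydrated asks for validation.
route53_apply() {
    change_id=$(aws route53 change-resource-record-sets \
        --hosted-zone-id "$HOSTED_ZONE_ID" \
        --change-batch "$1" \
        --query 'ChangeInfo.Id' --output text)
    aws route53 wait resource-record-sets-changed --id "$change_id"
}

deploy_challenge() {
    # $2 is TOKEN_FILENAME, which only matters for http-01; $3 is the TXT value.
    route53_apply "$(route53_change_batch UPSERT "$1" "$3")"
}

clean_challenge() {
    # Remove the record again so stale challenge values do not pile up in the zone.
    route53_apply "$(route53_change_batch DELETE "$1" "$3")"
}

deploy_cert() {
    # A new certificate was written; reload the web server so it picks it up.
    # Defaults to nginx; set RELOAD_CMD for apache (e.g. "systemctl reload apache2").
    ${RELOAD_CMD:-systemctl reload nginx}
}

# dehydrated invokes the hook for every event (unchanged_cert, exit_hook, ...);
# anything we do not handle must simply succeed, or dehydrated aborts.
hook_main() {
    handler="${1:-}"
    [ "$#" -gt 0 ] && shift
    case "$handler" in
        deploy_challenge) deploy_challenge "$@" ;;
        clean_challenge)  clean_challenge "$@" ;;
        deploy_cert)      deploy_cert "$@" ;;
        *) : ;;
    esac
}

hook_main "$@"
```

Run it as `HOSTED_ZONE_ID=Z... ./dehydrated --cron --challenge dns-01 --hook ./hook.sh -d blog.example.uk` from cron. The IAM user behind the `aws` calls needs only `route53:ChangeResourceRecordSets` and `route53:GetChange` on that one hosted zone; a key that can do anything else is exposure you do not need on a web server.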
Dehydrated gives you lots of options and flexibility out of the box. Current features:

- Signing of a list of domains
- Signing of a CSR
- Renewal if a certificate is about to expire or SAN (subdomains) changed
- Certificate revocation

The trade-off is that it takes longer to understand how it fits together with your application: for dns-01 you still have to supply the hook that creates and removes the `_acme-challenge` TXT records in Route 53, and pass it in with `--hook` and `--challenge dns-01`. So how do we proceed from here?

## Route53-SSL

To make integrating your application with the Route 53 DNS challenge easy, I built a small library that helps you do it seamlessly.

[kenichi-shibata/route53-ssl](https://github.com/kenichi-shibata/route53-ssl): _route53-ssl - Generate FREE! SSL certificate for AWS Route 53 use with Let's Encrypt Acme protocol_

How to use it?

```bash
git clone https://github.com/kenichi-shibata/route53-ssl
cd route53-ssl
# Add your IAM Access Key and Secret Key in the .aws directory of the cloned route53-ssl
# Accept Dehydrated's terms of service
./dehydrated --register --accept-terms
./start.sh
# answer the questions
# the certificate will be in the certs/{domain} directory
```

Two things are worth getting right before you run it. The access key you drop into `.aws` only ever needs to change DNS records, so give it an IAM policy limited to `route53:ChangeResourceRecordSets` and `route53:GetChange` on your hosted zone (plus `route53:ListHostedZones` if the tool has to look the zone ID up), not an admin key, and keep that directory out of version control. And `privkey.pem` is the private key for your site: it must be readable only by root (or whichever account starts the web server), never by the blog's application user.

That’s it. Now you have a certificate in the `certs` directory. Just the little matter of using it.

## Usage

Apache:

```apache
SSLEngine On
SSLCertificateFile $cloned_dir/ssl-autobot/certs/sample.example.com/fullchain.pem
SSLCertificateKeyFile $cloned_dir/ssl-autobot/certs/sample.example.com/privkey.pem
```

Nginx:

```nginx
server {
    listen 443 ssl;
    ssl_certificate $cloned_dir/ssl-autobot/certs/sample.example.com/fullchain.pem;
    ssl_certificate_key $cloned_dir/ssl-autobot/certs/sample.example.com/privkey.pem;
    ...
}
```

Use `fullchain.pem`, not `cert.pem`, as the certificate file: it carries the intermediate certificate as well, and without it some clients cannot build the chain back to a trusted root even though your own browser may have cached the intermediate. Now reload your nginx/apache and you are good to go.

To check, hit F12, then go to Security > Overview > View certificate. If you see ‘Issued by: Let’s Encrypt Authority XX’ then you are golden.

Let me know if you have questions below, thanks!