One day you are setting up a new website for your personal blog, as part of the ‘online profile’ or resume you use to get noticed by employers. You are broke, so you decide to try the AWS free tier for one year to host your new blog. You created the website templates, set up the NGINX/Apache web server and the database, used Route 53 as your DNS, picked whatever Linux you like as the OS, and installed all the other dependencies your blog needs to run. Route 53 offers the .uk TLD for $9.
See the full list of prices for Route 53 domain registration below:
You were running the $9 USD .uk domain.
Then, after a month of handing out your resume and applying on job boards, you got a response. The response reads: ‘I love your blog, but just a suggestion: why not use https to show off your skills? After all, it's 2017 and everyone needs to have security online. Also, I'm getting this screen whenever I try to visit your site.’
Ahm, OK. You thought to yourself, ‘basically I need to add security, right?’ Piece of cake!
You dig around the internet to see which sites can give you a free SSL certificate, since you are broke and cannot afford your next lunch if you buy one.
What to do? Let's use Let's Encrypt.
Let's Encrypt - Free SSL/TLS Certificates (letsencrypt.org): Let's Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security…
Since we are using Route 53, we can use the DNS challenge (dns-01) to prove that we control the domain. We can use certbot:
Certbot (certbot.eff.org): Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates.
Drilling through the docs, however, you were unable to find a trivial way to do the DNS challenge with AWS Route 53.
Uhm, some help?
Dehydrated wraps the complexity of the ACME protocol in a command-line bash script that makes retrieving your SSL/TLS certificate from Let's Encrypt easier.
lukas2511/dehydrated (github.com): dehydrated - letsencrypt/acme client implemented as a shell-script - just add water
Simple enough right?
Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:
 --register                       Register account key
 --cron (-c)                      Sign/renew non-existant/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem   Revoke specified certificate
 --cleanup (-gc)                  Move unused certificate files to archive directory
 --help (-h)                      Show help text
 --env (-e)                       Output configuration variables for use in other scripts

Parameters:
 --accept-terms                   Accept CAs terms of service
 --full-chain (-fc)               Print full chain when using --signcsr
 --ipv4 (-4)                      Resolve names to IPv4 addresses only
 --ipv6 (-6)                      Resolve names to IPv6 addresses only
 --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
 --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
 --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
 --lock-suffix example.com        Suffix lockfile name with a string (useful for with -d)
 --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
 --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config     Use specified config file
 --hook (-k) path/to/hook.sh      Use specified script for hooks
 --out (-o) certs/directory       Output certificates into the specified directory
 --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
 --algo (-a) rsa|prime256v1|secp384r1  Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
Ahm, not so much. Dehydrated gives you lots of options and flexibility out of the box.
Current features:
The trade-off is that it takes longer to understand how it fits with your application. So how do we proceed from here?
To make integrating your application with the Route 53 DNS challenge* easy, I built a small library that does it for you:
kenichi-shibata/route53-ssl (github.com): route53-ssl - Generate FREE! SSL certificate for AWS Route 53 use with Let's Encrypt Acme protocol
How to use it?
git clone https://github.com/kenichi-shibata/route53-ssl
cd route53-ssl
# Add your IAM access key and secret key in the .aws directory inside the cloned route53-ssl
# Accept the Dehydrated/CA terms and register your account key
./dehydrated --register --accept-terms
./start.sh   # answer the questions; the certificate will be in the certs/{domain} directory
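What the wrapper has to do on your behalf is answer dehydrated's dns-01 hook calls by writing and then removing a TXT record in Route 53. The script below is an added example of such a hook, not the route53-ssl project's own code: it assumes the AWS CLI is installed and that the configured credentials are allowed route53:ListHostedZonesByName and route53:ChangeResourceRecordSets on your zone (both assumptions). Dehydrated invokes it as ./hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE; the sample domain blog.example.uk is constructed.

```shell
#!/usr/bin/env bash
# Added example of a dehydrated hook for the dns-01 challenge on Route 53.
# Not the route53-ssl project's own hook. Assumes the AWS CLI is installed and
# its credentials may list hosted zones and change record sets in the zone.
set -euo pipefail

# Candidate zone names for a host, longest first: blog.example.uk -> example.uk
zone_candidates() {
  local d="$1"
  while [[ "$d" == *.* ]]; do
    echo "$d"
    d="${d#*.}"
  done
}

# Resolve a domain to the id of the hosted zone that contains it.
hosted_zone_id() {
  local cand id
  for cand in $(zone_candidates "$1"); do
    id=$(aws route53 list-hosted-zones-by-name --dns-name "$cand." \
           --query "HostedZones[?Name=='$cand.'].Id | [0]" --output text)
    if [ -n "$id" ] && [ "$id" != "None" ]; then
      echo "${id#/hostedzone/}"
      return 0
    fi
  done
  echo "hook: no Route 53 hosted zone found for $1" >&2
  return 1
}

# Route 53 change batch for the _acme-challenge TXT record.
# $1 = UPSERT|DELETE, $2 = domain, $3 = token value (the TXT payload).
# TXT values must be double-quoted inside the JSON string, hence the \" escapes.
build_change_batch() {
  local action="$1" domain="$2" token="$3"
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"_acme-challenge.%s.","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' \
    "$action" "$domain" "$token"
}

# Apply the change and block until Route 53 reports it INSYNC, so the CA's
# resolver can see the record before dehydrated asks for validation.
change_record() {
  local action="$1" domain="$2" token="$3" zone change_id
  zone=$(hosted_zone_id "$domain")
  change_id=$(aws route53 change-resource-record-sets --hosted-zone-id "$zone" \
                --change-batch "$(build_change_batch "$action" "$domain" "$token")" \
                --query ChangeInfo.Id --output text)
  aws route53 wait resource-record-sets-changed --id "$change_id"
}

# dehydrated passes the hook name first; only the two challenge hooks matter here.
hook_main() {
  case "${1:-}" in
    deploy_challenge) change_record UPSERT "$2" "$4" ;;
    clean_challenge)  change_record DELETE "$2" "$4" ;;
    *) ;;  # deploy_cert, unchanged_cert, exit_hook, ...: nothing to do in this hook
  esac
}

hook_main "$@"
```

Point dehydrated at it with ./dehydrated --cron --challenge dns-01 --hook ./hook.sh --domain blog.example.uk. The clean_challenge step deletes the record again, so the only thing left in your zone afterwards is your own records; the IAM policy behind those credentials should be scoped to that one hosted zone, since whoever holds them can answer ACME challenges for every name in it.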
That's it. Now you have a certificate in the certs/ directory. Just the small matter of using it.
Apache:
SSLEngine On
SSLCertificateFile $cloned_dir/ssl-autobot/certs/sample.example.com/fullchain.pem
SSLCertificateKeyFile $cloned_dir/ssl-autobot/certs/sample.example.com/privkey.pem
nginx:
server {
    listen 443 ssl;
    ssl_certificate $cloned_dir/ssl-autobot/certs/sample.example.com/fullchain.pem;
    ssl_certificate_key $cloned_dir/ssl-autobot/certs/sample.example.com/privkey.pem;
    ...
}
Now reload nginx/Apache and you are good to go.
To check: hit F12, then go to Security > Overview > View certificate.
If you see Issued by: Let's Encrypt Authority XX, then you are golden.
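The same check from the command line, run against the certificate file dehydrated wrote rather than through the browser, plus the renewal-window check that RENEW_DAYS in the help text above refers to. This is an added example, not from the post; it assumes openssl is installed and that date is either GNU or BSD date. The path below is the post's sample path.

```shell
#!/usr/bin/env bash
# Added example: verify issuer and remaining validity of a PEM certificate.
# Assumes openssl is installed and GNU or BSD date is available.
set -euo pipefail

# Issuer line, e.g. "issuer=C = US, O = Let's Encrypt, CN = R3"
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Whole days until the certificate expires (negative once it has expired).
cert_days_left() {
  local end now
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  # GNU date first, BSD date as the fallback
  end=$(date -d "$end" +%s 2>/dev/null || date -j -f "%b %e %T %Y %Z" "$end" +%s)
  now=$(date +%s)
  echo $(( (end - now) / 86400 ))
}

# Returns 0 when the issuer is Let's Encrypt and more than $2 days remain,
# 1 on an unexpected issuer, 2 when the certificate is inside the renewal window.
check_cert() {
  local pem="$1" renew_days="${2:-30}" issuer days
  issuer=$(cert_issuer "$pem")
  days=$(cert_days_left "$pem")
  case "$issuer" in
    *"Let's Encrypt"*) echo "issuer OK: $issuer" ;;
    *) echo "unexpected issuer: $issuer"; return 1 ;;
  esac
  if [ "$days" -le "$renew_days" ]; then
    echo "certificate expires in $days days: renew now"
    return 2
  fi
  echo "certificate valid for $days more days"
}

# Usage with the post's sample path (only runs when the file exists):
if [ -f "${cloned_dir:-.}/ssl-autobot/certs/sample.example.com/fullchain.pem" ]; then
  check_cert "${cloned_dir:-.}/ssl-autobot/certs/sample.example.com/fullchain.pem" 30
fi
```

Let's Encrypt certificates are valid for 90 days, so a check like this belongs in the same cron job as ./dehydrated --cron: the non-zero exit code is what you alert on, not the browser padlock.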
Let me know if you have questions below thanks!