Free SSL Certificate using ACME Protocol Let’s Encrypt on AWS Free Tier.

by kenichi (@kenichishibata), June 15th, 2017


One day you are setting up a new website for your personal blog, as part of the ‘online profile’ or resume you hope will get you noticed by employers. You are broke, so you decided to try out AWS services, which are free for one year, to host your new blog. You created the website templates, set up the NGINX/Apache web server and the database, used Route 53 as your DNS and any Linux as your OS, and installed all the other dependencies your blog needs to run. Route 53 offers a $9 TLD domain for .uk.

See the full list of prices for Route 53 domain registration below:

You were running the $9 USD .uk domain.

Then, after a month of handing out your resume and applying on job boards, you got a response. The response reads: ‘I love your blog, but just a suggestion: why not use HTTPS to show off your skills? After all, it’s 2017 and everyone needs to have security online. Also, I’m getting this screen whenever I try to visit your site.’

Ahm, OK. You thought to yourself, ‘Basically I need to add security, right?’ Piece of cake!

You dig around the internet to see which sites can give you a free SSL certificate, since you are broke and could not afford your next lunch if you bought one.

What to do? Let’s use Let’s Encrypt, which issues certificates over the ACME protocol.


Let's Encrypt - Free SSL/TLS Certificates: Let's Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security… (https://letsencrypt.org)

Since we are using Route 53, we can use the DNS challenge (dns-01) to prove that we control the domain. We can use certbot:


Certbot: Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates. (https://certbot.eff.org)

Drilling through the docs, however, you were unable to find a trivial way to do the DNS challenge using AWS Route 53.

Uhm some help?

Dehydrated to the rescue

Dehydrated wraps the complexity of the ACME protocol in a command-line bash script that makes retrieving your SSL/TLS certificate from Let’s Encrypt easier.


lukas2511/dehydrated: letsencrypt/acme client implemented as a shell-script - just add water (https://github.com/lukas2511/dehydrated)

Simple enough right?

Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:
 --register                       Register account key
 --cron (-c)                      Sign/renew non-existant/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem   Revoke specified certificate
 --cleanup (-gc)                  Move unused certificate files to archive directory
 --help (-h)                      Show help text
 --env (-e)                       Output configuration variables for use in other scripts

Parameters:
 --accept-terms                   Accept CAs terms of service
 --full-chain (-fc)               Print full chain when using --signcsr
 --ipv4 (-4)                      Resolve names to IPv4 addresses only
 --ipv6 (-6)                      Resolve names to IPv6 addresses only
 --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
 --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
 --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
 --lock-suffix example.com        Suffix lockfile name with a string (useful for with -d)
 --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
 --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config     Use specified config file
 --hook (-k) path/to/hook.sh      Use specified script for hooks
 --out (-o) certs/directory       Output certificates into the specified directory
 --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
 --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1

Ahm not so much. Dehydrated gives you lots of options and flexibility out of the box.

Current features:

  • Signing of a list of domains
  • Signing of a CSR
  • Renewal if a certificate is about to expire or SAN (subdomains) changed
  • Certificate revocation

The trade-off is that it takes longer to understand how it fits into your application. So how do we proceed from here?

Route53-SSL

To make integrating your application with the Route 53 DNS challenge easy, I built a small library that wraps the steps for you.


kenichi-shibata/route53-ssl: Generate FREE! SSL certificate for AWS Route 53 use with Let's Encrypt Acme protocol (https://github.com/kenichi-shibata/route53-ssl)

How to use it?

git clone https://github.com/kenichi-shibata/route53-ssl
cd route53-ssl   # the remaining commands run from the cloned directory

# Add your IAM Access Key and Secret Key to the .aws directory inside the cloned route53-ssl

# Accept Dehydrated's terms and register the account key
./dehydrated --register --accept-terms

./start.sh   # answer the questions; the certificate will be in the certs/{domain} directory
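For readers who want to see what the dns-01 step actually does underneath, this is a dehydrated hook script for Route 53, written here as an added example; it is not route53-ssl's own code, and it assumes the AWS CLI is installed, that the IAM key in the .aws directory can change records in the hosted zone, and that nginx runs under systemd.

```shell
#!/bin/sh
# dehydrated hook for the dns-01 challenge on Route 53 (added example, not
# the route53-ssl project's own hook). Run it as:
#   ./dehydrated -c -t dns-01 -k ./route53-hook.sh
# Assumes the AWS CLI is installed and its credentials come from ~/.aws or
# the environment; that IAM key needs only route53:ListHostedZonesByName,
# route53:ChangeResourceRecordSets (on the zone) and route53:GetChange.
set -eu
# Record name dehydrated expects the TXT value to be published under.
record_name() { printf '_acme-challenge.%s.' "$1"; }

# Build the change batch JSON. $1 = UPSERT|DELETE, $2 = domain, $3 = TXT value
# (dehydrated already hands us the base64url digest for dns-01, so no hashing).
change_batch() {
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' \
    "$1" "$(record_name "$2")" "$3"
}

# Walk up the labels (blog.example.com -> example.com -> com) until a hosted
# zone with exactly that name exists; prints the bare zone id.
find_zone_id() {
  d="$1"
  while [ -n "$d" ]; do
    id=$(aws route53 list-hosted-zones-by-name --dns-name "$d" --max-items 1 \
           --query "HostedZones[?Name=='${d}.'].Id | [0]" --output text)
    if [ -n "$id" ] && [ "$id" != "None" ]; then printf '%s' "${id#/hostedzone/}"; return 0; fi
    case "$d" in *.*) d="${d#*.}" ;; *) d="" ;; esac
  done
  echo "no hosted zone found for $1" >&2; return 1
}

# $1 = action, $2 = domain, $3 = value. Waits until the change is INSYNC so the
# CA does not look up the record before Route 53 has propagated it.
apply_change() {
  zone=$(find_zone_id "$2")
  change_id=$(aws route53 change-resource-record-sets --hosted-zone-id "$zone" \
    --change-batch "$(change_batch "$1" "$2" "$3")" --query 'ChangeInfo.Id' --output text)
  aws route53 wait resource-record-sets-changed --id "$change_id"
}

# dehydrated calls: HANDLER DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() { apply_change UPSERT "$1" "$3"; }
clean_challenge()  { apply_change DELETE "$1" "$3"; }   # DELETE must match the record exactly
# dehydrated calls: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() { nginx -t && systemctl reload nginx; }   # assumes nginx under systemd
case "${1:-}" in
  deploy_challenge|clean_challenge|deploy_cert) h="$1"; shift; "$h" "$@" ;;
  *) ;;   # other stages (unchanged_cert, exit_hook, ...) need nothing here
esac
```

Leaving clean_challenge in place matters: a stale _acme-challenge TXT record is harmless to the CA but is one more record an attacker with zone access could confuse you with, and it clutters renewals.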

That’s it. Now you have a certificate in the certs/ directory. Just the little matter of using it.

Usage

Apache

SSLEngine On
SSLCertificateFile     $cloned_dir/ssl-autobot/certs/sample.example.com/fullchain.pem
SSLCertificateKeyFile  $cloned_dir/ssl-autobot/certs/sample.example.com/privkey.pem

Nginx

server {
    listen 443 ssl;
    ssl_certificate      $cloned_dir/ssl-autobot/certs/sample.example.com/fullchain.pem;
    ssl_certificate_key  $cloned_dir/ssl-autobot/certs/sample.example.com/privkey.pem;
    ...
}

Now reload nginx/apache and you are good to go.

To check

Hit F12, then go to Security > Overview > View certificate.

If you see Issued by: Let’s Encrypt Authority XX, then you are golden.

Let me know if you have questions below thanks!