aws:lambda:letsencrypt_wildcard

aws:lambda:letsencrypt_wildcard [2022/07/21 10:41] – created - external edit 127.0.0.1aws:lambda:letsencrypt_wildcard [2024/08/19 18:33] (current) – [Lambda Function Code] updating to use al2023 ami and correcting userdata variable formatting tingalls
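--- a/aws/lambda/letsencrypt_wildcard.txt
+++ b/aws/lambda/letsencrypt_wildcard.txt
@@ -116,5 +116,6 @@
     client_ec2 = boto3.client('ec2', region_name=region)
     client_sns = boto3.client('sns', region_name=region)
-    amzn2_ami_parameter = '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
+    #amzn2_ami_parameter = '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
+    amzn2_ami_parameter = '/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64'
     current_ami = client_ssm.get_parameter(Name=amzn2_ami_parameter)['Parameter']['Value']
     #print(current_ami)
@@ -134,61 +135,60 @@
     else:
         import_acm = 'No'
-    user_data = '''
-    #!/bin/bash
-    sudo yum -y install python3
-    sudo python3 -m ensurepip --upgrade
-    python3 -m pip install certbot-route53 certbot-dns-cloudflare --user
-    #pip3 install certbot-route53 --user
-    AWS_DEFAULT_REGION="{}"
-    DOMAINNAME="{}"
-    echo "$DOMAINNAME" > /root/certgen-$DOMAINNAME.log
-    CERTGENBUCKETNAME="{}"
-    SNSTOPICARN="{}"
-    IMPORT_ACM="{}"
-    CERT_REGION="us-east-1"
-    echo "$CERTGENBUCKETNAME" >> /root/certgen-$DOMAINNAME.log
-    if [[ $DNS_SERVICE == "cloudflare" ]]; then
-        echo "dns service is cloudflare" >> /root/certgen-$DOMAINNAME.log
-        echo "dns_cloudflare_api_token = $(aws --region $CERT_REGION ssm get-parameter --name /certgen/$DOMAINNAME/cloudflare --with-decryption --query 'Parameter.Value' --output text)" > /root/cloudflare.ini
-        chmod 600 /root/cloudflare.ini
-        /root/.local/bin/certbot --config-dir /root/certbot/config --work-dir /root/certbot/work --logs-dir /root/certbot/logs certonly --dns-cloudflare --dns-cloudflare-credentials /root/cloudflare.ini --dns-cloudflare-propagation-seconds 30 -d *.$DOMAINNAME,$DOMAINNAME -n --email hostmaster@$DOMAINNAME --no-eff-email --agree-tos  >> /root/certgen-$DOMAINNAME.log
-    fi
-    if [[ $DNS_SERVICE == "Route53" ]]; then
-        echo "dns service is Route53" >> /root/certgen-$DOMAINNAME.log
-        /root/.local/bin/certbot --config-dir /root/certbot/config --work-dir /root/certbot/work --logs-dir /root/certbot/logs certonly --dns-route53 --dns-route53-propagation-seconds 30 -d *.$DOMAINNAME,$DOMAINNAME -n --email hostmaster@$DOMAINNAME --no-eff-email --agree-tos  >> /root/certgen-$DOMAINNAME.log
-    fi
-    ls -l /root/certgen/config/live/$DOMAINNAME/ >> /root/certgen-$DOMAINNAME.log
-    P12PASSWORD="$(openssl rand -base64 32)"
-    openssl pkcs12 -export -inkey /root/certgen/config/live/$DOMAINNAME/privkey.pem -in /root/certgen/config/live/$DOMAINNAME/fullchain.pem -out /root/certgen/$DOMAINNAME.p12 -password pass:"$P12PASSWORD"
-    ## To encrypt and backup certbot configuration
-    # tar zcf - /root/certgen | openssl enc -e -aes256 -out /root/certgen.tar.gz -pass pass:"$P12PASSWORD"
-    ## To decrypt certbot configuration backup file
-    # openssl enc -d -aes256 -in /root/certgen.tar.gz -pass pass:"$P12PASSWORD" | tar zxv
-    aws --region $CERT_REGION ssm put-parameter --name /certgen/$DOMAINNAME/p12password --value "$P12PASSWORD" --type SecureString --overwrite  >> /root/certgen-$DOMAINNAME.log
-    aws --region $CERT_REGION s3 cp /root/certgen/$DOMAINNAME.p12 s3://$CERTGENBUCKETNAME/$DOMAINNAME/$DOMAINNAME.p12 >> /root/certgen-$DOMAINNAME.log
-    ## To backup encrypted certbot configuration file
-    # aws --region $CERT_REGION s3 cp /root/certgen.tar.gz s3://$CERTGENBUCKETNAME/$DOMAINNAME/certgen-$DOMAINNAME.tar.gz >> /root/certgen-$DOMAINNAME.log
-    if [[ $IMPORT_ACM == "Yes" ]]; then
-        CERT_ARN=$(aws --region $CERT_REGION acm list-certificates --query 'CertificateSummaryList[?DomainName==`'*.$DOMAINNAME'`].CertificateArn' --output text)
-        echo $CERT_ARN  >> /root/certgen-$DOMAINNAME.log
-        if [[ $CERT_ARN != "" ]]; then
-            echo "Existing certificate for $DOMAINNAME was found with ARN $CERT_ARN. Updating." >> /root/certgen-$DOMAINNAME.log
-            aws --region $CERT_REGION acm import-certificate \
+    user_data = '''#!/bin/bash
+sudo yum -y install python3
+sudo python3 -m ensurepip --upgrade
+python3 -m pip install certbot-route53 certbot-dns-cloudflare --user
+#pip3 install certbot-route53 --user
+AWS_DEFAULT_REGION="{}"
+DOMAINNAME="{}"
+echo "$DOMAINNAME" > /root/certgen-$DOMAINNAME.log
+CERTGENBUCKETNAME="{}"
+SNSTOPICARN="{}"
+IMPORT_ACM="{}"
+CERT_REGION="us-east-1"
+echo "$CERTGENBUCKETNAME" >> /root/certgen-$DOMAINNAME.log
+if [[ $DNS_SERVICE == "cloudflare" ]]; then
+    echo "dns service is cloudflare" >> /root/certgen-$DOMAINNAME.log
+    echo "dns_cloudflare_api_token = $(aws --region $CERT_REGION ssm get-parameter --name /certgen/$DOMAINNAME/cloudflare --with-decryption --query 'Parameter.Value' --output text)" > /root/cloudflare.ini
+    chmod 600 /root/cloudflare.ini
+    /root/.local/bin/certbot --config-dir /root/certbot/config --work-dir /root/certbot/work --logs-dir /root/certbot/logs certonly --dns-cloudflare --dns-cloudflare-credentials /root/cloudflare.ini --dns-cloudflare-propagation-seconds 30 -d *.$DOMAINNAME,$DOMAINNAME -n --email hostmaster@$DOMAINNAME --no-eff-email --agree-tos  >> /root/certgen-$DOMAINNAME.log
+fi
+if [[ $DNS_SERVICE == "Route53" ]]; then
+    echo "dns service is Route53" >> /root/certgen-$DOMAINNAME.log
+    /root/.local/bin/certbot --config-dir /root/certbot/config --work-dir /root/certbot/work --logs-dir /root/certbot/logs certonly --dns-route53 --dns-route53-propagation-seconds 30 -d *.$DOMAINNAME,$DOMAINNAME -n --email hostmaster@$DOMAINNAME --no-eff-email --agree-tos  >> /root/certgen-$DOMAINNAME.log
+fi
+ls -l /root/certgen/config/live/$DOMAINNAME/ >> /root/certgen-$DOMAINNAME.log
+P12PASSWORD="$(openssl rand -base64 32)"
+openssl pkcs12 -export -inkey /root/certgen/config/live/$DOMAINNAME/privkey.pem -in /root/certgen/config/live/$DOMAINNAME/fullchain.pem -out /root/certgen/$DOMAINNAME.p12 -password pass:"$P12PASSWORD"
+## To encrypt and backup certbot configuration
+# tar zcf - /root/certgen | openssl enc -e -aes256 -out /root/certgen.tar.gz -pass pass:"$P12PASSWORD"
+## To decrypt certbot configuration backup file
+# openssl enc -d -aes256 -in /root/certgen.tar.gz -pass pass:"$P12PASSWORD" | tar zxv
+aws --region $CERT_REGION ssm put-parameter --name /certgen/$DOMAINNAME/p12password --value "$P12PASSWORD" --type SecureString --overwrite  >> /root/certgen-$DOMAINNAME.log
+aws --region $CERT_REGION s3 cp /root/certgen/$DOMAINNAME.p12 s3://$CERTGENBUCKETNAME/$DOMAINNAME/$DOMAINNAME.p12 >> /root/certgen-$DOMAINNAME.log
+## To backup encrypted certbot configuration file
+# aws --region $CERT_REGION s3 cp /root/certgen.tar.gz s3://$CERTGENBUCKETNAME/$DOMAINNAME/certgen-$DOMAINNAME.tar.gz >> /root/certgen-$DOMAINNAME.log
+if [[ $IMPORT_ACM == "Yes" ]]; then
+    CERT_ARN=$(aws --region $CERT_REGION acm list-certificates --query 'CertificateSummaryList[?DomainName==`'*.$DOMAINNAME'`].CertificateArn' --output text)
+    echo $CERT_ARN  >> /root/certgen-$DOMAINNAME.log
+    if [[ $CERT_ARN != "" ]]; then
+        echo "Existing certificate for $DOMAINNAME was found with ARN $CERT_ARN. Updating." >> /root/certgen-$DOMAINNAME.log
+        aws --region $CERT_REGION acm import-certificate \
             --certificate file:///root/certgen/config/live/$DOMAINNAME/cert.pem \
             --private-key file:///root/certgen/config/live/$DOMAINNAME/privkey.pem \
             --certificate-chain file:///root/certgen/config/live/$DOMAINNAME/chain.pem \
             --certificate-arn $CERT_ARN >> /root/certgen-$DOMAINNAME.log
-        else
-            echo "Existing certificate for $DOMAINNAME was not found. Importing." >> /root/certgen-$DOMAINNAME.log
-            aws --region $CERT_REGION acm import-certificate \
+    else
+        echo "Existing certificate for $DOMAINNAME was not found. Importing." >> /root/certgen-$DOMAINNAME.log
+        aws --region $CERT_REGION acm import-certificate \
             --certificate file:///root/certgen/config/live/$DOMAINNAME/cert.pem \
             --private-key file:///root/certgen/config/live/$DOMAINNAME/privkey.pem \
             --certificate-chain file:///root/certgen/config/live/$DOMAINNAME/chain.pem >> /root/certgen-$DOMAINNAME.log
-        fi
     fi
-    aws --region $CERT_REGION s3 cp /root/certgen-$DOMAINNAME.log s3://$CERTGENBUCKETNAME/certgen-$DOMAINNAME.log
-    aws --region us-east-1 sns publish --topic-arn $SNSTOPICARN --subject "Status $DOMAINNAME" --message file:///root/certgen-$DOMAINNAME.log
-    sleep 60
-    sudo shutdown -h now
+fi
+aws --region $CERT_REGION s3 cp /root/certgen-$DOMAINNAME.log s3://$CERTGENBUCKETNAME/certgen-$DOMAINNAME.log
+aws --region us-east-1 sns publish --topic-arn $SNSTOPICARN --subject "Status $DOMAINNAME" --message file:///root/certgen-$DOMAINNAME.log
+sleep 60
+sudo shutdown -h now
     '''.format(region, domain_name, certgen_bucket, sns_topic_arn, import_acm)
     temp_instance_paramaters = {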
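Review bot: `$DNS_SERVICE` is tested on the new side of the `if [[ $DNS_SERVICE == "cloudflare" ]]; then` and `if [[ $DNS_SERVICE == "Route53" ]]; then` lines but is never assigned in the user-data, and the `'''.format(region, domain_name, certgen_bucket, sns_topic_arn, import_acm)` call only fills the five `{}` placeholders that do exist, so unless the value reaches the instance by some path not shown here both certbot branches are skipped and the later `openssl pkcs12` step runs against files that were never issued; add `DNS_SERVICE="{}"` beside `IMPORT_ACM="{}"` and pass the matching argument in `.format(...)`. The paths also disagree: certbot is given `--config-dir /root/certbot/config`, while `ls`, `openssl pkcs12` and the ACM import read `/root/certgen/config/live/$DOMAINNAME/`, so unless something outside this hunk links the two directories one of them should be renamed. On the Cloudflare branch the API token is written with `echo ... > /root/cloudflare.ini` before the `chmod 600`, so the file is created under the default umask; putting `umask 077` at the top of the script (or `install -m 600 /dev/null /root/cloudflare.ini` before the write) keeps the secret from ever being readable by other users on the instance. None of the commands are exit-checked, so a failed certbot run still uploads an empty `.p12` and publishes a "Status" message; a `set -euo pipefail` after the shebang, or `|| exit 1` on the certbot and openssl lines, would make the failure visible in the log instead. In the first hunk the SSM parameter now points at an AL2023 image but is still held in `amzn2_ami_parameter`; renaming it (for example to `ami_parameter`) would stop the name contradicting the value.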