Nerdy Drunk

Drunk on technology

User Tools

Site Tools

You are here: start » general » letsencrypt

Sidebar

Topics

Topic Search


Home Lab
About Me


Twitter @taingalls


Subject Matter Expert Specialty Advanced Networking Specialty Security Specialty Data Analytics Specialty Machine Learning Specialty Database Specialty SAP on AWS Specialty Solutions Architect Professional DevOps Engineer Professional SysOps Administrator Associate Solutions Architect Associate Developer Associate Cloud Practitioner

Mastodon twit.social/@taingalls
general:letsencrypt

Table of Contents

Let's Encrypt Certbot

,

AWS CloudFront S3 Bucket

Make sure you that you have python 2.7 and pip installed. You will need to make sure that you have a user or EC2 instance IAM role with sufficient policy permissions. https://github.com/dlapiduz/certbot-s3front/blob/master/sample-aws-policy.json

Install certbot with s3front plugin and the awscli; 

$ pip install --user certbot certbot-s3front awsli

Make sure that botocore is upgraded; 

$ pip install --upgrade botocore --user

When I first ran certbot I received an error; 

KeyError: 'IAMCertificateId'

Before certbot successfully ran I had to replace a line in installer.py.
File and location: 

/home/ec2-user/.local/lib/python2.7/site-packages/certbot_s3front/installer.py

Incorrect line that needs to be replaced: 

if cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:

Correct line: 

if 'IAMCertificateId' in cf_cfg['DistributionConfig']['ViewerCertificate'] and cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:

Based on comments of the reported issue on github it sounds like this error will be resolved in a future version of the certbot plugin. https://github.com/dlapiduz/certbot-s3front/issues/76#issuecomment-416308584

Run certbot to obtain SSL certificate and install it on your CloudFront distribution; 

certbot --agree-tos -a certbot-s3front:auth --certbot-s3front:auth-s3-bucket SITE.DOMAIN.TLD --certbot-s3front:auth-s3-region us-east-2 -i certbot-s3front:installer --certbot-s3front:installer-cf-distribution-id CFDISTRIBUTIONID -d SITE.DOMAIN.TLD --config-dir ~/.lecbs3 --work-dir ~/.lecbs3 --logs-dir ~/.lecbs3 --email [email protected] --no-eff-email

To automate renewal add the following; 

--renew-by-default --text

If you want the original install instructions you can find them on the github site for the plugin. https://github.com/dlapiduz/certbot-s3front

Wildcard with Route53

Make sure you have sufficient permissions to Route53. https://certbot-dns-route53.readthedocs.io/en/stable/#sample-aws-policy-json

Install certbot with s3front plugin and the awscli; 

$ pip install --user certbot certbot-route53 awscli

Run certbot to obtain the wildcard cert and allow it to create and remove the needed Route53 records. 

certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d *.DOMAIN.TLD,DOMAIN.TLD --config-dir ~/.lecbs3 --work-dir ~/.lecbs3 --logs-dir ~/.lecbs3 -n --email [email protected] --no-eff-email --agree-tos
general/letsencrypt.txt · Last modified: 2022/07/21 10:41 by 127.0.0.1

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki