Ercan Ermis

notes for everyone


Issue a Let’s Encrypt SSL with the AWS Route53

Posted on July 16, 2022 by Ercan

Hello,

In this article I want to show you how to issue a Let’s Encrypt SSL certificate using the AWS Route53 service. Let’s get started.

What is Let’s Encrypt?

Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security encryption at no charge. This means you can get a FREE SSL certificate for your project/app; the certificate is valid for 90 days, so you need some automation to renew it automatically.

What is AWS Route53?

Amazon Route 53 is a scalable and highly available Domain Name System service. Released on December 5, 2010, it is part of Amazon.com’s cloud computing platform, Amazon Web Services. You can register a new domain, transfer your existing domain, or just use its DNS management for a domain registered elsewhere.

For this article I’ll use one of my domains, which is registered with Google Domains; I decided to use Route53 only for DNS management. Note that the hosted zone must be a public hosted zone on Route53. My domain is “ermis.email”; feel free to check the NS records for it : )

Why am I using Route 53 to issue a Let’s Encrypt SSL?

When you request a new SSL certificate from Let’s Encrypt, certbot sends a request to the Let’s Encrypt servers, and I don’t want to send and receive an HTTP (insecure) request outside of AWS to get an encryption certificate : ) I think it’s a little bit weird and may cause some security problems.

Alternatively, maybe you just need an SSL certificate and don’t want to bind it directly to nginx, Apache, or any other web server. It’s also more convenient and faster, and easier to automate this way.

IAM Policy

I decided to use an AWS EC2 instance to issue the certificate directly inside AWS. First of all, we need to create an IAM Policy that allows this operation to access Route53. My EC2 instance has an Elastic IP, which lets me make the IAM Policy more secure by restricting access to the Route53 resources to that source IP. You can’t use this policy as an IAM Role; I configured it for aws-cli operations with a specific profile named “certbot-route53”. Here is an example IAM Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CertbotRoute53",
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZones"
            ],
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "3.92.136.59/32"
                }
            }
        },
        {
            "Sid": "CertbotRoute531",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/Z01859902ZBFBUXJ0AV3J",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "3.92.136.59/32"
                }
            }
        }
    ]
}
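Before attaching a policy like the one above, it is worth checking that it really is as tightly scoped as intended. The following is an added example, not code from the post: it builds the same policy shape from a zone id and a source IP (the values shown above) and lints it against the three Route53 actions certbot-dns-route53 needs; the lint rules are my own reading of that requirement, not an AWS or certbot API.

```python
"""Build and lint the IAM policy for certbot-dns-route53 (added example, not from the post).
Zone id and source IP below are the ones shown in the post; other inputs are constructed."""
import json

# Actions the certbot-dns-route53 plugin needs for the DNS-01 challenge.
NEEDED = {"route53:ListHostedZones", "route53:GetChange", "route53:ChangeResourceRecordSets"}


def certbot_policy(zone_id, source_ip):
    """Least-privilege policy in the same shape as the post's example."""
    cond = {"IpAddress": {"aws:SourceIp": source_ip}}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CertbotRoute53", "Effect": "Allow", "Resource": "*", "Condition": cond,
         "Action": ["route53:GetChange", "route53:ListHostedZones"]},
        {"Sid": "CertbotRoute531", "Effect": "Allow", "Condition": cond,
         "Action": "route53:ChangeResourceRecordSets",
         "Resource": f"arn:aws:route53:::hostedzone/{zone_id}"}]}


def _as_list(value):
    # IAM allows a string or a list in Action/Resource/Condition values.
    return value if isinstance(value, list) else [value]


def lint_certbot_policy(policy):
    """Return findings; an empty list means the policy is scoped the way the post intends."""
    findings, granted = [], set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "?")
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        granted.update(actions)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action grants more than certbot needs")
        if "route53:ChangeResourceRecordSets" in actions and any(
                not r.startswith("arn:aws:route53:::hostedzone/") for r in resources):
            findings.append(f"{sid}: record changes are not limited to a hosted zone ARN")
        ips = _as_list(st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", []))
        if not ips:
            findings.append(f"{sid}: no aws:SourceIp condition, usable from any IP")
        elif any(not ip.endswith("/32") for ip in ips):
            findings.append(f"{sid}: aws:SourceIp is wider than a single host")
    for extra in sorted(granted - NEEDED):
        findings.append(f"policy grants {extra}, which certbot-dns-route53 does not need")
    for missing in sorted(NEEDED - granted):
        findings.append(f"policy lacks {missing}, which certbot-dns-route53 requires")
    return findings


if __name__ == "__main__":
    good = certbot_policy("Z01859902ZBFBUXJ0AV3J", "3.92.136.59/32")
    print(json.dumps(good, indent=4))
    print(lint_certbot_policy(good))  # [] for the post's policy
```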

My mail server’s DNS name is “hermes.ermis.email”, and its A record points to 3.65.142.23 with Simple Routing. I’ll request a Let’s Encrypt SSL certificate for “hermes.ermis.email”. My domain’s TLD is not com/net/org, so it may look different, but that’s not a problem. It’s just a domain and DNS : )

Requirements for EC2

If you are running on a freshly launched instance with an official Amazon Linux 2 AMI, you should install some prerequisites. First of all, we need to enable the EPEL repository to install certbot and the certbot-dns-route53 plugin. Let’s do it with a single command!

# amazon-linux-extras install -y epel && yum install -y certbot python2-certbot-dns-route53

Let’s Issue!

You can check my issuing command below.

# export AWS_PROFILE=certbot-route53; \
> certbot certonly --dns-route53 \
> --agree-tos \
> -m [email protected] \
> --non-interactive \
> -d hermes.ermis.email

One Last Thing

Don’t forget to set up a cron job that checks whether the SSL certificate needs renewal. You can use the command below in your cron.

00 00 * * * export AWS_PROFILE=certbot-route53; certbot renew -q

Thank you for reading my article, I hope you enjoyed it!

©2022 Ercan Ermis | Built using WordPress and Responsive Blogily theme by Superb