@bvanderlugt
Created August 15, 2017 19:32
Set up letsencrypt certs manually on aws

Manually set up letsencrypt certs on AWS

Create an AWS EC2 instance, a Route 53 record for the domain, and an ELB. While the certificate is being issued the record must resolve to the instance itself, because that is where the validation request (plain HTTP, port 80) will be answered; point it at the ELB afterwards.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Run the CLI tool. Note the --debug flag: Amazon Linux was still an experimental platform for letsencrypt-auto at the time of writing, and the script refuses to run there without it.

./letsencrypt-auto certonly --manual --debug

Enter the domain names you want certs for, separated by commas or spaces.

Accept that the IP address of the machine running the client will be publicly logged (the --manual plugin will not continue otherwise).

Now you are given a challenge to complete (HTTP-01). It proves to Let's Encrypt that you control the domain, not just a server: the CA fetches http://DOMAIN/.well-known/acme-challenge/TOKEN over port 80 and expects the response body to be exactly the key authorization string certbot prints. The way I completed this was to install node and http-server.

curl --silent --location https://rpm.nodesource.com/setup_7.x | sudo bash -
sudo yum -y install nodejs

(This pipes a remote script straight into a root shell. Download it and read it first if that bothers you; it should.)

Install http-server.

sudo npm install http-server -g

Now create the directory location letsencrypt specified, under the directory you are going to serve from.

mkdir -p .well-known/acme-challenge/[SOME-NAME]/

Create a file containing exactly the data certbot showed and serve it on port 80. Stay in the directory that contains .well-known when you start the server, so that the URL path /.well-known/acme-challenge/[SOME-NAME] maps onto the file; serving from inside the token directory only exposes it at / and validation fails. Binding port 80 needs root, hence sudo. (http-server answers the directory URL with a redirect to the trailing-slash form and then serves index.html; the ACME validator follows the redirect. Writing the data to a plain file named [SOME-NAME] instead of a directory with index.html avoids the redirect altogether.)

echo '[SOME-DATA]' > .well-known/acme-challenge/[SOME-NAME]/index.html
sudo http-server -p 80

Make sure to open port 80 on your instance via security groups: inbound TCP 80 from 0.0.0.0/0, because the validation requests come from Let's Encrypt's own servers, whose addresses are not fixed. Then go back to the certbot prompt and press Enter. The certificate, chain and private key land in /etc/letsencrypt/live/DOMAIN/. Close port 80 again once issuance has succeeded.
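An added example, not part of the gist, that lays the HTTP-01 response out the way the validator expects it and checks it before you press Enter. It writes the key authorization to a plain file named after the token instead of a directory with index.html, and serves it with a stock Python interpreter so node is not needed. TOKEN and KEYAUTH values below are constructed placeholders; substitute the ones certbot prints. Serving and the curl check need a real host and are not exercised by the self-check.

```shell
#!/bin/sh
# Added example, not from the gist: prepare and verify an ACME HTTP-01
# challenge response. Token and key authorization values are placeholders.

# Write the key authorization to <webroot>/.well-known/acme-challenge/<token>.
# The validator requests exactly that path, so the token must name a *file*
# whose body is the key authorization, byte for byte.
prepare_challenge() {
  webroot=$1 token=$2 keyauth=$3
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  # printf, not echo: no backslash interpretation, no implicit newline.
  printf '%s' "$keyauth" > "$dir/$token"
  chmod 644 "$dir/$token"
  printf '%s\n' "$dir/$token"
}

# Compare what the file holds with what certbot expects. 0 on match, 1 otherwise.
check_challenge_file() {
  path=$1 keyauth=$2
  [ "$(cat "$path")" = "$keyauth" ]
}

# Fetch through the public URL the way Let's Encrypt will: plain HTTP on port
# 80, redirects followed. Needs curl and a running server; not run by the test.
check_challenge_url() {
  domain=$1 token=$2 keyauth=$3
  got=$(curl -sSL --max-time 10 "http://$domain/.well-known/acme-challenge/$token") || return 1
  [ "$got" = "$keyauth" ]
}

# Serve the webroot on port 80 without installing node. Binding port 80 needs
# root. 'python3 -m http.server' exists from Python 3.x; on a box with only
# Python 2 use 'sudo python -m SimpleHTTPServer 80' from inside the webroot.
serve_challenge() {
  webroot=$1
  cd "$webroot" && sudo python3 -m http.server 80
}

# Typical run (assumed values):
#   p=$(prepare_challenge "$HOME/acme-www" TOKEN TOKEN.THUMBPRINT)
#   check_challenge_file "$p" TOKEN.THUMBPRINT && serve_challenge "$HOME/acme-www" &
#   check_challenge_url test.blairvanderlugt.com TOKEN TOKEN.THUMBPRINT && echo ok
```

Run check_challenge_url from a machine outside the VPC before pressing Enter in certbot; if it fails there, the security group or the DNS record is the problem, not the file.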

If your EC2 instance has an IAM role (instance profile) that allows iam:UploadServerCertificate, you can upload directly from the instance.

Otherwise copy the certificate files to your workstation and upload them to IAM from there. The private key travels with them, so use scp, not a pastebin, and delete the local copy once it is uploaded.

/etc/letsencrypt/live/ holds symlinks into archive/, hence cp -L. The copies are still owned by root with privkey.pem at mode 0600, so chown them before scp as ec2-user can read them.

sudo cp -L -r /etc/letsencrypt/live/test.blairvanderlugt.com/ ~
sudo chown -R ec2-user:ec2-user ~/test.blairvanderlugt.com
scp -i ~/Downloads/letsencrypt-test.pem -r ec2-user@34.213.69.216:test.blairvanderlugt.com/ .

Note: the IAM console has no UI for server certificates, so you have to use the CLI. (IAM server certificates are the legacy store; AWS now steers you to ACM, which ELB can use too, but the steps below are what this gist covers.) Run this from inside the copied directory. cert.pem holds only the leaf certificate and chain.pem only the intermediates; do not pass fullchain.pem as the body, IAM rejects a body with more than one certificate.

aws iam upload-server-certificate --server-certificate-name NAME-OF-CERT \
                                    --certificate-body file://cert.pem \
                                    --certificate-chain file://chain.pem \
                                    --private-key file://privkey.pem
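An added example, not from the gist, of the checks worth running on the copied directory before the upload: that the body holds exactly one certificate, that the chain holds at least one, that privkey.pem actually belongs to cert.pem, and that the leaf is not about to expire. IAM only reports these at upload time, and a key mismatch on the ELB is a painful way to find out. The directory layout (cert.pem, chain.pem, privkey.pem) is certbot's; the function and variable names are mine, and the aws call at the end is assumed to be the one from the gist and is not run by the self-check.

```shell
#!/bin/sh
# Added example, not part of the gist: pre-flight a certbot output directory
# before 'aws iam upload-server-certificate'. Requires openssl.

# Number of PEM certificate blocks in a file (0 if none).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Does the private key's public half equal the certificate's public key?
# Both commands emit the SubjectPublicKeyInfo as PEM, so a string compare works.
key_matches_cert() {
  key=$1 cert=$2
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# Is the certificate still valid for at least $2 seconds (default 7 days)?
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-604800}" >/dev/null 2>&1
}

# Check a directory holding cert.pem, chain.pem and privkey.pem.
# Prints each problem found; returns 0 only if there are none.
check_bundle() {
  dir=$1 problems=0
  for f in cert.pem chain.pem privkey.pem; do
    [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f"; problems=$((problems+1)); }
  done
  [ "$problems" -eq 0 ] || return 1
  [ "$(pem_cert_count "$dir/cert.pem")" -eq 1 ] || {
    echo "cert.pem must hold exactly one certificate (did you pass fullchain.pem?)"
    problems=$((problems+1)); }
  [ "$(pem_cert_count "$dir/chain.pem")" -ge 1 ] || {
    echo "chain.pem holds no certificate"; problems=$((problems+1)); }
  key_matches_cert "$dir/privkey.pem" "$dir/cert.pem" || {
    echo "privkey.pem does not match cert.pem"; problems=$((problems+1)); }
  cert_not_expiring "$dir/cert.pem" || {
    echo "cert.pem expires within 7 days (or is unreadable)"; problems=$((problems+1)); }
  [ "$problems" -eq 0 ]
}

# Upload only if the bundle passes. Assumes the aws CLI is configured.
upload_to_iam() {
  dir=$1 name=$2
  check_bundle "$dir" || return 1
  aws iam upload-server-certificate --server-certificate-name "$name" \
    --certificate-body "file://$dir/cert.pem" \
    --certificate-chain "file://$dir/chain.pem" \
    --private-key "file://$dir/privkey.pem"
}

# Typical run: upload_to_iam ~/test.blairvanderlugt.com NAME-OF-CERT
```

A failed key_matches_cert almost always means the live/ directory was copied after a renewal rotated the key, or cert.pem and privkey.pem came from different domains' directories.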

Now your certificate is in IAM and can be assigned to the ELB and other AWS services that accept IAM server certificates.

Go to your ELB -> edit listener -> select HTTPS (443) -> under SSL Certificate select "change" -> "Choose an existing certificate from AWS Identity and Access Management (IAM)" -> select the certificate name from the previous step.

Don't forget to open the load balancer's security group to accept ingress on 443, and to allow the load balancer's security group to reach the instance on the backend port.

Done!