-
Install lego, a letsencrypt client
-
AWS Console: Create IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:ListHostedZonesByName"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/<INSERT_YOUR_HOSTED_ZONE_ID_HERE>"
]
}
]
}- AWS Console: Create user and attach the created policy to user
- Server: Create following systemd service (
letsencrypt_cert_update.service)
[Unit]
Description=let's encrypt ssl cert update
OnFailure=status-email-ssalonen-iki@%n.service
[Service]
Environment="AWS_REGION=eu-west-1"
Environment="AWS_ACCESS_KEY_ID=MY_ACCESS_KEY"
Environment="AWS_SECRET_ACCESS_KEY=MY_SECRET"
# If you add domains, remember to re-create the cert with "run" command (instead of renew)
ExecStart=/usr/bin/lego --accept-tos --pem --path /etc/letsencrypt/lego --email="my@email.om" --domains="bar.domain1.com" --domains "foo.domain1.com" --domains "foo2.domain1.com" --dns="route53" renew --days 30
- To renew certificates automatically, create timer (
letsencrypt_cert_update.timer) for the above service,
[Unit]
Description=letsencrypt_cert_update refresh timer
[Timer]
OnCalendar=0/3:00:00
Persistent=true
[Install]
WantedBy=timers.target
and enable and start it:
systemctl enable letsencrypt_cert_update.timer
systemctl start letsencrypt_cert_update.timer- Renew works only after
runcommand has been executed at least once:
/usr/bin/lego --accept-tos --pem --path /etc/letsencrypt/lego --email="my@email.om" --domains="bar.domain1.com" --domains "foo.domain1.com" --domains "foo2.domain1.com" --dns="route53" runRemember to call run when adding new --domains to the renew command.
Note that lego creates Multi-Domain (SAN) certificates when multiple --domains are passed