#Using LetsEncrypt SSL certificates on AWS
This is a document for managing the LetsEncrypt certificates on AWS for Cloudfront and Opsworks.
The following are instructions for using LetsEncrypt under Mac OS. It is for a single token for a single server.
It is an active project, so make sure you do a pull every so often.
mkdir -p ~/GitHub/Opensource2/ cd ~/GitHub/Opensource2/ git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt ./letsencrypt-auto --help
LetsEncrypt is currently built to be installed on a web-server and periodically, which is every 90 days, request certs. Since I am installing on AWS, my workaround is to install locally and then upload to AWS.
Basically what the LetsEncrypt script does is create a token in your local app's directory structure, then notifies the LetsEncrypt service, which then queries you server for the token. If successful, it generates your certificate in the
First, Configure your firewall to pass port 80 to your development machine. For instance, I am listening to port 80 and pushing via NAT to port 5556 of my rails app.
Second, ensure that you have any type of web-server running on the local machine and accessible via the above. I used the production rails app, but I was running it on my development machine.
###Obtaining the Certificate via LetsEncrypt
Creating certificates where
<fqdn> is the full domain name of the server, for which you want the cert.
./letsencrypt-auto certonly --webroot -w ~/<your app>/public/ -d <fqdn>
If all goes well, your certificate will be in
##Amazon Web Services
Uploading the certificate to AWS
The value for
--server-certificate-name <cert name> is just an arbitrary label you provide. It does not have to be the name of the server.
The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces. (http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html)
also, note the special CloudFront consideration
If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the
--pathoption. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/). (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs_manage.html#UploadSignedCert)
aws iam upload-server-certificate --server-certificate-name <cert name> --certificate-body file://cert1.pem --private-key file://privkey1.pem --certificate-chain file://lets-encrypt-x1-cross-signed.pem
updating the cert on AWS.
aws iam upload-server-certificate --server-certificate-name <cert name> --certificate-body file://cert1.pem --private-key file://privkey1.pem --certificate-chain file://lets-encrypt-x1-cross-signed.pem --path <cloudfront path name>
To use the certificates in your Rails app, configure the SSL Settings section.
##Useful Commands for managing certificates To see the list of certs that with expiration dates.
aws iam list-server-certificates --output text --query 'ServerCertificateMetadataList[*].[Expiration,ServerCertificateName]' | sort
To see the full detail of the cert.
aws iam get-server-certificate --server-certificate-name <cert name> --output text --query 'ServerCertificate.CertificateBody' | openssl x509 -text | less