@willpower232
Created January 22, 2018 10:35
Certbot with DNS verification and AWS route53 plugin
#!/bin/bash
# run these first to install certbot globally with the route53 plugin
# $ sudo apt install python-setuptools
# $ sudo easy_install pip
# $ sudo -H pip install certbot-dns-route53
# verify the route53 plugin is present
# $ certbot plugins
# now create some credentials from AWS and copy here
# - https://github.com/certbot/certbot/tree/master/certbot-dns-route53
# - https://github.com/certbot/certbot/blob/master/certbot-dns-route53/examples/sample-aws-policy.json
export AWS_ACCESS_KEY_ID="accesskeyhere"
export AWS_SECRET_ACCESS_KEY="secretkeyhere"
certbot certonly -n --agree-tos --email you@example.com --dns-route53 -d whatever.example.com -d whatever2.example.co.uk
# if you have used root keys, delete script from server and keys from AWS now
@willpower232 (Author)

If you are using this to create a wildcard certificate then you will need to append the following to the certbot command: --server https://acme-v02.api.letsencrypt.org/directory

https://community.letsencrypt.org/t/certbot-the-currently-selected-acme-ca-endpoint-does-not-support-issuing-wildcard-certificates/55667

@willpower232 (Author)

Please note that the renewal will expect the AWS credentials to be available, so it would be best to create a ~/.aws/credentials file with the permissions as follows:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZones"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/HOSTEDZONEID"
            ]
        }
    ]
}
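Before attaching a policy like the one above, it is worth checking that it really is that narrow. The following is an added example, not part of the gist: a small Python check that flags wildcard Route 53 actions, actions the dns-route53 plugin does not need, and ChangeResourceRecordSets granted on anything other than a named hosted zone ARN. The two sample policies are constructed here, and HOSTEDZONEID is a placeholder, as in the comment above.

```python
# Least-privilege check for the IAM policy a certbot-dns-route53 renewal uses.
# Added example, not part of the gist; the allowed action set is the one in
# the policy above (reads on any zone, record changes only on named zones).

READ_ACTIONS = {"route53:GetChange", "route53:ListHostedZones"}
WRITE_ACTION = "route53:ChangeResourceRecordSets"
ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/"


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def check_route53_policy(policy: dict) -> list:
    """Return findings for an IAM policy document; [] means it is as tight
    as the policy shown above."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in READ_ACTIONS and action != WRITE_ACTION:
                findings.append(f"statement {i}: unneeded action {action}")
        if WRITE_ACTION in actions:
            for res in _as_list(stmt.get("Resource", [])):
                if "*" in res or not res.startswith(ZONE_ARN_PREFIX):
                    findings.append(f"statement {i}: {WRITE_ACTION} on {res}; "
                                    f"scope it to {ZONE_ARN_PREFIX}<ID>")
    return findings


# Constructed sample: the policy from the comment above (HOSTEDZONEID is a
# placeholder for the real zone id).
TIGHT_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["route53:GetChange", "route53:ListHostedZones"]},
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": ["arn:aws:route53:::hostedzone/HOSTEDZONEID"]}]}

# Constructed sample of the shortcut to avoid: all of Route 53 on every zone.
LOOSE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "route53:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_POLICY), ("loose", LOOSE_POLICY)):
        print(name, check_route53_policy(policy) or "ok")
```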

@willpower232 (Author)

It's been a while, so after installing you can go for certbot certonly --dns-route53 -d *.example.com and follow the prompts if there are any; you don't need the mumbo jumbo to get the wildcard.

@willpower232 (Author)

Don't forget that webroot is still a valid way of doing things:

certbot certonly --webroot --webroot-path /org/websites/user/example.com/www/public_html/ -d example.com -d www.example.com

and that the order of the domains will be used for the directory name, so leave www. to the end 😉

@willpower232 (Author)

Some commands for upgrades:

sudo pip install --upgrade pip

pip list

sudo -H pip install certbot certbot-dns-route53 --upgrade

@willpower232 (Author)

Don't forget to use pip3, and if you're updating, you should apparently also run pip3 install requests --upgrade.
