My posts are usually notes and reference materials for myself, which I publish here with the hope that others might find them useful.
Like everyone else, I use Let's Encrypt certbot to obtain TLS certs for my domains. This post is about using certbot, but I also use AWS Route 53 to host my domains, which is nice for automating certificate renewal with the certbot-dns-route53 plugin. So this post is also about using the AWS CLI, to enable use of that plugin. Other plugins are available.
Running the Stable/LTS distributions of Debian/Ubuntu is the only sane approach for a production server. However, the version of certbot in Debian 10 (Buster) is stuck at 0.31, while the latest version (as of 11/2020) is
aws-cli is stuck at 1.16 while the latest version is
Docker containers to the rescue!
Instructions for installing Docker on Debian.
AWS documentation on using the official AWS CLI Docker image.
Certbot instructions "Running with Docker"
These instructions assume running as root.
0: Make sure Docker is working by following the official instructions (linked above) to add the official apt repository, install the Docker software, and run
1: Configure AWS credentials using the AWS CLI Docker image:
docker run --rm -it -v "/root/.aws:/root/.aws" amazon/aws-cli configure
2: Verify AWS credentials are working and have nominal access to Route 53:
docker run --rm -it -v "/root/.aws:/root/.aws" amazon/aws-cli route53 list-hosted-zones
3: Request a Let's Encrypt wildcard certificate using the certbot/dns-route53 Docker image, forwarding the AWS credentials:
docker run -it --rm --name certbot -v "/usr/bin:/usr/bin" -v "/root/.aws:/root/.aws" -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/dns-route53 certonly --dns-route53 --domain "example.com" --domain "*.example.com"
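Step 2 only proves that the credentials can list zones. The following Python is an added example (not code from the post or from the certbot-dns-route53 plugin) that takes the JSON printed by `route53 list-hosted-zones` in step 2 and confirms that every domain requested in step 3 is covered by a public hosted zone, choosing the zone with the longest matching suffix, which is what a DNS-01 client has to do before it can write the `_acme-challenge` TXT record. The sample output and the zone ids in it are constructed placeholders. Since the whole of /root/.aws is mounted into the certbot container, this is also the point to confirm that those credentials belong to an IAM identity limited to the three Route 53 actions the plugin needs (route53:ListHostedZones, route53:GetChange, route53:ChangeResourceRecordSets) rather than an account-wide key.

```python
import json

# Constructed sample of `aws route53 list-hosted-zones` output; zone ids are placeholders.
SAMPLE_OUTPUT = json.dumps({
    "HostedZones": [
        {"Id": "/hostedzone/ZEXAMPLEPUBLIC1", "Name": "example.com.",
         "Config": {"PrivateZone": False}, "ResourceRecordSetCount": 12},
        {"Id": "/hostedzone/ZEXAMPLESUB0001", "Name": "sub.example.com.",
         "Config": {"PrivateZone": False}, "ResourceRecordSetCount": 3},
        {"Id": "/hostedzone/ZEXAMPLEPRIVATE", "Name": "internal.example.com.",
         "Config": {"PrivateZone": True}, "ResourceRecordSetCount": 5},
    ]
})


def validation_name(domain):
    """DNS name under which the DNS-01 TXT record for `domain` must be created.
    '*.example.com' and 'example.com' are both validated at _acme-challenge.example.com."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain.rstrip(".").lower()


def find_hosted_zone(list_output, domain):
    """Return the id of the public hosted zone whose name is the longest suffix of the
    validation record name for `domain`, or None if no public zone covers it."""
    name = validation_name(domain)
    best = None  # (zone id, zone name) of the most specific match so far
    for zone in json.loads(list_output)["HostedZones"]:
        if zone.get("Config", {}).get("PrivateZone"):
            continue  # the ACME server resolves public DNS only; private zones never help
        zone_name = zone["Name"].rstrip(".").lower()
        if name == zone_name or name.endswith("." + zone_name):
            if best is None or len(zone_name) > len(best[1]):
                best = (zone["Id"], zone_name)
    return best[0] if best else None


def check_domains(list_output, domains):
    """Map each requested domain to the zone that will hold its challenge record;
    raise LookupError for any domain these credentials cannot validate."""
    result = {}
    for domain in domains:
        zone_id = find_hosted_zone(list_output, domain)
        if zone_id is None:
            raise LookupError(f"no public hosted zone covers {domain!r}")
        result[domain] = zone_id
    return result


if __name__ == "__main__":
    # Usage: docker run --rm -v "/root/.aws:/root/.aws" amazon/aws-cli route53 list-hosted-zones \
    #        | python3 check_zones.py example.com '*.example.com'
    import sys
    print(json.dumps(check_domains(sys.stdin.read(), sys.argv[1:]), indent=2))
```

If the check raises for a domain, the certonly run in step 3 would fail at the challenge stage anyway; catching it here avoids burning Let's Encrypt rate limits on a zone the credentials do not manage.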
4: Create a systemd timer to automate certificate renewal, then start the timer. (For the docker command, remove -it for non-interactive execution by systemd, and pass /usr/bin to the container to allow execution of
[Unit]
Description=Let's Encrypt certificate renewal

[Service]
Type=oneshot
ExecStart=docker run --rm --name certbot -v "/usr/bin:/usr/bin" -v "/root/.aws:/root/.aws" -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/dns-route53 renew --dns-route53 --quiet --agree-tos --deploy-hook "systemctl reload nginx"

[Unit]
Description=Monthly renewal of Let's Encrypt certificates

[Timer]
OnCalendar=monthly
RandomizedDelaySec=12 hours
Persistent=true

[Install]
WantedBy=timers.target
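The monthly timer leaves less headroom than it looks. A Let's Encrypt certificate is valid for 90 days and `certbot renew` only replaces it once 30 days or fewer remain, so the run has to fall inside a 30-day window; `OnCalendar=monthly` fires at 00:00 on the 1st, which puts up to 31 days between runs, and `RandomizedDelaySec=12 hours` can push the second of them later still. The Python below is an added example (not from the post) that models that scheduling and reports the worst-case time left on the certificate when renewal finally happens; a negative value means the site serves an expired certificate until the next run. It assumes certbot's default 30-day threshold, the 90-day lifetime, and the `00:00`/`12:00` twice-daily calendar used for comparison.

```python
from datetime import datetime, time, timedelta

LIFETIME = timedelta(days=90)       # validity period of a Let's Encrypt certificate
RENEW_BEFORE = timedelta(days=30)   # certbot's default: renew when <= 30 days remain


def next_monthly(t):
    """First firing of OnCalendar=monthly (00:00 on the 1st) at or after t."""
    if t.day == 1 and t.time() == time(0):
        return t
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return datetime(year, month, 1)


def next_twice_daily(t):
    """First firing of OnCalendar=*-*-* 00,12:00:00 at or after t."""
    midnight = datetime.combine(t.date(), time(0))
    for candidate in (midnight, midnight + timedelta(hours=12), midnight + timedelta(days=1)):
        if candidate >= t:
            return candidate
    raise ValueError("unreachable: one of the candidates is always >= t")


def worst_case_margin(issued, next_firing, max_delay):
    """Time left on the certificate when `certbot renew` first actually renews it,
    under the least favourable behaviour the timer allows: the run that could just
    have renewed starts with zero RandomizedDelaySec and finds the certificate not
    yet due, and the following run is delayed by the full RandomizedDelaySec.
    A negative result means the old certificate expires before it is replaced."""
    expiry = issued + LIFETIME
    due_from = expiry - RENEW_BEFORE
    renewing_run = next_firing(due_from) + max_delay
    return expiry - renewing_run


def min_margin_over_year(next_firing, max_delay, year=2021):
    """Try every hour of `year` as the issuance time and return the smallest margin,
    so the answer does not depend on when step 3 happened to be run."""
    t = datetime(year, 1, 1)
    worst = None
    while t.year == year:
        margin = worst_case_margin(t, next_firing, max_delay)
        if worst is None or margin < worst:
            worst = margin
        t += timedelta(hours=1)
    return worst


if __name__ == "__main__":
    jitter = timedelta(hours=12)  # RandomizedDelaySec=12 hours from the timer unit above
    for label, fn in (("OnCalendar=monthly", next_monthly),
                      ("OnCalendar=*-*-* 00,12:00:00", next_twice_daily)):
        print(f"{label:30s} worst-case margin: {min_margin_over_year(fn, jitter)}")
```

With the monthly calendar the worst case is a renewal 35 hours after expiry; even a certificate issued on 1 January renews 12 hours late. A twice-daily calendar with the same jitter never drops below 29 days of margin, which is why certbot's own documentation suggests running `renew` twice a day; the command is cheap when nothing is due. Whatever cadence is chosen, the timer activates the service unit with the same base name, so the two files above must be installed as `<name>.service` and `<name>.timer`.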