My posts are usually notes and reference materials for myself, which I publish here with the hope that others might find them useful.
Like everyone else, I use Let's Encrypt certbot to obtain TLS certs for my domains. This post is about using certbot, but I also use AWS Route 53 to host my domains, which is nice for automating certificate renewal with the certbot-dns-route53 plugin. So this post is also about using the AWS CLI, to enable use of that plugin. Other plugins are available.
Running the Stable/LTS distributions of Debian/Ubuntu is the only sane approach for a production server. However, the version of certbot in Debian 10 (Buster) is stuck at 0.31, while the latest version (as of 11/2020) is
aws-cli is stuck at 1.16 while the latest version is
Docker containers to the rescue!
These instructions assume running as root.
0: Make sure Docker is working by following the official instructions (linked above) to add the official apt repository, install the Docker software, and run
1: Configure AWS credentials using the AWS CLI Docker image:
docker run --rm -it -v "/root/.aws:/root/.aws" amazon/aws-cli configure
2: Verify AWS credentials are working and have nominal access to Route 53:
docker run --rm -it -v "/root/.aws:/root/.aws" amazon/aws-cli route53 list-hosted-zones
3: Request a Let's Encrypt wildcard certificate using the certbot/dns-route53 Docker image, forwarding AWS credentials:
docker run -it --rm --name certbot -v "/usr/bin:/usr/bin" -v "/root/.aws:/root/.aws" -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/dns-route53 certonly --dns-route53 --domain "example.com" --domain "*.example.com"
4: Create a systemd timer to automate certificate renewal, then start the timer. (For the docker command, remove -it for non-interactive execution by systemd, and pass /usr/bin to the container to allow execution of
[Unit]
Description=Let's Encrypt certificate renewal

[Service]
Type=oneshot
ExecStart=docker run --rm --name certbot -v "/usr/bin:/usr/bin" -v "/root/.aws:/root/.aws" -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/dns-route53 renew --dns-route53 --quiet --agree-tos --deploy-hook "systemctl reload nginx"
[Unit]
Description=Monthly renewal of Let's Encrypt certificates

[Timer]
OnCalendar=monthly
RandomizedDelaySec=12 hours
Persistent=true

[Install]
WantedBy=timers.target
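The AWS credentials configured in step 1 and mounted into the certbot container in steps 3 and 4 only need to look up the hosted zone and create and delete the _acme-challenge TXT record, so they should belong to a dedicated IAM user with a policy like the following (an added example, not from the original post; HOSTEDZONEID_PLACEHOLDER and example.com are assumed values to replace with your own). It starts from the sample policy in the certbot-dns-route53 documentation and adds Route 53's ChangeResourceRecordSets condition keys so the key can only touch TXT records named _acme-challenge.example.com; drop the Condition block if your setup needs broader changes.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CertbotFindZoneAndPollChange",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CertbotAcmeChallengeTxtOnly",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/HOSTEDZONEID_PLACEHOLDER",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.example.com"]
        }
      }
    }
  ]
}
```

The aws-cli container in step 1 writes these keys in plaintext to /root/.aws on the host, so scoping them this way limits what an attacker can do with that directory or with a compromised certbot container.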