This shell script helps create Let's Encrypt certificates for domains whose DNS is hosted in AWS Route53, using the ACME DNS-01 challenge. It uses Certbot to automate the certificate requests and the AWS CLI to automate creation (and removal) of the DNS challenge records.
1. Install Certbot and the AWS CLI, for example with Homebrew (`brew install awscli certbot`) or pip (`pip install awscli certbot`).
2. Configure the AWS CLI (`aws configure`). The credentials you use must be able to list your hosted zones and change record sets in them: at minimum `route53:ListHostedZones` and `route53:ChangeResourceRecordSets`. The script only ever creates and deletes `_acme-challenge` TXT records, so restrict `ChangeResourceRecordSets` to the hosted zone(s) you are issuing for rather than granting it on `*`.
3. Download the certbot-route53.sh script. Read it before you run it: it executes with your AWS credentials.
   ```sh
   mkdir my-certificates
   cd my-certificates
   curl -sL https://git.io/vylLx -o certbot-route53.sh
   chmod a+x certbot-route53.sh
   ```
4. Run the script with your (comma-separated) domain(s) and email address:
   ```sh
   sh certbot-route53.sh \
     --agree-tos \
     --manual-public-ip-logging-ok \
     --domains jed.is,www.jed.is \
     --email $(git config user.email)
   ```
5. Wait patiently (usually about two minutes) while, for each domain requested:
   - Certbot asks Let's Encrypt for a DNS-01 validation challenge string,
   - the AWS CLI asks Route53 to create a `_acme-challenge.<domain>` TXT record containing the challenge value,
   - Let's Encrypt looks up the TXT record, validates it and returns a certificate, and finally
   - the AWS CLI asks Route53 to delete the TXT record.
6. Find your new certificate(s) in the `letsencrypt/live` directory.
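To make step 5 concrete, here is an added example of a minimal Certbot manual auth/cleanup hook for Route53. It is not the project's certbot-route53.sh; it is illustrative code written for this page. It assumes the hook environment variables `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION`, which Certbot sets when it runs `--manual-auth-hook` and `--manual-cleanup-hook`, and the AWS CLI `route53` subcommands shown. The zone-matching and change-batch helpers are pure shell and can be exercised offline; the zone list used to explain them is constructed.

```sh
#!/bin/sh
# Added example hook (not the project's certbot-route53.sh).
# Invoked by certbot as: sh route53-hook.sh UPSERT   (auth hook)
#                        sh route53-hook.sh DELETE   (cleanup hook)
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.

# Pick the hosted zone that most specifically matches DOMAIN from a
# newline-separated list of zone names, e.g. the output of
#   aws route53 list-hosted-zones --query 'HostedZones[].Name' --output text | tr '\t' '\n'
# Route53 zone names carry a trailing dot. Longest suffix match wins, so a
# delegated child zone (www.jed.is.) beats its parent (jed.is.) when both
# live in the same account; otherwise the record would land in the wrong zone.
best_zone() {
  domain="$1"; zones="$2"; best=""
  for z in $zones; do
    zname="${z%.}"
    case "$domain" in
      "$zname"|*".$zname")
        if [ "${#zname}" -gt "${#best}" ]; then best="$zname"; fi ;;
    esac
  done
  if [ -n "$best" ]; then printf '%s.\n' "$best"; return 0; fi
  return 1
}

# Build the change-batch document for the ACME TXT record.
# ACTION is UPSERT (auth) or DELETE (cleanup). Route53 requires the TXT
# value itself to be wrapped in double quotes inside the JSON string.
change_batch() {
  action="$1"; domain="$2"; value="$3"
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"_acme-challenge.%s.","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}\n' \
    "$action" "$domain" "$value"
}

# The only function that talks to AWS. Fails loudly if no zone matches, so
# certbot aborts instead of waiting on a validation that can never succeed.
route53_hook() {
  action="$1"
  zones=$(aws route53 list-hosted-zones --query 'HostedZones[].Name' --output text | tr '\t' '\n')
  zone=$(best_zone "$CERTBOT_DOMAIN" "$zones") || {
    echo "no hosted zone in this account matches $CERTBOT_DOMAIN" >&2; return 1; }
  # Assumes one zone per name; a private zone with the same name would need
  # an extra filter on Config.PrivateZone.
  zone_id=$(aws route53 list-hosted-zones \
    --query "HostedZones[?Name=='$zone'].Id | [0]" --output text)
  change_id=$(aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(change_batch "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")" \
    --query 'ChangeInfo.Id' --output text)
  # Let's Encrypt queries the authoritative servers, so do not return to
  # certbot until Route53 reports the record as INSYNC.
  if [ "$action" = UPSERT ]; then
    aws route53 wait resource-record-sets-changed --id "$change_id"
  fi
}

case "${1:-}" in
  UPSERT|DELETE) route53_hook "$1" ;;
esac
```

Wire it up with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook "sh route53-hook.sh UPSERT" --manual-cleanup-hook "sh route53-hook.sh DELETE" -d www.jed.is`. Two details matter in practice: the longest-suffix zone match, because issuing for a name under a delegated child zone must update that child zone, not the parent; and waiting for the change to become INSYNC, because without it the validation can race the propagation and fail intermittently.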
You can optionally use Docker to avoid installing the build tools and go straight to requesting certificates. This assumes that (a) you have installed Docker, (b) you have done step 2 above (either by installing the AWS CLI locally or by using an AWS CLI Docker container to write the configuration), and (c) your AWS configuration files are in `~/.aws` as standard. The credentials directory is mounted read-only; the `letsencrypt` directory is mounted writable so that the issued keys and certificates persist on the host after the container exits.

```sh
$ git clone https://github.com/car-throttle/certbot-route53
$ cd certbot-route53 && docker build -t certbot-route53:latest .
$ mkdir -p $PWD/letsencrypt
$ docker run -it --rm -v $HOME/.aws:/root/.aws:ro -v $PWD/letsencrypt:/root/letsencrypt \
    certbot-route53:latest certbot-route53.sh \
    --agree-tos \
    --manual-public-ip-logging-ok \
    --domains jed.is,www.jed.is \
    --email $(git config user.email)
```

You'll find your certificate(s) in the `letsencrypt/live` directory here too 😉. That directory also holds the private keys (`privkey.pem`), so keep it out of version control and readable only by the account that needs to load the certificates.

And to renew (Certbot reuses the domains and hooks recorded under `letsencrypt/renewal`, so the same AWS credentials and permissions are needed):

```sh
$ docker run -it --rm -v $HOME/.aws:/root/.aws:ro -v $PWD/letsencrypt:/root/letsencrypt \
    certbot-route53:latest certbot-route53.sh renew
```