Skip to content
A set of tools to perform a Lets Encrypt DNS01 update on Route53
Ruby
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE
README.mkd
lets_encrypt_route53.rb
letsencrypt.example.rake
ssl_checker.rb

README.mkd

Ruby LetsEncrypt Route53 Update tool

This is a tool I wrote for a personal project, but isn't really useful as a gem on its own. In fact, you probably shouldn't use this code verbatim, but feel free to fork/copy and make changes you need.

See letsencrypt.example.rake for an example of how this could be used. You could also wrap the same functionality in an ActiveJob and kick it off with cron or the clockwork gem.

ssl_checker.rb

Use this to determine if your certificate is nearing expiration. Example usage:

if SslChecker.new(host: "www.github.com").expires_in < 30.days
  update_certificate!
end

lets_encrypt_route53.rb

This provides several helper methods, each of which are lightly documented inline. There's also a main "meta-method", refresh_certificate!, which performs all the steps needed to update a certificate on S3.

Notes:

  • Looks for an existing encrypted key in the provided S3 bucket.
  • If none exists, will generate a new private key, encrypt it with an AWS Key Management Service (KMS) key, and upload it to S3. You're responsible for creating the KMS key yourself, and providing the kms_key_id value.
  • Defaults to using the Lets Encrypt sandbox. To switch it to production, set endpoint to LetsEncryptRoute53::PRODUCTION

Sample IAM Policy

Here's a policy I have verified works, but I'm sure it can be locked down further, if you desire. You'll need to substitute in your own ARN values.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1470452088000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1470452271000",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt"
            ],
            "Resource": [
                "arn:aws:kms:{region}:{acct}:key/{key-uuid}"
            ]
        },
        {
            "Sid": "Stmt1470452313000",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/{hosted-zone-id}"
            ]
        },
        {
            "Sid": "Stmt1470452313001",
            "Effect": "Allow",
            "Action": [
                "route53:GetChange"
            ],
            "Resource": [
                "arn:aws:route53:::change/*"
            ]
        },
        {
            "Sid": "Stmt1470452548000",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServerCertificate",
                "iam:ListServerCertificates",
                "iam:UploadServerCertificate"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1470452636000",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:{region}:{acct}:loadbalancer/{lb-name}"
            ]
        }
    ]
}
You can’t perform that action at this time.