A set of tools to perform a Lets Encrypt DNS01 update on Route53
Ruby
Switch branches/tags
Nothing to show
Clone or download
Latest commit 2372125 Aug 5, 2016

README.mkd

Ruby LetsEncrypt Route53 Update tool

This is a tool I wrote for a personal project, but isn't really useful as a gem on its own. In fact, you probably shouldn't use this code verbatim, but feel free to fork/copy and make changes you need.

See letsencrypt.example.rake for an example of how this could be used. You could also wrap the same functionality in an ActiveJob and kick it off with cron or the clockwork gem.

ssl_checker.rb

Use this to determine if your certificate is nearing expiration. Example usage:

if SslChecker.new(host: "www.github.com").expires_in < 30.days
  update_certificate!
end

lets_encrypt_route53.rb

This provides several helper methods, each of which are lightly documented inline. There's also a main "meta-method", refresh_certificate!, which performs all the steps needed to update a certificate on S3.

Notes:

  • Looks for an existing encrypted key in the provided S3 bucket.
  • If none exists, will generate a new private key, encrypt it with an AWS Key Management Service (KMS) key, and upload it to S3. You're responsible for creating the KMS key yourself, and providing the kms_key_id value.
  • Defaults to using the Lets Encrypt sandbox. To switch it to production, set endpoint to LetsEncryptRoute53::PRODUCTION

Sample IAM Policy

Here's a policy I have verified works, but I'm sure it can be locked down further, if you desire. You'll need to substitute in your own ARN values.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1470452088000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1470452271000",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt"
            ],
            "Resource": [
                "arn:aws:kms:{region}:{acct}:key/{key-uuid}"
            ]
        },
        {
            "Sid": "Stmt1470452313000",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/{hosted-zone-id}"
            ]
        },
        {
            "Sid": "Stmt1470452313001",
            "Effect": "Allow",
            "Action": [
                "route53:GetChange"
            ],
            "Resource": [
                "arn:aws:route53:::change/*"
            ]
        },
        {
            "Sid": "Stmt1470452548000",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServerCertificate",
                "iam:ListServerCertificates",
                "iam:UploadServerCertificate"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1470452636000",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:{region}:{acct}:loadbalancer/{lb-name}"
            ]
        }
    ]
}