Skip to content

paul/letsencrypt-route53

master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

Ruby LetsEncrypt Route53 Update tool

This is a tool I wrote for a personal project, but isn't really useful as a gem on its own. In fact, you probably shouldn't use this code verbatim, but feel free to fork/copy and make changes you need.

See letsencrypt.example.rake for an example of how this could be used. You could also wrap the same functionality in an ActiveJob and kick it off with cron or the clockwork gem.

ssl_checker.rb

Use this to determine if your certificate is nearing expiration. Example usage:

if SslChecker.new(host: "www.github.com").expires_in < 30.days
  update_certificate!
end

lets_encrypt_route53.rb

This provides several helper methods, each of which are lightly documented inline. There's also a main "meta-method", refresh_certificate!, which performs all the steps needed to update a certificate on S3.

Notes:

  • Looks for an existing encrypted key in the provided S3 bucket.
  • If none exists, will generate a new private key, encrypt it with an AWS Key Management Service (KMS) key, and upload it to S3. You're responsible for creating the KMS key yourself, and providing the kms_key_id value.
  • Defaults to using the Lets Encrypt sandbox. To switch it to production, set endpoint to LetsEncryptRoute53::PRODUCTION

Sample IAM Policy

Here's a policy I have verified works, but I'm sure it can be locked down further, if you desire. You'll need to substitute in your own ARN values.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1470452088000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1470452271000",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt"
            ],
            "Resource": [
                "arn:aws:kms:{region}:{acct}:key/{key-uuid}"
            ]
        },
        {
            "Sid": "Stmt1470452313000",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/{hosted-zone-id}"
            ]
        },
        {
            "Sid": "Stmt1470452313001",
            "Effect": "Allow",
            "Action": [
                "route53:GetChange"
            ],
            "Resource": [
                "arn:aws:route53:::change/*"
            ]
        },
        {
            "Sid": "Stmt1470452548000",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServerCertificate",
                "iam:ListServerCertificates",
                "iam:UploadServerCertificate"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1470452636000",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:{region}:{acct}:loadbalancer/{lb-name}"
            ]
        }
    ]
}

About

A set of tools to perform a Lets Encrypt DNS01 update on Route53

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages