- DNS should be configured for your domain. Create your hosted zone for your domain in Route 53, and make sure the domain is either registered there, or fully delegated from your registrar to Route 53.
- It's recommended that you use a set of AWS credentials scoped to access just the things you need, rather than root credentials that could control your entire AWS account.
- Currently, your SSLMate account will need to be manually activated to use DNS approval.
Install boto. The easiest way is with pip. This was tested with Python 2.7.9.
pip install boto
You should also find the ID of your hosted zone inside Route 53. Install the aws CLI tool, configure it with credentials, then list your hosted zones:
pip install awscli
aws configure
aws route53 list-hosted-zones
You'll get a response that includes something like this:
{
    "ResourceRecordSetCount": 3,
    "CallerReference": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "Config": {
        "Comment": "my bit voyage website",
        "PrivateZone": false
    },
    "Id": "/hostedzone/YOUR_ZONE_ID",
    "Name": "bit.voyage."
}
The hosted zone ID is the trailing part of the Id field. In the above example, that's YOUR_ZONE_ID.
Create a DNS mapping file with one line for each domain you want sslmate to buy using DNS approval. Each line should contain:
- the domain (trailing dot!)
- the word route53
- AWS credentials with Route 53 access
- the AWS hosted zone ID you found above
bit.voyage. route53 YOUR_ACCESS_KEY YOUR_SECRET_KEY YOUR_ZONE_ID
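Because this file holds long-lived AWS credentials, it is worth checking each line before sslmate reads it and giving those credentials only the Route 53 rights they need. The script below is an added example, not part of the post or of SSLMate: it parses the map format shown above (five whitespace-separated fields; the comment and blank-line handling is my assumption) and emits a least-privilege IAM policy limited to the hosted zones the file names. The action list is my assumption of what CNAME creation needs; confirm it against the calls your own tooling makes.

```python
import json

# Constructed sample in the post's format:
# "<domain.> route53 <access key> <secret key> <hosted zone ID>"
SAMPLE_DNS_MAP = """\
# blank lines and '#' comments are skipped (assumption, not from the post)
bit.voyage. route53 AKIA_EXAMPLE SECRET_EXAMPLE YOUR_ZONE_ID
www.bit.voyage. route53 AKIA_EXAMPLE SECRET_EXAMPLE YOUR_ZONE_ID
"""


def parse_dns_map(text):
    """Return one dict per valid line; raise ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError("line %d: expected 5 fields, got %d" % (lineno, len(fields)))
        domain, provider, access_key, secret_key, zone_id = fields
        if not domain.endswith("."):
            raise ValueError("line %d: domain %r needs a trailing dot" % (lineno, domain))
        if provider != "route53":
            raise ValueError("line %d: unsupported provider %r" % (lineno, provider))
        entries.append({"domain": domain, "zone_id": zone_id,
                        "access_key": access_key, "secret_key": secret_key})
    return entries


def least_privilege_policy(entries):
    """IAM policy that allows record changes only in the hosted zones the map uses."""
    zone_arns = sorted({"arn:aws:route53:::hostedzone/" + e["zone_id"] for e in entries})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
             "Resource": zone_arns},
            {"Effect": "Allow",
             "Action": ["route53:GetChange"],
             "Resource": "arn:aws:route53:::change/*"},
        ],
    }


if __name__ == "__main__":
    # Print the policy only; never echo the secret key column.
    print(json.dumps(least_privilege_policy(parse_dns_map(SAMPLE_DNS_MAP)), indent=2))
```

Attach the printed policy to the IAM user whose keys appear in the map, and keep the map file itself readable only by the account that runs sslmate.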
Then add the following line to your SSLMate config file, ~/.sslmate:
dns_approval_map /path/to/dns_map
Run sslmate with a couple extra flags:
sslmate buy --batch --approval=dns [domain]
Here's an example of it running for me:
$ ./bin/sslmate buy --batch --approval=dns bit.voyage
Generating private key... Done.
Generating CSR... Done.
Placing order...
route53: Adding CNAME record for e9fd28025d1c2d574f97a3c6f78575e8.bit.voyage....
It may pause for a minute at this point, but after a little while you should see:
Done.
Order complete.
Waiting for ownership confirmation...
Then it will pause for another minute, until finally:
Your certificate is ready for use!
Private key file: bit.voyage.key
Certificate file: bit.voyage.crt
Certificate chain file: bit.voyage.chain.crt
Certificate with chain file: bit.voyage.chained.crt
And there you go. Fully command-line-driven certificate purchasing.
But of course, we don't just want to do this once. Certs expire. And who wants to back up a private key? Let's just throw the key away every few days.
Reissuance is free. And SSLMate's API knows that this domain uses DNS approval, so all you have to do is run:
sslmate reissue [domain]
Here's what it looks like for me:
$ ./bin/sslmate reissue bit.voyage
Generating private key... Done.
Generating CSR... Done.
Reissuing cert...
route53: Adding CNAME record for 35bdd7faa3c3d1ba0a50210543451a99.bit.voyage.... Done.
Reissue complete.
Waiting for ownership confirmation...
Your certificate is ready for use!
Private key file: bit.voyage.key
Certificate file: bit.voyage.crt
Certificate chain file: bit.voyage.chain.crt
Certificate with chain file: bit.voyage.chained.crt