# Using LetsEncrypt SSL certificates on AWS
This document describes how to manage LetsEncrypt certificates on AWS for CloudFront and OpsWorks.
## Setup
The following are instructions for using LetsEncrypt under Mac OS. They cover a single token for a single server.
LetsEncrypt is an active project, so make sure you pull the repository every so often.
```sh
mkdir -p ~/GitHub/Opensource2/
cd ~/GitHub/Opensource2/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
```
## Local webserver
LetsEncrypt is currently built to be installed on a web server and to request certificates periodically, which is every 90 days. Since I am installing on AWS, my workaround is to install locally and then upload to AWS.
Basically, what the LetsEncrypt script does is create a token in your local app's directory structure, then notify the LetsEncrypt service, which then queries your server for the token. If successful, it generates your certificate in the `/etc/letsencrypt/archive` directory.
First, configure your firewall to pass port 80 to your development machine. For instance, I am listening on port 80 and pushing via NAT to port 5556 of my Rails app.
Second, ensure that you have some kind of web server running on the local machine and accessible via the above. I used the production Rails app, but I was running it on my development machine.
## LetsEncrypt
### Obtaining the Certificate via LetsEncrypt
Create the certificate, where `<fqdn>` is the full domain name of the server for which you want the cert:
```sh
./letsencrypt-auto certonly --webroot -w ~/<your app>/public/ -d <fqdn>
```
If all goes well, your certificate will be in `/etc/letsencrypt/archive/`.
## Amazon Web Services
#### CloudFront
Uploading the certificate to AWS. The value for `--server-certificate-name <cert name>` is just an arbitrary label you provide; it does not have to be the name of the server. From the AWS CLI reference:
> The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces. (http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html)

Also note the special CloudFront consideration:
> If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the `--path` option. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/). (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs_manage.html#UploadSignedCert)
```sh
aws iam upload-server-certificate --server-certificate-name <cert name> --certificate-body file://cert1.pem --private-key file://privkey1.pem --certificate-chain file://lets-encrypt-x1-cross-signed.pem
```
Updating the cert on AWS, with the CloudFront path:
```sh
aws iam upload-server-certificate --server-certificate-name <cert name> --certificate-body file://cert1.pem --private-key file://privkey1.pem --certificate-chain file://lets-encrypt-x1-cross-signed.pem --path <cloudfront path name>
```
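The two upload commands above are easy to get wrong in ways the CLI only reports after the fact (a name with a space, a CloudFront path without its trailing slash, or a `privkey1.pem` that belongs to a different `cert1.pem` from the archive). The following script is an added example, not part of the original page or of the LetsEncrypt or AWS tooling; it checks those rules before calling `aws iam upload-server-certificate`. The function names are this example's own, and it assumes `openssl` and the `aws` CLI are on the PATH.

```shell
#!/bin/sh
# Added example: pre-upload checks for `aws iam upload-server-certificate`.
# Function names here are this example's own choices.

# The certificate name may not contain spaces and must not carry a path.
valid_cert_name() {
  case "$1" in
    ''|*' '*|*/*) return 1 ;;
    *) return 0 ;;
  esac
}

# A CloudFront path must begin with /cloudfront and end with a trailing slash.
valid_cloudfront_path() {
  case "$1" in
    /cloudfront/) return 0 ;;
    /cloudfront/*/) return 0 ;;
    *) return 1 ;;
  esac
}

# Confirm the private key belongs to the certificate by comparing the public
# key each one carries. (On very old OpenSSL use `openssl rsa -pubout`.)
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# upload_checked NAME CERT KEY CHAIN [CLOUDFRONT_PATH]
# Runs every check, then performs the upload exactly as on the page.
upload_checked() {
  name=$1; cert=$2; key=$3; chain=$4; path=$5
  valid_cert_name "$name" || { echo "bad certificate name: '$name'" >&2; return 1; }
  if [ -n "$path" ]; then
    valid_cloudfront_path "$path" || { echo "bad CloudFront path: '$path'" >&2; return 1; }
    set -- --path "$path"
  else
    set --
  fi
  key_matches_cert "$cert" "$key" || { echo "private key does not match $cert" >&2; return 1; }
  # -checkend 0 fails if the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "$cert has already expired" >&2; return 1; }
  aws iam upload-server-certificate --server-certificate-name "$name" \
    --certificate-body "file://$cert" --private-key "file://$key" \
    --certificate-chain "file://$chain" "$@"
}

# Usage (run from /etc/letsencrypt/archive/<fqdn>/ after obtaining the cert):
#   upload_checked www-example-com cert1.pem privkey1.pem \
#       lets-encrypt-x1-cross-signed.pem /cloudfront/www-example-com/
```

Because `upload_checked` refuses to run the upload when any check fails, a renewal script that uses it cannot leave a mismatched key or a mis-pathed certificate in IAM for CloudFront to pick up later.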
#### OpsWorks
To use the certificates in your Rails app, configure the SSL Settings section.
## Useful Commands for managing certificates
To see the list of certs with their expiration dates:
```sh
aws iam list-server-certificates --output text --query 'ServerCertificateMetadataList[*].[Expiration,ServerCertificateName]' | sort
```
To see the full details of the cert:
```sh
aws iam get-server-certificate --server-certificate-name <cert name> --output text --query 'ServerCertificate.CertificateBody' | openssl x509 -text | less
```
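Since LetsEncrypt certificates only live 90 days, the sorted listing above is most useful when something reads it and flags what is about to lapse. The script below is an added example, not part of the original page; it filters the `Expiration<TAB>Name` lines that the `list-server-certificates` query prints against a cut-off date. The function names and the sample listing are this example's own (the sample is constructed, not real account data), and the live scan assumes configured `aws` credentials.

```shell
#!/bin/sh
# Added example: flag uploaded server certificates that expire before a
# cut-off, so a 90-day LetsEncrypt cert is re-issued and re-uploaded in time.
# Function names are this example's own choices.

TAB=$(printf '\t')

# Reads "Expiration<TAB>Name" lines on stdin (the shape produced by the
# list-server-certificates query above) and prints those expiring before
# the cut-off. Both are ISO 8601 UTC timestamps such as 2016-04-01T12:00:00Z,
# so awk's plain string comparison orders them correctly.
expiring_before() {
  awk -F "$TAB" -v cutoff="$1" 'NF >= 2 && $1 < cutoff { print $1 "\t" $2 }'
}

# Cut-off N days from now. GNU date (Linux) and BSD date (Mac OS) take
# different arguments for relative dates, so try GNU first, then BSD.
cutoff_in_days() {
  date -u -d "+$1 days" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
    || date -u -v+"$1"d +%Y-%m-%dT%H:%M:%SZ
}

# Scan the live account; prints nothing when every certificate is good
# past the cut-off (default 30 days), and exits non-zero otherwise so a
# cron job or CI step can alert on it.
scan_account() {
  found=$(aws iam list-server-certificates --output text \
    --query 'ServerCertificateMetadataList[*].[Expiration,ServerCertificateName]' \
    | expiring_before "$(cutoff_in_days "${1:-30}")")
  [ -z "$found" ] && return 0
  printf 'certificates expiring within %s days:\n%s\n' "${1:-30}" "$found" >&2
  return 1
}

# Constructed sample listing (not real account data) for offline use.
SAMPLE_LISTING=$(printf '2016-02-15T10:00:00Z\twww-example-com-old\n2016-09-01T10:00:00Z\twww-example-com\n2017-01-20T10:00:00Z\tapi-example-com\n')

# Offline demonstration:
#   printf '%s\n' "$SAMPLE_LISTING" | expiring_before 2016-10-01T00:00:00Z
# prints the two 2016 entries and not api-example-com.
```

Run `scan_account 30` from cron on the machine that holds the LetsEncrypt client; a non-zero exit means at least one uploaded certificate needs the `certonly` and `upload-server-certificate` steps repeated before it lapses.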