
Certbot Wildcard Certificate with AWS Route 53


This tutorial shows how to create a wildcard certificate, for example for jklug.work and *.jklug.work, with Certbot and the AWS Route 53 DNS plugin. Let's Encrypt only issues wildcard names through the DNS-01 challenge: Certbot proves control of the zone by creating a TXT record _acme-challenge.jklug.work through the Route 53 API, so it needs an IAM identity that is allowed to write that record.

Certbot

# Install Certbot
sudo apt install certbot

# Check certbot version
certbot --version

# Shell Output:
certbot 1.21.0

Python & PIP

# Install Python and Pip
sudo apt install python3 python3-pip

# Install the Certbot Route 53 plugin, pinned to the same version as certbot
# (the PyPI project is certbot-dns-route53; pip accepts the underscore spelling).
# Alternative on Ubuntu/Debian: sudo apt install python3-certbot-dns-route53
pip3 install certbot_dns_route53==1.21.0

AWS

AWS Permission

Go to “Route 53 / Hosted zones” and copy the Hosted Zone ID of the zone that holds the domain.

Create the following IAM policy and replace “Hosted-Zone-ID” with that ID. The two read-only actions have to be granted on “*”: the plugin calls ListHostedZones to find the zone for the domain and GetChange to wait until the TXT record has propagated. ChangeResourceRecordSets is the only write action and is limited to the one zone. Even so, a key with this policy can change any record in that zone; if you want to confine it to the ACME challenge, Route 53's condition keys route53:ChangeResourceRecordSetsRecordTypes and route53:ChangeResourceRecordSetsNormalizedRecordNames can restrict the statement to TXT records named _acme-challenge.jklug.work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/Hosted-Zone-ID"
            ]
        }
    ]
}

Create AWS Access Keys

Create an IAM user, attach the policy and create an access key pair for it. You will need the following three values (the ones shown here are placeholders; the real key ID and secret belong in nothing but the credentials file, never in a blog post, a repository or a shell history):

AWS Access Key ID: <your-access-key-id>
AWS Secret Access Key: <your-secret-access-key>
Default Region: eu-central-1

Route 53 is a global service, so the region only matters for other AWS CLI calls. If the host is an EC2 instance, an instance profile with the same policy avoids long-lived keys altogether: the plugin uses the standard boto3 credential chain and picks the role credentials up automatically.


Install AWS CLI

# Download AWS CLI Zip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

# Install Zip Tool
sudo apt install unzip

# Unzip AWS CLI Zip
unzip awscliv2.zip

# Install AWS CLI
sudo ./aws/install

# Check Version
aws --version

# Add AWS Access Keys: this writes ~/.aws/credentials and ~/.aws/config for the
# current user. The Route 53 plugin reads the same files through boto3, so run
# this as the user that will run certbot (and its renewals).
aws configure

Certificate

Create Directory for Certbot:

mkdir -p /home/ubuntu/letsencrypt/config/ &&
mkdir -p /home/ubuntu/letsencrypt/log/ &&
mkdir -p /home/ubuntu/letsencrypt/work/

Request Certificate

Use the following command to request the certificate. The wildcard argument is quoted so the shell does not treat it as a glob, and the apex name is listed separately because *.jklug.work does not cover jklug.work itself:

certbot certonly \
  -d jklug.work -d '*.jklug.work' \
  --dns-route53 \
  --config-dir /home/ubuntu/letsencrypt/config/ \
  --work-dir /home/ubuntu/letsencrypt/work/ \
  --logs-dir /home/ubuntu/letsencrypt/log/ \
  -m juergen@jklug.work --agree-tos --non-interactive \
  --server https://acme-v02.api.letsencrypt.org/directory

Shell Output:

Saving debug log to /home/ubuntu/letsencrypt/log/letsencrypt.log
Requesting a certificate for jklug.work and *.jklug.work

Successfully received certificate.
Certificate is saved at: /home/ubuntu/letsencrypt/config/live/jklug.work/fullchain.pem
Key is saved at:         /home/ubuntu/letsencrypt/config/live/jklug.work/privkey.pem
This certificate expires on 2023-10-17.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Find / Copy the Certificates

The archive directory holds every version ever issued, with a numeric suffix that increases on each renewal:

ls ~/letsencrypt/config/archive/jklug.work

cert1.pem  chain1.pem  fullchain1.pem  privkey1.pem

Do not point services at these numbered files. Use the paths certbot printed, /home/ubuntu/letsencrypt/config/live/jklug.work/fullchain.pem and privkey.pem: they are symlinks to the newest archive versions and are updated in place on renewal. Certbot creates privkey.pem with mode 0600, and it should stay that restrictive wherever it is copied.
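One caveat on the "Certbot has set up a scheduled task" line in the output above: the apt package's certbot.timer runs "certbot -q renew" against the default /etc/letsencrypt, so it never sees a lineage stored under the custom --config-dir used here. Renewal has to be scheduled separately with the same three directories, and a deploy hook is the cleanest way to copy the renewed files out of live/. The script below is an added example, not code from the original post; the directory under LE_BASE, the destination CERT_DEST, the install path of the script itself and the nginx reload are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: renew the certificate that
# lives in the custom --config-dir used above and install the renewed files
# through a certbot deploy hook. LE_BASE, CERT_DEST, SELF and the nginx
# reload are assumptions; adjust them to your host.
set -eu

LE_BASE="${LE_BASE:-/home/ubuntu/letsencrypt}"   # same dirs as the certonly run
CERT_DEST="${CERT_DEST:-$LE_BASE/deploy}"        # assumed: where services read the cert
SELF="${SELF:-/usr/local/sbin/le-renew.sh}"      # assumed install path of this script

# Copy the current certificate and key out of a lineage directory.
# $1 is the live/<name> directory: its fullchain.pem and privkey.pem are
# symlinks to the newest certN.pem/privkeyN.pem in archive/, and cp follows
# the links, so this always yields the current version without tracking
# the numeric suffix.  $2 is the destination directory.
install_cert() {
    lineage="$1"
    dest="$2"
    mkdir -p "$dest"
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$lineage/privkey.pem" "$dest/privkey.pem.tmp"
    chmod 644 "$dest/fullchain.pem.tmp"
    chmod 600 "$dest/privkey.pem.tmp"
    # Rename last so a reader never sees a half-written or world-readable key.
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# Renew everything under the custom config dir. Run this from cron as the
# user whose ~/.aws/credentials the dns-route53 plugin should use; the apt
# package's certbot.timer only renews lineages under /etc/letsencrypt.
renew_certs() {
    certbot renew \
        --config-dir "$LE_BASE/config" \
        --work-dir "$LE_BASE/work" \
        --logs-dir "$LE_BASE/log" \
        --deploy-hook "$SELF deploy"
}

case "${1:-}" in
    renew)
        renew_certs
        ;;
    deploy)
        # Certbot exports RENEWED_LINEAGE (the live/<name> dir) and
        # RENEWED_DOMAINS to the deploy hook after a successful renewal.
        install_cert "$RENEWED_LINEAGE" "$CERT_DEST"
        systemctl reload nginx   # assumption: nginx serves the certificate
        ;;
esac
```

Schedule it with a cron entry such as "0 3 * * * /usr/local/sbin/le-renew.sh renew" for the same user that ran aws configure; certbot only contacts Let's Encrypt when the certificate is within 30 days of expiry, so running it daily is harmless. The deploy branch runs as that user too, so CERT_DEST must be writable by it and the reload needs root or a matching sudoers entry.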

Check the Certificate
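The checks below are an added example, not code from the original post. They use only openssl against the fullchain.pem path certbot printed above and verify what actually matters for serving: the names in the subjectAltName extension (browsers ignore the CN), that a wildcard SAN matches exactly one label, and how much validity is left. The certificate path is passed as an argument; the names tested in the usage section are the ones from this tutorial.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect the issued
# certificate and check that it covers the names you intend to serve.
set -eu

# Print subject, issuer and validity window.
cert_info() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# List the DNS names in the subjectAltName extension, one per line.
# Clients match hostnames against SANs, not the subject CN.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 if certificate $1 covers hostname $2.
# A wildcard SAN matches exactly one label: *.jklug.work covers
# api.jklug.work but neither jklug.work (hence the separate -d jklug.work
# in the certonly command) nor a.b.jklug.work.
cert_covers() {
    cert="$1"
    name="$2"
    case "$name" in
        *.*) wildcard="*.${name#*.}" ;;
        *)   wildcard="" ;;
    esac
    cert_sans "$cert" | {
        while read -r san; do
            [ "$san" = "$name" ] && exit 0
            [ -n "$wildcard" ] && [ "$san" = "$wildcard" ] && exit 0
        done
        exit 1
    }
}

# Return 0 if certificate $1 stays valid for at least $2 more days.
# Let's Encrypt certificates last 90 days; certbot renews at 30 remaining.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: sh check-cert.sh /home/ubuntu/letsencrypt/config/live/jklug.work/fullchain.pem
if [ "$#" -gt 0 ]; then
    cert_info "$1"
    echo "SANs:"
    cert_sans "$1"
    for n in jklug.work api.jklug.work; do
        if cert_covers "$1" "$n"; then
            echo "covers $n"
        else
            echo "does NOT cover $n"
        fi
    done
    cert_valid_for_days "$1" 30 || echo "less than 30 days left: renew now"
fi
```

cert_valid_for_days is the same test certbot applies before renewing, so it doubles as a monitoring probe: run it from cron with a threshold of, say, 20 days and alert on a non-zero exit, which catches a renewal job that has silently stopped working (for example because the IAM key was rotated).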