
Let's Encrypt Wildcard Certificate with Certbot and AWS Route 53

AWS Certbot Wildcard Certificate Route 53

This tutorial shows how to obtain a wildcard certificate (for example *.jklug.work, together with the apex name jklug.work) from Let's Encrypt with Certbot and the dns-route53 plugin. Wildcard names can only be validated with the DNS-01 challenge, so the plugin needs an AWS credential that may write TXT records into the hosted zone; the IAM policy below is scoped to exactly that.

Certbot
#

# Install Certbot
sudo apt install certbot

# Check certbot version
certbot --version

# Shell Output:
certbot 1.21.0

Python & PIP
#

# Install Python and Pip
sudo apt install python3 python3-pip

# Install the Certbot Route 53 plugin (pin it to the same version as certbot;
# pip also accepts the spelling certbot_dns_route53)
pip3 install certbot-dns-route53==1.21.0

AWS
#

AWS Permission
#

Go to "Route 53 / Hosted zones" and copy the Hosted Zone ID of your hosted zone.

Create the following IAM policy and replace "Hosted-Zone-ID" with the ID of your Route 53 hosted zone. The first statement has to stay on "*" because ListHostedZones and GetChange cannot be limited to a single zone; the second one is what grants write access, and it is limited to the zone:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/Hosted-Zone-ID"
            ]
        }
    ]
}
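The policy above is the one the Certbot plugin documentation suggests. Its weak spot is that route53:ChangeResourceRecordSets on the zone lets whoever holds the access key rewrite every record in it (A, MX, NS, ...), not just the ACME challenge. Route 53 exposes condition keys for this action that confine it to specific record types, names and change actions. The variant below is an added example, not from the original post: it allows only TXT records, only at names starting with _acme-challenge., and only the UPSERT and DELETE actions the plugin issues. It assumes the condition keys route53:ChangeResourceRecordSetsRecordTypes, route53:ChangeResourceRecordSetsNormalizedRecordNames and route53:ChangeResourceRecordSetsActions (check the Route 53 IAM reference for your account if a change is denied) and that the challenge names are not delegated elsewhere by CNAME.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/Hosted-Zone-ID",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
                    "route53:ChangeResourceRecordSetsActions": ["UPSERT", "DELETE"]
                },
                "ForAllValues:StringLike": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]
                }
            }
        }
    ]
}
```

Even with this scoping a leaked key still lets an attacker pass DNS-01 and obtain certificates for the domain; what it no longer allows is hijacking the zone's other records. Record names in the condition are compared in lower case without the trailing dot, which is why the pattern is written as a plain lower-case prefix.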

Create AWS Access Keys
#

Create an IAM user with nothing but this policy attached and generate an access key pair for it. You end up with three values (the ones below are the author's example values; treat the secret like a password, keep it out of shell history and version control, and rotate it if it is ever exposed). On an EC2 instance, an instance profile carrying the same policy avoids static keys altogether, since the plugin picks up credentials through the standard boto3 credential chain. It should look like this:

AWS Access Key ID: AKIARCBUALFN5TSOMUHI
AWS Secret Access Key: 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
Default Region: eu-central-1


Install AWS CLI
#

# Download AWS CLI Zip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

# Install Zip Tool
sudo apt install unzip

# Unzip AWS CLI Zip
unzip awscliv2.zip

# Install AWS CLI
sudo ./aws/install

# Check Version
aws --version

# Store the access keys in ~/.aws/credentials; the Route 53 plugin reads them
# through boto3's standard credential chain. Route 53 is a global service, so
# any valid region works as the default.
aws configure

Certificate
#

Create Directory for Certbot:

mkdir -p /home/ubuntu/letsencrypt/config/ &&
mkdir -p /home/ubuntu/letsencrypt/log/ &&
mkdir -p /home/ubuntu/letsencrypt/work/

Request Certificate
#

Use the following command to request the certificate. The wildcard is quoted so the shell cannot glob-expand it, --non-interactive makes the command usable from scripts, and the three directory options keep state under the unprivileged user's home instead of /etc/letsencrypt:

certbot certonly -d jklug.work -d '*.jklug.work' --dns-route53 \
    --logs-dir /home/ubuntu/letsencrypt/log/ \
    --config-dir /home/ubuntu/letsencrypt/config/ \
    --work-dir /home/ubuntu/letsencrypt/work/ \
    -m juergen@jklug.work --agree-tos --non-interactive \
    --server https://acme-v02.api.letsencrypt.org/directory

Shell Output:

Saving debug log to /home/ubuntu/letsencrypt/log/letsencrypt.log
Requesting a certificate for jklug.work and *.jklug.work

Successfully received certificate.
Certificate is saved at: /home/ubuntu/letsencrypt/config/live/jklug.work/fullchain.pem
Key is saved at:         /home/ubuntu/letsencrypt/config/live/jklug.work/privkey.pem
This certificate expires on 2023-10-17.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Find / Copy the Certificates
#

# archive/ keeps every version ever issued; live/ holds symlinks to the newest
# one, so point services at live/ and they follow renewals automatically
ls ~/letsencrypt/config/archive/jklug.work

cert1.pem  chain1.pem  fullchain1.pem  privkey1.pem
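Before the files are copied anywhere it is worth confirming what was issued. The script below is an added example and not part of the original post: it lists the SANs of the certificate in the tutorial's directory layout, checks that both jklug.work and *.jklug.work are covered, confirms that privkey.pem belongs to fullchain.pem, and reports whether the lineage is inside Certbot's 30-day renewal window. It also carries the renewal command for this layout, because the "scheduled task" mentioned in Certbot's output is the Ubuntu package's certbot.timer, which only renews lineages under /etc/letsencrypt and never looks at a custom --config-dir. Assumed: openssl on PATH, the /home/ubuntu/letsencrypt paths from above, and "systemctl reload nginx" as the deploy hook.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Inspects the certificate Certbot
# wrote under the tutorial's custom directories and renews it with the same
# directories. Assumptions: openssl is on PATH, the /home/ubuntu/letsencrypt
# layout from above, and "systemctl reload nginx" as the deploy hook.
set -u

LE_BASE="${LE_BASE:-/home/ubuntu/letsencrypt}"
LINEAGE="${LINEAGE:-jklug.work}"
LIVE="$LE_BASE/config/live/$LINEAGE"

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Exit 0 when every name given after the certificate path appears literally
# in its SANs (the wildcard is listed as "*.jklug.work", not expanded).
cert_covers() {
    local cert="$1" sans name
    shift
    sans=$(cert_sans "$cert")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" || return 1
    done
    return 0
}

# Exit 0 when the public key inside the certificate equals the one derived
# from the private key, i.e. privkey.pem really belongs to fullchain.pem.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 when the certificate expires within $2 days (default 30, the window
# in which "certbot renew" acts), 1 when it is still good for longer.
cert_needs_renewal() {
    local days="${2:-30}"
    if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Renew every lineage under the custom config dir. Schedule this yourself
# (e.g. a daily cron entry): the packaged certbot.timer only looks at
# /etc/letsencrypt. Extra arguments are passed through to certbot.
renew_all() {
    certbot renew \
        --config-dir "$LE_BASE/config" --work-dir "$LE_BASE/work" \
        --logs-dir "$LE_BASE/log" --quiet "$@"
}

# Usage:  ./cert-check.sh check   (inspect the lineage, exit 1 on any problem)
#         ./cert-check.sh renew   (renew and reload nginx when something changed)
case "${1:-}" in
    check)
        cert="$LIVE/fullchain.pem"; key="$LIVE/privkey.pem"
        cert_sans "$cert"
        cert_covers "$cert" "$LINEAGE" "*.$LINEAGE" || { echo "missing SAN" >&2; exit 1; }
        key_matches_cert "$cert" "$key" || { echo "key/cert mismatch" >&2; exit 1; }
        if cert_needs_renewal "$cert"; then echo "renewal due"; else echo "not due yet"; fi
        ;;
    renew)
        renew_all --deploy-hook 'systemctl reload nginx'
        ;;
esac
```

The checks read only the first certificate in fullchain.pem, which is the leaf; the deploy hook runs once per renewed lineage, so a reload is only triggered when a new certificate was actually obtained.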

Check the Certificate
#