Let's Encrypt SSL certificate management automation using DNS-01 challenge and AWS
The post describes the steps to automate the management of SSL certificates from the Let's Encrypt CA using the DNS-01 challenge and AWS.
acme-dns-route53 is a tool that will allow us to implement this feature. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to answer the DNS-01 challenge, and, finally, push notifications to SNS. In acme-dns-route53 there is also built-in functionality for running inside AWS Lambda, which is exactly what we need.
This article is divided into 4 sections:
creating a zip file;
creating an IAM role;
creating a lambda function that runs acme-dns-route53;
creating a CloudWatch timer that triggers the function 2 times a day.
acme-dns-route53 is written in Go and requires Go version 1.9 or later.
We need to create a zip file with the acme-dns-route53 binary inside. For this you need to install acme-dns-route53 from the GitHub repository using the go install command:
$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53
The binary is installed in the $GOPATH/bin directory. Please note that during installation we specified two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler to produce a binary for Linux on the amd64 architecture, which is what runs in AWS Lambda.
AWS expects our program to be deployed as a zip file, so let's create the acme-dns-route53.zip archive containing the newly installed binary:
$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53
Note: The binary must be in the root of the zip archive, which is why we pass the -j (junk paths) flag.
Now our zip archive is ready for deployment; it remains only to create a role with the necessary rights.
Creating an IAM role
We need to set up the IAM role with the permissions our lambda needs when it executes.
Let's name this role lambda-acme-dns-route53-executor and immediately attach the AWS-managed policy AWSLambdaBasicExecutionRole to it. This will allow our lambda to run and write logs to the AWS CloudWatch service.
First, we create a JSON file with the trust policy. It states that the Lambda service is allowed to assume the role lambda-acme-dns-route53-executor:
Now let's run the aws iam create-role command to create the role:
$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
--assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json
Note: remember the ARN (Amazon Resource Name) of the role that this command prints; we will need it in the next steps.
The role lambda-acme-dns-route53-executor is created; now we need to give it permissions. The easiest way to do this is the aws iam attach-role-policy command, passing the policy ARN of AWSLambdaBasicExecutionRole in the following way:
$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Note: a list with the rest of the policies can be found here.
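The trust policy document itself is not shown in the post, so here is an added example (not from the original post or the acme-dns-route53 project) that writes it and then runs the two commands above. The principal is restricted to the Lambda service only: no account or user ARN is trusted, so nothing but Lambda can assume the role. The file path, the APPLY switch and the helper names are this example's own assumptions. Note that AWSLambdaBasicExecutionRole only grants CloudWatch Logs access; the Route53, ACM and SNS permissions the function needs come from the additional policies referred to above.

```sh
#!/bin/sh
# Added example (not the post's own code): create the IAM role for the lambda.
set -eu

ROLE_NAME="lambda-acme-dns-route53-executor"
# Assumed path; the post keeps this file in the home directory.
POLICY_FILE="${HOME:-.}/${ROLE_NAME}-policy.json"

# write_trust_policy FILE: writes the assume-role (trust) policy. Only the
# Lambda service principal may call sts:AssumeRole on this role.
write_trust_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# trust_policy_ok FILE: sanity check before handing the file to IAM:
# the Lambda service must be trusted, and no "AWS" (account/user) principal
# may have crept in, which would let IAM identities assume the role too.
trust_policy_ok() {
  grep -q '"lambda.amazonaws.com"' "$1" &&
  grep -q '"sts:AssumeRole"' "$1" &&
  ! grep -q '"AWS"' "$1"
}

# The AWS CLI calls need credentials, so they run only with APPLY=1
# (assumed switch for this example), e.g.: APPLY=1 sh create-role.sh
if [ "${APPLY:-0}" = 1 ]; then
  write_trust_policy "$POLICY_FILE"
  trust_policy_ok "$POLICY_FILE"
  # Prints the role ARN; keep it for 'aws lambda create-function --role'.
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$POLICY_FILE"
  # Logging permissions only (CloudWatch Logs).
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
fi
```

The trust policy and the permission policies are deliberately separate: the first answers "who may wear this role" (only the Lambda service), the second "what the role may do", and each should stay as narrow as the function requires.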
Creating a lambda function that runs acme-dns-route53
Hooray! Now we can deploy our function on AWS using the aws lambda create-function command. The lambda must be configured using the following environment variables:
AWS_LAMBDA - tells acme-dns-route53 that it is running inside AWS Lambda.