Let’s Make Wildcard Certificates with Certbot, Docker, and Route53

In case you haven’t heard, Let’s Encrypt now supports wildcard certificates as a feature of the new ACME v2 protocol. However, current client support is still somewhat limited, as the Let’s Encrypt CA requires domain validation via DNS-01 challenge. To further complicate things, DNS-01 requires programmatic access to your nameservers. But let’s assume you are already using Route53 and you’re looking for the simplest way to begin issuing wildcard certificates for your hosted zones. You’ll need an up-to-date ACME client, such as the latest version of Certbot. Chances are your server distro is not that bleeding-edge. That’s where Docker comes in.

Let’s take a look at how to quickly set up a Docker container for Certbot to issue wildcard certificates via Let’s Encrypt.

What You’ll Need

You’ll need a few things to get started:

  • A domain name set up to use Amazon Route53 nameservers.
  • A set of AWS credentials configured with the appropriate Route53 permissions (details below).
  • A functioning Docker instance on your web server.

Create the Docker Script

Let’s start by creating a working directory for our Docker image:

$ mkdir ~/certbot-docker
$ cd ~/certbot-docker

Now throw the following code into a file named ~/certbot-docker/certbot-docker.sh:

#!/bin/sh

sudo docker run -it --rm --name certbot \
--env AWS_CONFIG_FILE=/etc/aws-config \
-v "${PWD}/aws-config:/etc/aws-config" \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/dns-route53 certonly --server https://acme-v02.api.letsencrypt.org/directory

Notice the part where it mentions the file ${PWD}/aws-config. Next we need to create that file using your AWS API credentials.

Provide Your AWS API Credentials

The ~/certbot-docker/aws-config file should look like this:

[default]
aws_access_key_id=XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

If you haven’t set up the API credentials yet, login to the AWS IAM console and create a group with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "route53:GetChange",
        "route53:ListHostedZones"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/*"
    }
  ]
}

Special thanks to the author of this forum post for pointing me in the right direction.

Leave a Reply

Your email address will not be published. Required fields are marked *