Here is a quick tutorial on how you can create free SSL certificates for your AWS deployments.
If you’re on AWS and hosting a large workload, you can actually get free certificates from Amazon by using their Certificate Manager. However, these certificates can only be attached to an AWS Load Balancer, an API Gateway instance or a CloudFront distribution.
For small Laravel staging deployments that need only one front-end server and therefore no load balancer, the overhead is not worth it: a Load Balancer costs around $17 per month, depending on the region.
On the other hand, Let’s Encrypt offers a free Certificate Authority service, which means it will sign SSL/TLS certificates for free. The downside is that they expire every 90 days, and the procedure to create them can be laborious. Indeed, you need to prove that you control a domain before receiving your certificates, for example by deploying an Nginx server with a validation file on that domain. It’s time-consuming and it’s a pain.
I will show you instead how you can create a Let’s Encrypt certificate for AWS, directly from your development machine, in two command lines.
Requirements:
- having the AWS CLI installed and configured
- having Certbot installed on your machine: brew install certbot
- having your domain name registered as a hosted zone in Route53 in your AWS account
1. Creating our hook script
Copy the script below into your current directory using the command:

wget https://gist.githubusercontent.com/li0nel/4563f8d909e808169c91a5521569ff10/raw/cb1396d07eb91700642b27a4cd92e335498c03ca/auth-hook.sh -O ./auth-hook.sh && chmod +x auth-hook.sh
This will create an executable script that uses the AWS CLI to insert a TXT record in your Route53 DNS records.
The TXT record is then used by Let’s Encrypt servers to verify that you control the domain, by querying the DNS servers for that domain.
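What a hook of this kind does, written out as an added example (it is not the contents of the gist above): it builds the `_acme-challenge` TXT change batch from the variables Certbot passes to a manual auth hook, rejects values that could break out of the JSON, and waits for Route53 to apply the change. The function names are hypothetical, and it assumes the hosted zone is the last two labels of the domain.

```shell
#!/bin/sh
# Added example, not the gist downloaded above: a Certbot --manual-auth-hook
# that publishes the DNS-01 challenge TXT record in Route53.
# Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION before calling the hook.

# Build the Route53 change batch for _acme-challenge.<domain>.
build_change_batch() {
  domain="$1"; token="$2"
  # Accept only hostname / base64url characters so neither value can
  # break out of the JSON document built below.
  case "$domain" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  case "$token" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
  # Route53 wants the TXT value wrapped in double quotes inside the JSON string.
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"_acme-challenge.%s.","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' \
    "$domain" "$token"
}

# Assumption: the hosted zone is the last two labels (www.example.com -> example.com).
zone_name() {
  printf '%s\n' "$1" | awk -F. '{ print $(NF-1) "." $NF }'
}

publish_challenge() {
  batch=$(build_change_batch "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION") || return 1
  zone=$(zone_name "$CERTBOT_DOMAIN")
  # Match the zone name exactly; list-hosted-zones-by-name only sets a start point.
  zone_id=$(aws route53 list-hosted-zones-by-name --dns-name "$zone." \
    --query "HostedZones[?Name=='$zone.'].Id | [0]" --output text) || return 1
  [ "$zone_id" != "None" ] || return 1
  change_id=$(aws route53 change-resource-record-sets \
    --hosted-zone-id "${zone_id##*/}" --change-batch "$batch" \
    --query 'ChangeInfo.Id' --output text) || return 1
  # Wait until Route53 reports the change INSYNC before Certbot asks for validation.
  aws route53 wait resource-record-sets-changed --id "${change_id##*/}"
}

# Act only when Certbot has supplied its variables.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  publish_challenge
fi
```

The only Route53 write the hook needs is `route53:ChangeResourceRecordSets` on that one hosted zone, so the AWS CLI profile used for it can be scoped accordingly.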
2. Execute Certbot
In the same directory, execute the command below, after replacing your_domain.com with your actual domain name and the email with your own email address. Note that this will generate a certificate for both your_domain.com and www.your_domain.com. You can add as many subdomains as you like AFAIK; however, Let’s Encrypt does not support wildcard certificates.
This might take a couple minutes, but eventually your certificates will be created in a /letsencrypt directory.
For Nginx, the ssl_certificate file you are looking for is fullchain.pem and the ssl_certificate_key is privkey.pem.
Here you go! It took two command lines as promised, and a lot less headache than usual.
Lionel is a senior developer turned devOps and CTO, helping tech companies architecting their web platform in the cloud and building automation in their operations to set them up for success. He geeks out on Terraform, AWS and email marketing automation. Reach out to him on https://getlionel.com
Easy, Let’s Encrypt Certificates on AWS was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.