Use certbot to create Let's Encrypt (https://letsencrypt.org/) certificates. The use of the route53 certbot plugin requires a configuration file containing AWS credentials for an account with permissions to call:
route53:ListHostedZones
route53:GetChange
route53:ChangeResourceRecordSets
See https://certbot-dns-route53.readthedocs.io/en/stable/ for more details.
You need to make your AWS credentials available to certbot when running the container. I found the following 2 options work best:
- Create a credentials file in a directory or volume that can be bound to the container with the run command
- Provide the AWS credentials as part of the run command.
Examples for both options provided below. Once the initial certificate has been created, another docker run command can be added to cron to auto renew the certificate before it expires every 3 months.
- Create a volume or select a directory to store your credentials file. In the example I will use /docker-data/certbot/home in this example:
[default]
aws_access_key_id = XXX
aws_secret_access_key = XXX
-
Create a volume or select a directory that will be used to store your generated certificates. I will use /docker-data/certbot/sslcerts/ in this example.
-
Run the command:
docker run -it --rm --name certbot-route53 \
-v "/docker-data/certbot/sslcerts:/etc/letsencrypt" \
-v "/docker-data/certbot/home:/root" jakezp/certbot-route53 \
certbot certonly --email <your_email> --agree-tos --no-eff-email '
--dns-route53 --dns-route53-propagation-seconds 30 \
-d your_domain
-
Once completed, the certificate files will be available in the */docker-data/certbot-route53/sslcerts/live/<your_domain>/
-
It's recommended not to move the certificate files, but rather to link to them from your application / service.
-
The credentials file will be available for additional certificates and renewals.
-
Create a volume or select a directory that will be used to store your generated certificates. I will use /docker-data/certbot/sslcerts/ in this example.
-
Run the command, specifying the AWS credentials:
docker run -it --rm --name certbot-route53 \
-e "AWS_ACCESS_KEY_ID=<enter_your_own_aws_access_key>" \
-e "AWS_SECRET_ACCESS_KEY=<enter_your_own_aws_secret_key>" \
-v "/docker-data/certbot/sslcerts:/etc/letsencrypt" \
certbot certonly --email <your_email> --agree-tos --no-eff-email '
--dns-route53 --dns-route53-propagation-seconds 30 \
-d your_domain
-
Once completed, the certificate files will be available in the */docker-data/certbot-route53/sslcerts/live/<your_domain>/
-
It's recommended not to move the certificate files, but rather to link to them from your application / service.
-
The credentials will have to be provided every time.
Wildcard certificates can be generated by specifying the following switch in the certbot command and adding your domain as *.domain.com
--server https://acme-v02.api.letsencrypt.org/directory
-
As the credentials file was created when the certificate was first requested, it is still available.
-
Run the command specifying the home volume or directory:
docker run -it --rm --name certbot-route53 \
-v "/docker-data/certbot/sslcerts:/etc/letsencrypt" \
-v "/docker-data/certbot/home:/root" jakezp/certbot-route53 \
certbot renew
- All certificates in the */docker-data/certbot/sslcerts/live/ directories will be renewed
- Run the command, specifying the AWS credentials:
docker run -it --rm --name certbot-route53 \
-e "AWS_ACCESS_KEY_ID=<enter_your_own_aws_access_key>" \
-e "AWS_SECRET_ACCESS_KEY=<enter_your_own_aws_secret_key>" \
-v "/docker-data/certbot/sslcerts:/etc/letsencrypt" \
certbot renew
** The domain or host you request a certificate for must have a valid entry in the AWS Route 53 Host Zone **
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent