begmaroman / acme-dns-route53

Tool to obtain certs from Let's Encrypt using DNS-01 challenge with Route53 and Amazon Certificate Manager

Languages: Go 85.90%, HCL 14.10%

Topics: golang, managing-certificates, amazon, acm, go, aws, letsencrypt, ssl, aws-lambda, aws-lambda-golang, certificates, sns, terraform

acme-dns-route53's Introduction

acme-dns-route53 is a tool for obtaining TLS certificates from the Let's Encrypt CA using the ACME DNS-01 challenge, with the validation records published in AWS Route53 and the resulting certificates stored in AWS Certificate Manager (ACM).

Features:

  • Registering an account with the CA
  • Issuing the initial server certificate
  • Renewing existing certificates
  • DNS-01 challenge validation using AWS Route53
  • Storing issued certificates in AWS ACM
  • Managing certificates for multiple domains in one request
  • Built-in support for running as an AWS Lambda function

Installation:

Make sure that Go is already installed, then run:

go install github.com/begmaroman/acme-dns-route53

Credentials:

Use of this tool requires AWS API credentials for an IAM principal (user or role) with the following permissions:

  • sns:Publish (optional)
  • route53:ListHostedZones
  • route53:GetChange
  • route53:ChangeResourceRecordSets
  • acm:ImportCertificate
  • acm:ListCertificates
  • acm:DescribeCertificate

These permissions can be captured in an IAM policy like the one below. Amazon's documentation covers managing access to Route53 and ACM and the permissions each API call requires. Note that acm:ImportCertificate appears in both statements on purpose: importing a new certificate has no certificate ARN yet and therefore needs Resource "*", while re-importing (renewing) an existing certificate can be scoped to the certificate ARN. Put the real hosted zone ID in the second statement rather than a wildcard, so a leaked credential cannot change records in other zones.

Example AWS policy file:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "acm:ImportCertificate",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:*",
                "arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

The credentials for a principal with these permissions must be supplied in one of the following ways:

  • Using the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.
  • Using a shared credentials file at the default location, ~/.aws/credentials (the Go SDK also reads ~/.aws/config when AWS_SDK_LOAD_CONFIG is set).
  • Using a configuration file at a path supplied using the AWS_CONFIG_FILE environment variable.

When the tool runs in AWS Lambda, the function's execution role supplies temporary credentials through the runtime environment, so no long-lived access keys need to be stored; prefer that over static keys wherever possible.

Example credentials file (the key values below are AWS's published placeholder examples; never commit real keys to the repository or bake them into a Lambda package):

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Usage:

  • Domains (required) - use the --domains flag to give a comma-separated list of domains for which certificates should be obtained. Example:

    $ acme-dns-route53 obtain --domains=testserver.com,testserver1.com,testserver2.com --email=<email>
  • Let's Encrypt email (required) - use the --email flag to set the Let's Encrypt account email. If the account's private key is not found, a new account is registered. The private key is expected at the path <config-dir>/<email>.pem and must be protected like any other secret (readable only by the user running the tool); whoever holds it controls the ACME account. Example:

    Path: /tmp/letsencrypt/<email>.pem

    Content:

    -----BEGIN RSA PRIVATE KEY-----
    somecontentoftheprivatekey
    -----END RSA PRIVATE KEY-----
    
  • Let's Encrypt ACME server - by default the tool talks to the production Let's Encrypt ACME server. To test without issuing real (publicly trusted) certificates, and without consuming production rate limits, use the --staging flag:

    $ acme-dns-route53 obtain --staging --domains=<domains> --email=<email>
  • Configuration directory - by default configuration data is stored in the current directory (where the CLI runs). To change it, set the desired path using the --config-dir flag:

    $ acme-dns-route53 obtain --config-dir=<config-dir-path> --domains=<domains> --email=<email>
  • SNS Notification topic - if you'd like to send a notification to SNS, provide SNS Topic ARN using --topic flag:

    $ acme-dns-route53 obtain --domains=<domains> --email=<email> --topic=arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<SNS_TOPIC_NAME>
  • Renew before - the --renew-before flag sets the number of days before expiry within which an existing certificate is renewed instead of being left as is:

    $ acme-dns-route53 obtain --domains=<domains> --email=<email> --renew-before=7
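The DNS-01 flow behind the Features list and the --email/--domains flags rests on two computations worth seeing in code: the RFC 7638 thumbprint of the account key stored at <config-dir>/<email>.pem, and the TXT value written to _acme-challenge.<domain> for each identifier (RFC 8555 section 8.4). The Go program below is an added example written for this page, not code from the acme-dns-route53 project; all names in it (RSAJWK, PlanTXTRecords, the sample tokens and domains) are illustrative assumptions. It also handles a case a multi-domain request has to get right: an apex domain and its wildcard validate at the same record name, so their values must be merged into one RRset before a Route53 UPSERT, which otherwise replaces the whole set.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"sort"
	"strings"
)

// RSAJWK is the public part of an ACME account key in JWK form (RFC 7517).
// Hypothetical type for this example; not the tool's own code.
type RSAJWK struct {
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKFromRSAPublicKey converts an RSA public key (e.g. parsed from
// <config-dir>/<email>.pem) into JWK form using unpadded base64url.
func JWKFromRSAPublicKey(pub *rsa.PublicKey) RSAJWK {
	return RSAJWK{
		Kty: "RSA",
		N:   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}
}

// CanonicalJWK returns the RFC 7638 canonical form: only the required members
// (e, kty, n for RSA), lexicographically ordered, no whitespace.
// encoding/json sorts map keys, which yields exactly that ordering.
func CanonicalJWK(k RSAJWK) string {
	b, _ := json.Marshal(map[string]string{"e": k.E, "kty": k.Kty, "n": k.N})
	return string(b)
}

// Thumbprint is base64url(SHA-256(canonical JWK)) per RFC 7638.
func Thumbprint(k RSAJWK) string {
	sum := sha256.Sum256([]byte(CanonicalJWK(k)))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// KeyAuthorization joins the CA's challenge token with the account key
// thumbprint (RFC 8555 section 8.1).
func KeyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// TXTValue is the DNS-01 record content: base64url(SHA-256(keyAuthorization)).
func TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ChallengeRecordName returns the owner name of the validation record as a
// fully qualified, lower-cased name. For a wildcard identifier the "*." label
// is dropped, so "*.example.com" and "example.com" share one record name.
func ChallengeRecordName(identifier string) string {
	d := strings.ToLower(strings.TrimSuffix(identifier, "."))
	d = strings.TrimPrefix(d, "*.")
	return "_acme-challenge." + d + "."
}

// TXTRecord is one RRset to UPSERT in Route53. All values for a name go into
// a single RRset because an UPSERT replaces the existing set entirely.
type TXTRecord struct {
	Name   string
	Values []string // each value quoted, as Route53 expects TXT rdata
}

// PlanTXTRecords maps identifier->token pairs (as returned by the CA's
// challenges) to the RRsets that must exist before validation is requested.
func PlanTXTRecords(key RSAJWK, tokens map[string]string) []TXTRecord {
	tp := Thumbprint(key)
	byName := map[string][]string{}
	for ident, token := range tokens {
		name := ChallengeRecordName(ident)
		val := TXTValue(KeyAuthorization(token, tp))
		byName[name] = append(byName[name], "\""+val+"\"")
	}
	var out []TXTRecord
	for name, vals := range byName {
		sort.Strings(vals)
		out = append(out, TXTRecord{Name: name, Values: vals})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

func main() {
	// Constructed sample input: a throwaway account key and made-up tokens
	// (real tokens come from the CA's challenge objects).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	key := JWKFromRSAPublicKey(&priv.PublicKey)
	plan := PlanTXTRecords(key, map[string]string{
		"example.com":     "token-for-apex",
		"*.example.com":   "token-for-wildcard",
		"www.example.com": "token-for-www",
	})
	for _, r := range plan {
		fmt.Printf("UPSERT TXT %s TTL 60 -> %s\n", r.Name, strings.Join(r.Values, " "))
	}
}
```

Check the thumbprint code against the test vector in RFC 7638 section 3.1 before relying on it with a real account key. The names and values printed are what the tool must UPSERT into Route53 (hence route53:ChangeResourceRecordSets scoped to the zone), then poll with route53:GetChange until the change is INSYNC, and only then ask the CA to validate; deleting the records afterwards keeps the zone free of stale challenge data.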

Usage by AWS Lambda:

For the latest information on running the tool as an AWS Lambda function, see the Lambda instructions in the project repository.

Links:

Let's Encrypt Website: https://letsencrypt.org

Community: https://community.letsencrypt.org

Amazon Certificate Manager: https://aws.amazon.com/certificate-manager

Route53 by AWS: https://aws.amazon.com/route53

Lambda by AWS: https://aws.amazon.com/lambda

ACME spec: http://ietf-wg-acme.github.io/acme/

acme-dns-route53's Issues

feature addition: store cert/key in s3

Hello! Thank you so much for making this tool, it does almost exactly what I need it to :)

I have a few use-cases in which I need access to the private key of a generated certificate. As this is not accessible once stored in ACM, would you accept a PR that introduces support for storing certs/private keys in s3 as an alternative destination?
