Auto-renew letsencrypt.org SSL certificates provisioned on ACM.
- Clone the repository:

  ```sh
  git clone [email protected]:j3ko/aws-certbot.git
  ```

- Change into the project directory:

  ```sh
  cd aws-certbot
  ```

- Edit `.env.sample` and fill in the required fields.
- Build the docker image:

  ```sh
  docker build -t aws-certbot-builder .
  ```

- Run aws-certbot locally:

  ```sh
  docker run -it --rm --env-file=./.env.sample -v /var/run/docker.sock:/var/run/docker.sock aws-certbot-builder
  ```
Running aws-certbot locally will:

- Check ACM to see if any domains in `DOMAIN_LIST` are missing or expiring soon.
- If domains are missing or expiring, run certbot to generate a new SSL certificate.
- Upload any newly generated certificates to ACM.
Variable | Description
---|---
`APP_NAME` | Name used for docker images/AWS resources
`AWS_ACCESS_KEY_ID` | AWS access key
`AWS_SECRET_ACCESS_KEY` | AWS secret access key
`AWS_DEFAULT_REGION` | AWS region to use
`DOMAIN_LIST` | A list of domains separated by commas and semicolons. The semicolon separates groups of domains, while commas separate individual domains. For example: `domain.com,*.domain.com;example.io,staging.example.io`
`DOMAIN_EMAIL` | Cloudflare API key with edit.zone permissions
`DAYS_BEFORE_EXPIRATION` | Number of days before expiration to request renewal
`LAMBDA_TIMEOUT` | Lambda timeout in seconds
To deploy aws-certbot to AWS:

- Edit `.env.sample` and fill in the required fields.
- Build the docker image:

  ```sh
  docker build -t aws-certbot-builder .
  ```

- Deploy aws-certbot to AWS:

  ```sh
  docker run -it --rm --env-file=./.env.sample -v /var/run/docker.sock:/var/run/docker.sock aws-certbot-builder ./deploy.sh
  ```

Deploying will:

- Build the aws-certbot docker image and upload it to ECR.
- Deploy the CloudFormation stack defined in `cloud.yaml`, which runs the docker image as a Lambda function.
- Create the timer defined in `cloud.yaml`, which executes the Lambda function once a day.
Current limitations:

- Only Cloudflare-managed domains can currently be used.
- The Cloudflare API key is stored in the Lambda function's environment variables, so it is visible to anyone who can read the function's configuration.
AWS-Certbot is based largely on the following amazing projects: