Auto renew letsencrypt.org SSL certificates provisioned on ACM.
-
git clone [email protected]:j3ko/aws-certbot.git -
cd aws-certbot -
Edit
.env.sampleand fill in the required fields -
Build the docker image
docker build -t aws-certbot-builder . -
Run aws-certbot locally
docker run -it --rm --env-file=./.env.sample -v /var/run/docker.sock:/var/run/docker.sock aws-certbot-builder
Running aws-certbot locally will:
- Check ACM to see if any domains in
DOMAIN_LISTare expiring soon. - If domains are missing or expiring, certbot runs and generates a new SSL certificate
- Any newly generated certificates are uploaded to ACM
| Variable | Description | Required? |
|---|---|---|
| APP_NAME | Name used for docker images/AWS resources | โ |
| AWS_ACCESS_KEY_ID | AWS access key | โ |
| AWS_SECRET_ACCESS_KEY | AWS secret access key | โ |
| AWS_DEFAULT_REGION | AWS region to use | โ |
| DOMAIN_LIST | A list of domains separated by commas and semicolons. The semicolon separates groups of domains, while commas separate individual domains. For example: domain.com,*.domain.com;example.io,staging.example.io |
โ |
| DOMAIN_EMAIL | Cloudflare API key with edit.zone permissions | โ |
| DAYS_BEFORE_EXPIRATION | Number of days before expiration to request renewal | โ |
| LAMBDA_TIMEOUT | Lambda timeout in seconds | โ |
-
Edit
.env.sampleand fill in the required fields -
Build the docker image
docker build -t aws-certbot-builder . -
Deploy aws-certbot to AWS
docker run -it --rm --env-file=./.env.sample -v /var/run/docker.sock:/var/run/docker.sock aws-certbot-builder ./deploy.sh
- The aws-certbot docker image is built and uploaded to ECR.
- The cloud formation defined in
cloud.yamlis deployed to run the docker image as a lambda function. - A timer is defined in
cloud.yamlto execute the lambda function once a day.
- Only Cloudflare-managed domains can currently be used.
- Cloudflare API key is visible in lambda environment variables.
AWS-Certbot is based largely on the following amazing projects: