Automate renewing SSL Certificate with AWS

Hi guys,

My domain is milan.com
The instance is: amazon linux
So every 3 months I need to renew my SSL certificate, and I am doing it manually.
So in AWS I have hosted zones -> milan.com
The steps I am doing are ->
When I am logged in to the instance, I enter this command: sudo certbot --manual --preferred-challenges dns certonly. Then I manually enter all the domains that I need to be renewed, like alpha.milan.com, milan.com, inter.milan.com, etc. (*.milan.com). Then the output provides me TXT records for every domain, which I need to change as TXT records in AWS. Then, after I change all the TXT records in AWS, I restart the httpd service on the instance.
!!! milan.com is an example !!!

Best Regards,
Milan

AWS is Route53, right? Certbot has a DNS plugin for Route53, so you might be able to automate things. See the certbot-dns-route53 documentation for more information.

Note that when/if you've got the DNS plugin working, it should be enough to run sudo certbot renew to renew your certificate(s). This is usually done with a cronjob or systemd timer, which may or may not be already installed, depending on how you've installed Certbot to begin with.

4 Likes

Automating DNS-challenge based LetsEncrypt certificates with AWS Route 53 | by John Rix | Medium, do you think that this will do the job? Only modify the cron job for a long time and add a script to restart the httpd service. Do you think 1 or 2 minutes are okay for the httpd service to restart after the cron job for the renewal?

I think you are overcomplicating the process.
A cron job that runs immediately after renewal attempts would reload/restart the httpd service way too often.
Certs last 90 days.
They only need to be renewed after 60 days [default].
The renewal process runs and first checks to see if any certs need to be renewed.
Most of the time, there is nothing to renew.

Either:

  • use a deploy-hook to reload/restart the httpd service [which is only triggered when a cert is actually renewed]
  • schedule the reload/restart without any regard to the cert state [like once a week (every week) during off hours]
    The cert should renew 30 days ahead of expiry - that should cover four reloads/restarts.
4 Likes

Hello,
Thanks for the answer :slight_smile: So I entered the command sudo certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d domain.com -d up.domain.com and all went great and successfully :slight_smile: So what I understand from your message is that every 60 days certbot will automatically update the certificates, without anything additional to do after the command that I entered before? No need to do anything else? Only adding the deploy-hook or scheduling the reload?

Yes.
That command will only renew the cert ["certonly"].
So, at some point you must update whatever is using the old cert to use the updated cert.
Using a deploy-hook is ideal - but there are plenty of ways to get [essentially] the same result.

5 Likes
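The two replies above (the "use a deploy-hook" advice and the "certonly only renews the cert" answer) describe the missing piece in words. Below is an added example of that piece, written for this page and not taken from the thread, certbot or the Medium article: a deploy hook for an Amazon Linux httpd host. Certbot runs deploy hooks only when a lineage was actually renewed (not on the ~59 days of `certbot renew` runs where nothing happens, and not on `--dry-run`), and it exports `RENEWED_LINEAGE` and `RENEWED_DOMAINS` to the hook. The script checks that the renewed lineage is the one httpd is configured to serve, refuses to reload onto an unparseable chain, runs `httpd -t`, and only then reloads. The httpd config path `/etc/httpd/conf.d/ssl.conf` and the install location are assumptions. Two things the thread does not mention: the Route53 plugin reads AWS credentials through the normal boto3 chain, so on EC2 an instance profile avoids leaving static keys in `~/.aws`, and the certbot-dns-route53 docs give a minimal policy of `route53:ListHostedZones`, `route53:GetChange` and `route53:ChangeResourceRecordSets` (the last one scoped to the hosted zone), which is all the instance needs.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot deploy hook that reloads
# httpd only when the lineage certbot just renewed is the one httpd serves.
# certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks.
# The httpd config path below is an assumption for this example.
#
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-httpd.sh (0755),
# or pass it once with:
#   certbot certonly --dns-route53 -d milan.com -d up.milan.com \
#       --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/reload-httpd.sh
# certbot stores the hook in the lineage's renewal config, so the
# packaged "certbot renew" timer/cron reuses it automatically.

set -eu

HTTPD_SSL_CONF="${HTTPD_SSL_CONF:-/etc/httpd/conf.d/ssl.conf}"

# Print the first SSLCertificateFile path found in an httpd config ($1).
configured_cert_file() {
    sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]][[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if the cert httpd serves lives under the renewed lineage.
# $1: RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/milan.com)
# $2: httpd config file
should_reload() {
    cert_file="$(configured_cert_file "$2")"
    [ -n "$cert_file" ] || return 1
    case "$cert_file" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Succeed only if $1 is a parseable PEM certificate; this stops a reload
# onto a truncated or empty fullchain.pem from taking the site down.
cert_parses() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

deploy() {
    lineage="$1"
    if ! should_reload "$lineage" "$HTTPD_SSL_CONF"; then
        logger -t certbot-deploy "lineage $lineage not used by httpd; skipping reload"
        return 0
    fi
    if ! cert_parses "$lineage/fullchain.pem"; then
        logger -t certbot-deploy "fullchain.pem in $lineage does not parse; NOT reloading"
        return 1
    fi
    # Syntax-check the config against the new files before reloading.
    httpd -t
    systemctl reload httpd
    logger -t certbot-deploy "reloaded httpd for ${RENEWED_DOMAINS:-$lineage}"
}

# certbot sets RENEWED_LINEAGE when it invokes the hook. When the file is
# only sourced (for example to exercise the functions) nothing runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

After installing the hook, `sudo certbot renew --dry-run` confirms the Route53 challenge and renewal path work end to end, but deploy hooks are deliberately not executed on a dry run, so test the hook itself once by running it with `RENEWED_LINEAGE=/etc/letsencrypt/live/<your-lineage>` set in the environment. A `reload` is preferable to the `restart` from the original post because it picks up the new files without dropping in-flight connections.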

Okay, thanks a lot :slight_smile: You helped me a lot, together with the other person. Have a nice day.

3 Likes

You too!
Cheers from Miami :beers:

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.