Deploy renewed certificates to aws using deploy hooks


#1

Hi everyone,
First of all thanks for your awesome services.
I’m automating the certificate renewal process. In this process, we’re uploading our LE certificates to an AWS load balancer, so whenever a certificate gets renewed, it should be updated on AWS as well. The awscli command used to re-import a certificate into AWS Certificate Manager includes the certificate ARN (just like an ID), e.g.
sudo aws acm import-certificate --certificate "file://$RENEWED_LINEAGE/cert.pem" --private-key "file://$RENEWED_LINEAGE/privkey.pem" --certificate-chain "file://$RENEWED_LINEAGE/chain.pem" --certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-12345678901

I’m thinking of placing it inside the renewal_hooks/deploy directory as a deploy hook script, so that whenever a certificate gets renewed it will be deployed to AWS, but I got stuck on how to handle this certificate ARN, which is different for every certificate. Is there any way we can achieve this, as there are multiple certificates which cannot use the same script?

Thanks in advance.


#2

First of all, you don’t need to use one script for every certificate.

When you issue that certificate initially, you could specify the script you use to deploy the certificate after issuance (and you could specify the ARN inside that script).

Alternatively, you could have the script load the ARN data from a file, then use the domain argument to match the ARN. (This is just a thought…)

Thank you


#3

You could consider using a hook with a structure like this, where it’s a no-operation if a mapping is not defined for the lineage:

#!/usr/bin/env bash

set -euf -o pipefail

# Configure your certificate to ACM mappings here
# (certbot lineage directory -> ACM certificate ARN)
declare -A targets
targets["/etc/letsencrypt/live/example.org"]="arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-12345678901"
targets["/etc/letsencrypt/live/other.org"]="arn:aws:acm:region:123456789012:certificate/12345678-4321-4321-4321-109876543210"

# certbot exports RENEWED_LINEAGE to deploy hooks; the "+_" expansion is
# non-empty only when a mapping exists, so unmapped lineages are skipped.
if [ "${targets[$RENEWED_LINEAGE]+_}" ]; then
  aws acm import-certificate --certificate "file://$RENEWED_LINEAGE/cert.pem" --private-key "file://$RENEWED_LINEAGE/privkey.pem" \
    --certificate-chain "file://$RENEWED_LINEAGE/chain.pem" --certificate-arn "${targets[$RENEWED_LINEAGE]}"
fi
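
The file-based variant suggested in #2, written out as an added example (this is not code from the thread or from certbot; the mapping file path, its `<lineage-name> <ARN>` format and the `ACM_ARN_MAP` override variable are assumptions). It relies on `RENEWED_LINEAGE` and `RENEWED_DOMAINS`, which certbot exports to deploy hooks, looks the lineage name up in an external mapping file, sanity-checks the ARN before handing it to the CLI, and exits quietly when no mapping exists. Two caveats a practitioner would want: certbot normally runs deploy hooks as root, so the AWS credentials (profile, environment or instance role) must be available to root, not to your login user; and the mapping file decides which ACM certificate gets overwritten, so keep it root-owned and not writable by anyone else.

```shell
#!/usr/bin/env bash
# Added example: certbot deploy hook that re-imports the renewed lineage into
# ACM using an external lineage -> ARN mapping file. Not the thread's code.
set -eu

# Assumed mapping file: one "<lineage-name> <ARN>" pair per line.
# Blank lines and lines starting with '#' are ignored.
MAP_FILE="${ACM_ARN_MAP:-/etc/letsencrypt/acm-arn-map.txt}"

# Print the ARN mapped to a lineage name; return 1 if unmapped or unreadable.
lookup_arn() {
  map_file="$1"
  name="$2"
  [ -r "$map_file" ] || return 1
  while read -r key arn _rest; do
    case "$key" in ''|'#'*) continue ;; esac
    if [ "$key" = "$name" ]; then
      printf '%s\n' "$arn"
      return 0
    fi
  done < "$map_file"
  return 1
}

# Refuse anything that does not look like an ACM certificate ARN, so a
# corrupted mapping file cannot point the import somewhere unexpected.
is_acm_arn() {
  case "$1" in
    arn:aws:acm:*:*:certificate/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Re-import cert, private key and intermediate chain into the existing ARN.
import_to_acm() {
  lineage="$1"
  arn="$2"
  aws acm import-certificate \
    --certificate "file://$lineage/cert.pem" \
    --private-key "file://$lineage/privkey.pem" \
    --certificate-chain "file://$lineage/chain.pem" \
    --certificate-arn "$arn" >/dev/null
}

# Entry point when invoked by certbot (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  name="$(basename "$RENEWED_LINEAGE")"
  if arn="$(lookup_arn "$MAP_FILE" "$name")"; then
    is_acm_arn "$arn" || { echo "refusing malformed ARN for $name" >&2; exit 1; }
    import_to_acm "$RENEWED_LINEAGE" "$arn"
    echo "re-imported $name (${RENEWED_DOMAINS:-?}) into $arn"
  else
    echo "no ACM mapping for $name; nothing to do" >&2
  fi
fi
```

Matching on the lineage name (the last path component of `RENEWED_LINEAGE`) rather than on `RENEWED_DOMAINS` keeps the key stable when a lineage covers several SANs; if you prefer the domain-keyed lookup from #2, use the first entry of `RENEWED_DOMAINS` as the key instead.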

#4

Thanks @stevenzhu & @_az, will try your solutions & update here.

