How do I get a Let's Encrypt SSL certificate for a domain with multiple IP addresses?

Help
1

How do I get a Let's Encrypt SSL certificate for a domain with multiple IP addresses, when each IP address is for an AWS LightSail instance with the Bitnami Node.js blueprint?

Also, I need to auto-renew my Let's Encrypt SSL certificate for a domain with multiple IP addresses, without any manual execution.

I have a domain set up on AWS Route 53 with three IP addresses, with the simple routing AWS Route 53 policy; so, when a request is made on the domain, any one of the three IP addresses can be used to contact a server.

Each IP address is for a Node.js server running on an AWS LightSail instance with the Bitnami Node.js blueprint; each Node.js server runs two or more Express.js servers on different ports.

No separate load balancer; the Node.js backend web app running two or more Express.js servers on each AWS LightSail instance performs job re-distribution to another AWS LightSail instance when needed.

Considering what's in Generate and Install a Let's Encrypt SSL Certificate for a Bitnami Application, it seems that the Bitnami tools for getting a Let's Encrypt SSL certificate isn't for a domain with multiple IP addresses.

While doing some research on the Internet for finding information on getting a Let's Encrypt SSL certificate for a domain with multiple IP addresses, I came across Certbot (Getting Started - Let's Encrypt, https://certbot.eff.org/, About Certbot), which I am unfamiliar with, and may need to look into for getting a Let's Encrypt SSL certificate for a domain with multiple IP addresses.

I also came across the following, somewhat-relevant potential references, but none of them clearly and decisively gives an answer on getting a Let's Encrypt SSL certificate for a domain with multiple IP addresses.

I have not looked into Welcome to certbot-dns-route53’s documentation! — certbot-dns-route53 0 documentation yet, but my hunch is that this is highly relevant to getting a Let's Encrypt SSL certificate for a domain with multiple IP addresses with the domain configured on AWS Route 53.

How do I get a Let's Encrypt SSL certificate for a domain with multiple IP addresses, when the domain is configured on AWS Route 53, when each IP address is for an AWS LightSail instance with Bitnami Node.js blueprint, when I need to auto-renew the Let's Encrypt SSL certificate for a domain with multiple IP addresses?

Which would be the best method for getting a Let's Encrypt SSL certificate for a domain with multiple IP addresses, for my aforementioned backend configuration?

2

There are many ways to handle your situation. A DNS Challenge using your Route53 domain is probably best.

One key concern with multiple servers like that is Let's Encrypt Rate Limits. You can only get five identical certs per week. Of course, that allows all 3 of your servers to get their own at the same time but if you needed to refresh them all for some reason one of the requests would fail. And, if you scale beyond this you can imagine the problems. See Rate limits: Rate Limits - Let's Encrypt

Further, Let's Encrypt cert requests can fail anyway for temporary reasons so you need to factor that in your plans. You can't expect a fresh server instance to "wake up" and rapidly get a cert 100% of the time.

One general approach is to use a dedicated server of some kind which just gets a cert and stores it in a location common to all your server instances (perhaps S3 or EFS for example). Then each of your running servers periodically refresh their cert files from this common location.

Choosing your ACME Client to get the cert depends on what kind of system you use to acquire the certs. You might be able to use something like lego on bitnami if its cert-manager does not support Route53 DNS Challenges. I am not expert for bitnami.

3 Likes
3

Two things:

1- As stated above, you should use a central system to obtain all the certs, and distribute them to the servers. Some ACME clients use coordinated cloud storage for this, some ACME users will use post-issuance hooks to rysnc or otherwise deploy the certs to their infrastructure.

2- As mentioned above, DNS-01 is a good solution. Another solution is to have all domains redirect the HTTP-01 /acme-challenge directory to a single system.

For instance, Given example.com has 3 DNS entries:

  • set up acme-auth.example.com with only 1 DNS entry.
  • install a redirect on all 3 example.com servers to redirect the .well-known/acme-challenge directory to acme-auth.example.com/well-known/acme-challenge
  • run the client to obtain certs on acme-auth.example.com
  • letsencrypt will follow all the redirects to the central location; now only that server needs to send the correct response.
  • use a deploy-hook from that server to distribute to the other machines.

A DNS hook would allow you to obtain/issue from the same machine, however:

1- You will run into rate-limit issues and one malfunctioning server can essentially take down the others.
2- automatic renewal with DNS introduces some security issues; if you can not properly lock down API tokens to only affect these specific renewal records, you will want to set up a subdomain/alternate-domain as a namespace and run a secondary dns system on that (like acme-dns or an isolated commercial dns account) to safely sandbox those credentials.

5 Likes
4

If they're using Route 53, it does support locked-down credentials that you can configure to only allow updates for TXT _acme-challenge records.

4 Likes
5

Thank you for your answers; they addressed some of the concerns and questions I had on this issue, and taught me something I didn't know about Let's Encrypt SSL certificate.

In order to find a way to get a Let's Encrypt SSL certificate for a domain with multiple IP addresses, I asked ChatGPT, "How do I get a Let's Encrypt SSL certificate for a domain with multiple IP addresses, when each IP address is for an AWS LightSail instance with Bitnami Node.js blueprint?", in the GPT-4o, o1, o3-mini, and o3-mini-high language models, which all gave some useful, sometimes overlapping, but incomplete answers.

ChatGPT o1 model gave the most useful answers, covering "Option 1: Use DNS-01 (TXT record) validation", and "Option 2: Use HTTP-01 but ensure every server responds correctly".

I also asked ChatGPT, "How do I use Certbot to get a Let's Encrypt SSL certificate for a domain with multiple IP addresses, when the domain is configured on AWS Route 53?", in the GPT-4o, o1, o3-mini, and o3-mini-high language models.

ChatGPT GPT-4o gave the most detailed answers, with step-by-step instructions, which were missing some necessary details, contained some inaccuracies and incompleteness that I found out when I actually tried the given procedure. ChatGPT GPT-4o also gave a Linux Certbot command for auto-renewing Let's Encrypt SSL certificate, which is sudo certbot renew --dns-route53 --quiet. The ChatGPT GPT-4o given procedure had to be modified and improved, in order to be fully accurate and complete for execution.

Using the ChatGPT answers and other references (mainly Welcome to certbot-dns-route53’s documentation! — certbot-dns-route53 0 documentation), I created the following written procedure for getting a Let's Encrypt SSL certificate for a domain with multiple IP addresses, using DNS-01 (TXT record) validation, when the domain is configured on AWS Route 53, when each IP address is for an AWS LightSail instance with Bitnami Node.js blueprint, when I need to auto-renew the Let's Encrypt SSL certificate for a domain with multiple IP addresses.

I've successfully acquired a Let's Encrypt SSL certificate for a domain with multiple IP addresses using the following procedure that I wrote and fully tested.

Multiple-IP-address domain Let's Encrypt SSL certificate acquisition procedure (written using ChatGPT and Google AI provided answers, and Welcome to certbot-dns-route53’s documentation! — certbot-dns-route53 0 documentation, as the main references)

  1. Create an AWS IAM user (named lets-encrypt-multi-ip-address-ssl-certificate-getter, for example) with a policy (named LetsEncryptAwsRoute53Policy, for example) for AWS Route 53 domain record update permission, so that Certbot can perform Let's Encrypt DNS-01 (TXT record) validation using the AWS Route 53 API with the AWS IAM user credentials; the Let's Encrypt DNS-01 (TXT record) validation issues an SSL certificate for a domain by creating a TXT record in the domain record before validation, then deleting it after validation, so that the domain is issued an SSL certificate without contacting and validating all the servers via the IP addresses in the domain record.
    1.1. Using the LetsEncryptAwsRoute53Policy JSON template below, create the final LetsEncryptAwsRoute53Policy JSON; YOURHOSTEDZONEID can be found by visiting the AWS Route 53 console, selecting Hosted zones on the left pane, selecting the hosted zone with the domain, and expanding the Hosted zone details section.
    1.2. Visit the AWS IAM console.
    1.3. Select Users on the left pane.
    1.4. Select Create user.
    1.5. Type lets-encrypt-multi-ip-address-ssl-certificate-getter as the user name. Do not select "Provide user access to the AWS Management Console - optional".
    1.6. Select Next.
    1.7. Select "Attach policies directly" under Permissions options.
    1.8. Select Create policy.
    1.9. Select JSON under Policy editor.
    1.10. Copy the LetsEncryptAwsRoute53Policy JSON, and paste it into the Policy editor box in the AWS IAM Create policy console.
    1.11. Select Next.
    1.12. Type LetsEncryptAwsRoute53Policy in the Policy name box.
    1.13. Select Create policy.
    1.14. Close the Policies AWS IAM console web browser tab, and get back to the Create user AWS IAM console web browser tab.
    1.15. Select the Refresh policies button in the Permissions policies section so that the newly created LetsEncryptAwsRoute53Policy will be loaded.
    1.16. Type LetsEncryptAwsRoute53Policy in the Permission policies search box.
    1.17. Select LetsEncryptAwsRoute53Policy.
    1.18. Select Next.
    1.19. Select Create user.
    1.20. Generate, download, and store the Access Key ID and Secret Access Key of this AWS IAM user that Certbot will use to access the AWS Route 53 API for Let's Encrypt DNS-01 (TXT record) validation.
    1.20.1. Select lets-encrypt-multi-ip-address-ssl-certificate-getter in the AWS IAM Users console.
    1.20.2. Select "Create access key" in the Summary section.
    1.20.3. Select Other.
    1.20.4. Select Next.
    1.20.5. Select Create access key.
    1.20.6. Select Show under Secret access key.
    1.20.7. Record and store access key and secret access key in a safe place.
    1.20.8. Select Download .csv file; save the store access key and secret access key CSV file in a safe place.
    1.20.9. Select Done.
  2. On each AWS LightSail instance (that may later auto-renew Let's Encrypt SSL certificate for the multiple-IP-address domain), enable AWS Route 53 API access by storing the AWS IAM lets-encrypt-multi-ip-address-ssl-certificate-getter user credentials in the ~/.aws/config file. For more information, refer to Welcome to certbot-dns-route53’s documentation! — certbot-dns-route53 0 documentation and Configuration - Boto3 1.37.11 documentation (apparently, Certbot AWS Route 53 plugin uses AWS Route 53 API via boto3, a Python module for AWS API). Note that the Certbot command for getting an SSL certificate must be ran as a superuser on AWS LightSail instance with Bitnami Node.js blueprint, because the Certbot executable needs access to '/var/log/letsencrypt/.certbot.lock', which only the root user can access; as such, the ~/.aws/config must be in the superuser's home directory, and the Certbot executable must be ran as a superuser.
    2.1. Using the AWS IAM lets-encrypt-multi-ip-address-ssl-certificate-getter user credentials config file contents template below, create the AWS IAM lets-encrypt-multi-ip-address-ssl-certificate-getter user credentials config file contents, using the YOUR_ACCESS_KEY_ID and YOUR_SECRET_ACCESS_KEY created and recorded earlier.
    2.2. Launch an SSH terminal for the AWS LightSail instance.
    2.3. Execute sudo su in the terminal to log in as the superuser.
    2.4. If the directory ~/.aws/ does not already exist, execute mkdir ~/.aws/ in the terminal.
    2.5. Execute nano ~/.aws/config in the terminal.
    2.6. Copy the AWS IAM lets-encrypt-multi-ip-address-ssl-certificate-getter user credentials config file contents, and paste it into the nano editor view in the terminal.
    2.7. Press Ctrl+O to save the file.
    2.8. Press Enter to save to the file named "config".
    2.9. Press Ctrl+X to exit the nano editor.
    2.10. Execute exit in the terminal to log out of the superuser mode.
  3. On each AWS LightSail instance, install Certbot and Certbot AWS Route 53 plugin by performing the following commands on a terminal window.
    3.1. Execute sudo apt update.
    3.2. Execute sudo apt install certbot.
    3.3. Execute sudo apt install python3-certbot-dns-route53.
  4. On an AWS LightSail instance, execute the Certbot command to acquire a Let's Encrypt SSL certificate for the domain with multiple IP addresses.
    4.1. Execute sudo certbot certonly --dns-route53 -d domain.com in the terminal, with domain.com replaced with your domain, and follow the instructions.
    4.2. Copy the SSL certificate files to the user home directory and change their owner settings, so that they can be accessed by the user, not only the superuser.
    4.2.1. Execute sudo cp /etc/letsencrypt/live/domain.com/fullchain.pem /home/bitnami/fullchain.pem.
    4.2.2. Execute sudo cp /etc/letsencrypt/live/domain.com/privkey.pem /home/bitnami/privkey.pem.
    4.2.3. Execute sudo chown bitnami /home/bitnami/fullchain.pem.
    4.2.4. Execute sudo chown bitnami /home/bitnami/privkey.pem.
    4.2.5. Execute sudo chgrp bitnami /home/bitnami/fullchain.pem.
    4.2.6. Execute sudo chgrp bitnami /home/bitnami/privkey.pem.
  5. On the local work computer, execute scp commands to download the Let's Encrypt SSL certificate files. (Example scp commands below.)
    5.1. Execute scp -i 'C:\Users\Allen\Documents\AWS\LightsailDefaultKey-us-east-1.pem' bitnami@AWS_LIGHTSAIL_INSTANCE_IP_ADDRESS_1:"/home/bitnami/fullchain.pem" 'C:\Users\Allen\Documents\source code\fullchain.pem' on the local work computer.
    5.2. Execute scp -i 'C:\Users\Allen\Documents\AWS\LightsailDefaultKey-us-east-1.pem' bitnami@AWS_LIGHTSAIL_INSTANCE_IP_ADDRESS_1:"/home/bitnami/privkey.pem" 'C:\Users\Allen\Documents\source code\privkey.pem' on the local work computer.
  6. On the local work computer, execute scp commands to upload the Let's Encrypt SSL certificate files to the other AWS LightSail instances. (Example scp commands below.)
    6.1. Execute scp -i 'C:\Users\Allen\Documents\AWS\LightsailDefaultKey-us-east-2.pem' 'C:\Users\Allen\Documents\source code\fullchain.pem' bitnami@AWS_LIGHTSAIL_INSTANCE_IP_ADDRESS_2:"/home/bitnami/fullchain.pem" on the local work computer.
    6.2. Execute scp -i 'C:\Users\Allen\Documents\AWS\LightsailDefaultKey-us-east-2.pem' 'C:\Users\Allen\Documents\source code\privkey.pem' bitnami@AWS_LIGHTSAIL_INSTANCE_IP_ADDRESS_2:"/home/bitnami/privkey.pem" on the local work computer.
    6.3. Execute scp -i 'C:\Users\Allen\Documents\AWS\LightsailDefaultKey-us-west-2.pem' 'C:\Users\Allen\Documents\source code\fullchain.pem' bitnami@AWS_LIGHTSAIL_INSTANCE_IP_ADDRESS_3:"/home/bitnami/fullchain.pem" on the local work computer.
    6.4. Execute scp -i 'C:\Users\Allen\Documents\AWS\LightsailDefaultKey-us-west-2.pem' 'C:\Users\Allen\Documents\source code\privkey.pem' bitnami@AWS_LIGHTSAIL_INSTANCE_IP_ADDRESS_3:"/home/bitnami/privkey.pem" on the local work computer.

LetsEncryptAwsRoute53Policy JSON template

{
    "Version": "2012-10-17",
    "Id": "certbot-dns-route53 sample policy",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"
            ]
        }
    ]
}

lets-encrypt-multi-ip-address-ssl-certificate-getter user credentials config file contents template

[default]
aws_access_key_id=YOUR_ACCESS_KEY_ID
aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.