Integrating AWS Roles Anywhere with Let’s Encrypt

Hi,

I was referring to the topic below, Integrating AWS Roles Anywhere with Let’s Encrypt, to integrate AWS Roles Anywhere with Let’s Encrypt.

I am not able to use cabundle.pem as-is in AWS IAM Roles Anywhere (Create a trust anchor) UI. The error I am getting is: "Certificate is equivalent to, or issued by, a public CA".

Let me know if I am missing any important config?

Thanks,
Rohit D Batra

FYI: @griffin, @rmbolger

FYI: @virshu

Problems configuring AWS Roles Anywhere are probably better directed to AWS Support or a related forum.

The thread you linked had good comments by @rmbolger about the security risks of using any public CA for this purpose. Be sure you research this fully.

Are you having trouble getting a cert from Let's Encrypt? Or is it just a problem configuring AWS?

You did not mention your domain name but if it is caboodle.com I don't see a Let's Encrypt cert issued for it. Just one from a GoDaddy parking site.

4 Likes

Hi Mike

I am having trouble using the Let’s Encrypt certificate cabundle.pem shared in the thread by @griffin.

For AWS IAM Roles Anywhere, AFAIK no domain is required.

Thanks,
Rohit D Batra

1 Like

I don't have any insight or experience about this AWS feature. I only skimmed the docs when the last thread came up. But it wouldn't surprise me if AWS specifically added a guardrail that prevents people from using a public CA for this service. It seemed like a terrible idea even if it was possible to lock down.

7 Likes

Glad you corrected the typo in your first post :slight_smile:

I am not able to as-is caboodle.pem in AWS IAM Anywhere

I don't use that AWS feature, but from a quick read it looks like you use a trusted root and not the intermediate bundle. But perhaps @griffin can add to that.

I still think AWS Support or re:Post is a better place for configuration help with that.

3 Likes
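An added check for the "trusted root, not the intermediate bundle" point in the reply above. It is not code from this thread, from AWS, or from Let's Encrypt: it builds a throwaway private CA with openssl (all names are constructed) and tests whether a PEM file is a self-signed CA root, the shape a trust anchor is meant to have, rather than an intermediate that chains up to some other root. It only tells roots and intermediates apart; it does not, and should not, get a public CA past the AWS rejection quoted in the first post.

```shell
#!/bin/sh
# Added example for this thread (not code from AWS, Let's Encrypt or any poster):
# build a throwaway private CA with openssl, then check whether a PEM file is a
# self-signed CA root (what a Roles Anywhere trust anchor is meant to be) or an
# intermediate that chains up to some other root. All names below are constructed.
set -eu

WORK="$(mktemp -d)"            # scratch directory for the constructed certificates
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed private root CA (constructed). A config file instead of
#    -addext keeps this working on older OpenSSL releases.
cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 30 \
  -config "$WORK/root.cnf" >/dev/null 2>&1

# 2. An intermediate CA issued by that root. It stands in for a public CA's
#    intermediate bundle: a CA certificate, but not a self-signed one.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\n' \
  > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/int.pem" -days 30 -extfile "$WORK/int.ext" >/dev/null 2>&1

# is_self_signed_ca FILE: exit 0 only if FILE holds a self-signed CA certificate:
#   - subject and issuer are identical,
#   - the signature verifies with the certificate's own public key,
#   - Basic Constraints asserts CA:TRUE.
# A non-self-signed intermediate fails the first two tests.
is_self_signed_ca() {
  cert="$1"
  subj="$(openssl x509 -in "$cert" -noout -subject)"
  iss="$(openssl x509 -in "$cert" -noout -issuer)"
  [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Human-readable verdict for one file (output only; the checks live in is_self_signed_ca).
report() {
  if is_self_signed_ca "$1"; then
    echo "$1: self-signed CA root (the right shape for a trust anchor)"
  else
    echo "$1: not a self-signed root (intermediate, leaf or broken); do not upload this as the anchor"
  fi
}

report "$WORK/root.pem"
report "$WORK/int.pem"
```

Let's Encrypt's intermediates (R3, and the R10/R11 mentioned later in this thread) are issued by ISRG Root X1, so a file containing one of them fails this check the same way the constructed intermediate does. A self-signed public root would pass the shape check, which is exactly why AWS applies its own separate "public CA" rejection on top; the check above is a pre-flight for a private CA, not a way around that guardrail.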

"AWS Roles anywhere" cannot be used with a public CA like Let's Encrypt.

It is designed to be used with a private CA.

8 Likes

I believe you are correct. All their docs teach towards private CAs. Allowing public CAs to be registered in this capacity would be a giant security vulnerability, and there is no real benefit to risk allowing public CAs.

I re-opened the old post to cross-link against this one. I can't seem to close it though, only archive.

5 Likes

(We have not yet begun issuing from R10 and R11; that change is scheduled to happen on June 6th.)

Regardless, please do not attempt to set up AWS Roles Anywhere with Let's Encrypt as the trusted CA.

6 Likes

Thanks all for your response

Please close the case

Regards,
Rohit D Batra

2 Likes

Topics are "closed" when a post is marked as the solution.
Is there a post that solved it?

3 Likes