This policy needs to be revisited. I see the prior thread on this topic from years ago, but ALL IP addresses and DNS entries are essentially "ephemeral", and thinking it might get re-assigned is a slippery slope because all DNS entries could be re-assigned. Adding a DNS entry for an EC2 IP address is trivial anyway; the policy does not add value in my opinion.
Welcome to the community @kpconnell
Can you please explain the Let's Encrypt policy that needs revisiting? Or, at least a link to the "prior thread" you mention.
I use Let's Encrypt on EC2 instances all the time. It is a common service.
I'm guessing OP means the fact that LE refuses to issue certs for hostnames which are essentially more of a PTR for an EC2 instance's IP address, e.g. 198-51-100-7.something.ec2.amazom.com or something similar.
A fair guess. So, just get a domain name in Route53 and use an Elastic IP.
Yes, the prohibition on ec2.amazon.com. Of course, you can add an A record or CNAME to any domain, but that is exactly my point: given that, what's the point of the prohibition?
Staff or someone else may need to weigh in, but you don't own those names; AWS does. I stop/start EC2 instances often without using an Elastic IP and I get different EC2 names each time. They might have been used by someone else before. LE doesn't know how persistent any one particular name is.
The EC2 name is more like an alias for an IP address and LE does not grant certs using the IP address as the name.
The same is true of any IP address, or, on a slightly different timescale, any DNS domain.
The relevant scale is the lifetime of a Let's Encrypt certificate.
It is worth noting that ec2.amazon.com is not on the Public Suffix List, which implies that Amazon does not want end users to be able to generate certificates for these domains as well, as multiple Amazon domains are enrolled in that list. Without Amazon supporting those domains on the PSL, there are considerable security risks due to browser sandbox models, and it is essentially impossible for LetsEncrypt to support that domain due to rate limits.
I don't know the specifics of the LetsEncrypt ban on ec2 domains, but it's really a moot point until Amazon decides they want to allow it. IIRC, amazonaws.com is on a blocklist for phishing concerns, but does have subdomains on the PSL.
If you want the feature, you should lobby Amazon to reverse their decision and have them make the arguments to LetsEncrypt.