Usage of Let’s Encrypt

Hi,

Can I use Let’s Encrypt for AWS load balancers and hosted LBs? Is it possible to give more than 90 days of expiry, or should the cert expire every 90 days and get auto-renewed?

Regards
Dev

Hi Dev,

The name of this service is Let’s Encrypt rather than lenscrypt. :slight_smile:

Some people on this forum have described using Let’s Encrypt certificates with ELB. This is certainly allowed from both Let’s Encrypt’s and AWS’s perspective. Often, if you’re using AWS services like ELB, it can be easier to get your certificates directly from AWS instead, using the Amazon Certificate Manager (ACM):

https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

This has a more direct integration with ELB than Let’s Encrypt does, so that might be more convenient.

Let’s Encrypt certificates are always free of charge and always last exactly 90 days. The autorenewal will need to be handled by an ACME client application which will normally need to run on a server somewhere. The ACME client application requests new certificates from Let’s Encrypt (normally every 60 days) and has to prove continued control over the domain names listed in the certificates. You will then need to use other APIs or scripts to deploy the new certificate data appropriately within the AWS infrastructure, depending on how you’re using it.

This is often not very hard and may even be very easy, but again, you might have an even easier experience with ACM if it works with the way you’re using AWS infrastructure. At least, that’s what I’ve heard from previous forum discussions on this topic!

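The deployment step mentioned in the reply above, sketched as a Certbot deploy hook (an added example, not code from this thread, Certbot or AWS). It assumes the certificate was originally imported into ACM and that the operator supplies `ACM_CERT_ARN`; `AWS_CLI` is a hypothetical override used for dry runs.

```bash
#!/usr/bin/env bash
# Certbot deploy hook: push a renewed Let's Encrypt certificate into ACM.
# Certbot sets RENEWED_LINEAGE (the live/<name> directory) for deploy hooks.
# ACM_CERT_ARN and AWS_CLI are assumed, operator-supplied variables.
set -u

# Refuse to deploy a lineage that is incomplete, near expiry, or mismatched.
check_lineage() {
  local dir="$1" f cert_pub key_pub
  for f in cert.pem chain.pem privkey.pem; do
    [ -s "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  # The certificate must still be valid 24 hours from now.
  openssl x509 -in "$dir/cert.pem" -noout -checkend 86400 >/dev/null ||
    { echo "certificate expires within 24h" >&2; return 1; }
  # The certificate's public key must match the private key being uploaded.
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; return 1; }
}

# Re-import into an existing ACM certificate ARN so listeners keep working.
deploy_to_acm() {
  local dir="$1" arn="$2"
  check_lineage "$dir" || return 1
  "${AWS_CLI:-aws}" acm import-certificate \
    --certificate-arn "$arn" \
    --certificate "fileb://$dir/cert.pem" \
    --private-key "fileb://$dir/privkey.pem" \
    --certificate-chain "fileb://$dir/chain.pem"
}

# Act only when Certbot invokes this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_to_acm "$RENEWED_LINEAGE" "${ACM_CERT_ARN:?set ACM_CERT_ARN}"
fi
```

Placed in Certbot's `renewal-hooks/deploy` directory, the script runs only after a successful renewal, so a failed or partial renewal never replaces the certificate the load balancer is serving.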

Thanks @schoen for the detailed information. So in the case of a standalone server, do we need to approve every 60-day renewal? How does renewal happen?

The typo has been corrected, thanks.

By “standalone”, do you mean without using AWS managed load balancers?

If so, it is usually straightforward to set up automatic renewal that does not require any human approval. For example, by following the instructions on https://certbot.eff.org/ or whatever ACME clients are available on your operating system.

Hello, the Certbot link for Windows says:

Certbot for Windows can currently obtain your certificate from Let’s Encrypt, but not install it into your web server application.

Does it mean that if the certificate is installed on an IIS web server, it will not work?

No. It only means you have to install it into IIS by hand or with another tool.

So if I follow the steps to configure Certbot as the link says, will that work?
Do I need to make any changes? I have a Windows server with IIS configured with a sample web page.

Yes, it will work to obtain the certificate. But like it says in Step 6:

You’ll need to install your new certificate in the configuration file or interface for your webserver.

And you’ll need to do this manually every 60’ish days when it renews.

If you want the whole process to be automated, you’ll need to choose a different client that supports automated IIS installs. There are plenty to choose from here.

As an aside (unrelated to Let’s Encrypt) you can alternatively use BuyPass Go as your ACME certificate provider to get 180 day certificates (with some restrictions, e.g. no wildcards).

If you’re looking for something that covers Windows, there are many clients available. https://certifytheweb.com (my app) is a GUI and supports both Let’s Encrypt and BuyPass Go directly and will auto install/renew the certificate for IIS sites. Certbot and other command line tools can also be used with any other ACME services; their support for auto-installing to IIS etc. will vary.