Using Let's Encrypt with AWS ELB

Hello,

I am looking for SSL certs for my production environment. Please guide.

Hi @muddassir

There is very little chance people will guide you with an open question like that.

YouTube - Let's Encrypt + your web server
Google - Let's Encrypt + your web server

Once you have an approach in mind, if you need further clarifications then feel free to ask, but open-ended "guide me" questions with little detail aren't the best way to get help.

Andrei

@muddassir Take a Look here: https://certbot.eff.org

Thanks for the kind words.
But I want to use Let's Encrypt with an AWS Elastic Load Balancer. Please share.

https://blog.alejandrocelaya.com/2016/08/16/setup-a-lets-encrypt-certificate-in-a-aws-elastic-load-balancer/

many thanks.

Please let me know whether the document path is necessary. What if we are using a Node server as the web server and running the app on port 443 behind an Elastic Load Balancer?

There are three ways to validate your control of a domain name with Let's Encrypt.

I wrote a lot of documentation about this which I will quote here:

Digital certificates can only be issued to people who are entitled to them. For example, assuming you don’t run google.com, you’re not entitled to a certificate for it. Nor is someone else entitled to receive a certificate for your web site.

In order to receive a certificate from Let’s Encrypt certificate authority (CA), you have to prove your control over each of the domain names that will be listed in the certificate. You can do so by making certain publicly-visible changes, proving that the person who’s requested a particular certificate is the same person who controls the site(s) that the certificate will refer to.

Let’s Encrypt specifies three different ways to prove your control over a domain (each of which Certbot may be able to do for you). These are called “challenges,” because you are being challenged to perform tasks that only someone who controls the domain should be able to accomplish.

When you use Certbot, it will attempt to help you prove control over your domains automatically in a way that’s acceptable to the CA. Especially if this doesn’t work the way you expected, it can be helpful to understand what Certbot is trying to do in each case.

The three ways to prove your control over a domain for the Let’s Encrypt CA are:

Posting a specified file on a web site

This method is called the HTTP-01 challenge. In this challenge, the certificate authority will expect a specified file to be posted in a specified location on a web site. The file will be downloaded using an HTTP request on TCP port 80. Since part of what this challenge shows is the ability to create a file at an arbitrary location, you cannot choose a different location or port number.

Offering a specified certificate on a web site

This method is called the TLS-SNI-01 challenge. In this challenge, the certificate authority will expect a specified digital certificate to be provided by the web server in response to an HTTPS request using a particular made-up domain name. The request will be made using HTTPS on TCP port 443. You cannot choose a different port number.

This certificate is a self-signed certificate created by Certbot. You use it only temporarily to prove your control over a domain name. It’s not the same as the certificate for your site that will later be issued by Let’s Encrypt once you’ve proven that you control the site.

Posting a specified DNS record in the domain name system

This method is called the DNS-01 challenge. In this challenge, the certificate authority will expect a specified DNS record to be present in your DNS zone when queried for. The record will be a TXT record for a specific subdomain of the name you’re proving your control over.

For each kind of challenge, the challenge can potentially be completed automatically (Certbot directly makes the necessary changes itself, or runs another program that does so), or manually (Certbot tells you to make a certain change, and you edit a configuration file of some kind in order to accomplish it). Certbot’s design emphasizes performing challenges automatically, and this is the normal case for most uses of Certbot.

If you're using a Node server directly, you might not be serving any files out of the filesystem, and might also not be able to configure a custom certificate. This will make using either of the HTTP-01 or TLS-SNI-01 challenges difficult.

However, if you're not using port 80 at all, but if it is nonetheless reachable and not blocked by a firewall, the problem should be very simple, using --standalone in Certbot, which can create a temporary web server.

This might look like

certbot certonly --standalone --preferred-challenges http-01 -d example.com -d www.example.com

where example.com is your domain name. If this works, the certificate will be obtained but not installed; you will then have to edit your Node web server configuration to use the resulting certificate.


Still I am facing the same issue. I'm running the Node server app on 8080 and redirecting port 80 to 8080 in the firewall. Please respond.

Created. When will these certs be deleted? Do I need to renew? Can I generate a .pfx cert for signing?

The certificate will expire after 90 days and it does need to be renewed.

There have been other threads on this forum where people have explained how to create PFX files:

https://community.letsencrypt.org/search?q=pfx

Let’s Encrypt certificates are only valid for server authentication and not for code signing.
