Let’s Encrypt Wildcard Certificate Configuration with AWS Route 53


Install certbot together with the nginx and dns-route53 plugins (package names differ between EPEL releases; these are the ones used here):
yum install python-certbot-nginx python3-certbot-dns-route53
 Find the hosted zone ID in the AWS Route 53 console (Hosted zones -> your zone). The policy below is scoped to this single zone ID.
 satya.com.np zone id: xxxx

 1. Create a custom IAM policy from the JSON below. It grants only what certbot-dns-route53 needs: ListHostedZones and GetChange (which only exist on "*") and ChangeResourceRecordSets limited to the one hosted zone. Note that the IAM policy "Version" field is a fixed schema version, not a date you choose; "2012-10-17" is the only value IAM currently accepts and the console will reject anything else.
 Hosted Zone ID: xxxx
 {
   "Version": "2012-10-17",
   "Id": "letsencrypt-mac policy",
   "Statement": [
     {
       "Effect": "Allow",
       "Action": ["route53:ListHostedZones", "route53:GetChange"],
       "Resource": ["*"]
     },
     {
       "Effect": "Allow",
       "Action": ["route53:ChangeResourceRecordSets"],
       "Resource": ["arn:aws:route53:::hostedzone/xxxx"]
     }
   ]
 }

 2. Create an IAM user and attach the custom policy created above to that user (nothing else; this user should be able to do exactly one thing).
 Select "Programmatic Access" under "Access type".
 On the final screen you are shown the access key ID and secret access key; the secret is only displayed once, so store it now.
 IAM user: letsencrypt-mac

 3. Make the credentials available to certbot. The dns-route53 plugin uses the standard boto3 credential chain, so either of these works for the interactive run:
 export AWS_ACCESS_KEY_ID=aaaaaaaa
 export AWS_SECRET_ACCESS_KEY='bbbbbbb'
 Putting these exports in ~/.bash_profile only helps in interactive shells: cron does not source it, so the renewal job in step 6 would fail with a missing-credentials error. For unattended renewal put the keys in /root/.aws/credentials (mode 600, owned by root) instead, or, if the server is an EC2 instance, attach the policy to an instance role and store no long-lived keys at all.

 4. Now request the certificate from that server. Wildcard names require the DNS-01 challenge, which is why the Route 53 plugin is used; the bare domain and the wildcard are requested together so one certificate covers both. Keep --config-dir the same for issuance, renewal and the cron job, otherwise "certbot renew" will not find the certificate; the default /etc/letsencrypt is used here.
 certbot certonly \
 -n \
 --agree-tos \
 --email [email protected] \
 -d satya.com.np \
 -d '*.satya.com.np' \
 --dns-route53 \
 --preferred-challenges=dns \
 --logs-dir /tmp/letsencrypt \
 --config-dir /etc/letsencrypt \
 --work-dir /tmp/letsencrypt

 5. Renew. Wildcard certificates are only issued by the ACME v2 endpoint, hence the explicit --server. The authenticator and the options from step 4 are stored in the renewal config, so --dns-route53 is optional here, but --config-dir must point at the same directory used at issuance.
 certbot renew --dns-route53 --logs-dir /tmp/letsencrypt --config-dir /etc/letsencrypt --work-dir /tmp/letsencrypt --non-interactive --server https://acme-v02.api.letsencrypt.org/directory

 6. Cron job. The "root" user field is only valid in /etc/crontab or a file under /etc/cron.d; in a per-user crontab (crontab -e) drop it. Running twice a day is what Let's Encrypt recommends; certbot only renews when the certificate is within 30 days of expiry, so the job is cheap. The hook reloads nginx after a successful renewal so the new certificate is actually served (--renew-hook still works but is a deprecated alias for --deploy-hook). Remember that this job runs as root without your shell profile, so the AWS credentials must be in /root/.aws/credentials or an instance role.
 0 */12 * * * root certbot -q renew --deploy-hook 'service nginx reload' >> /var/log/letsencrypt/renew.log 2>&1
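The point of steps 1 and 2 is that the key sitting on this web server can only write DNS records in one zone. The script below is an added example for this post (not certbot or AWS code) that generates that least-privilege policy for one or more hosted zone IDs and audits an existing policy document for the mistakes that usually creep in: a wrong Version string, a wildcard action such as route53:*, or ChangeResourceRecordSets on Resource "*", which would let a compromised server rewrite every zone in the account. The zone ID and policy name are placeholders; the optional TXT-only condition uses the route53:ChangeResourceRecordSetsRecordTypes condition key that AWS documents for ChangeResourceRecordSets, which you should confirm in the IAM policy simulator before relying on it.

```python
#!/usr/bin/env python3
"""Build and audit the least-privilege IAM policy for certbot-dns-route53.

Added example for this post; not certbot or AWS code. Zone IDs below are
placeholders. The TXT-only condition key is the one AWS documents for
ChangeResourceRecordSets; verify it in the IAM policy simulator.
"""
import json

IAM_POLICY_VERSION = "2012-10-17"  # the only Version IAM accepts; it is not a date you pick
ZONE_WIDE_ACTIONS = ("route53:ListHostedZones", "route53:GetChange")  # only exist on "*"
ZONE_SCOPED_ACTIONS = ("route53:ChangeResourceRecordSets",)           # must be zone-scoped
ALLOWED_ACTIONS = ZONE_WIDE_ACTIONS + ZONE_SCOPED_ACTIONS


def build_policy(zone_ids, policy_id="letsencrypt-mac policy", txt_only=True):
    """Return the policy document (as a dict) scoped to the given hosted zones.

    With txt_only=True the write permission is further limited to TXT records,
    which is all the ACME DNS-01 challenge needs.
    """
    write_stmt = {
        "Effect": "Allow",
        "Action": list(ZONE_SCOPED_ACTIONS),
        "Resource": [f"arn:aws:route53:::hostedzone/{zone}" for zone in zone_ids],
    }
    if txt_only:
        write_stmt["Condition"] = {
            "ForAllValues:StringEquals": {
                "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
            }
        }
    return {
        "Version": IAM_POLICY_VERSION,
        "Id": policy_id,
        "Statement": [
            {"Effect": "Allow", "Action": list(ZONE_WIDE_ACTIONS), "Resource": ["*"]},
            write_stmt,
        ],
    }


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy is as tight
    as the certbot Route 53 plugin needs."""
    findings = []
    if policy.get("Version") != IAM_POLICY_VERSION:
        findings.append(
            f"Version must be {IAM_POLICY_VERSION}, got {policy.get('Version')!r}"
        )
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow what is granted
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants far more than intended")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: {action!r} is not needed by certbot-dns-route53")
            elif action in ZONE_SCOPED_ACTIONS and any("*" in r for r in resources):
                findings.append(
                    f"statement {i}: {action} on a wildcard resource allows rewriting every hosted zone"
                )
    return findings


if __name__ == "__main__":
    policy = build_policy(["Z0123456789EXAMPLE"])  # placeholder zone ID
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy))
```

Paste the printed JSON into the custom-policy editor in step 1. Running audit_policy over the policy as it appeared in this post before the Version fix reports the bad Version; a policy with "Resource": ["*"] on ChangeResourceRecordSets is reported as well, which is the one mistake that turns a leaked key on this server into control of every zone in the account.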
