Skip to content

SnowblindSystems/dns-01-r53

Repository files navigation

Lets Encrypt certificates via route53

This is a simple skeleton for dehydrated + dehydrated-route53-hook-script

This repo uses these projects directly to:

  1. allow you to use the acme staging server to test your process
  2. allow you to register an acme account key
  3. generate SSL keys & CSRs for each line in domains.txt
  4. fulfill acme dns-01 challenges for each CSR using cli53
  5. store the keys, CSRs, and signed certs in a configured directory (default staged/ or certs/)
There are no scripts in this repository, only configuration files and instructions.

Setup skeleton

# full-clone the repository
git clone --recursive https://github.com/SnowblindSystems/dns-01-r53
cd dns-01-r53

# edit  CONTACT_EMAIL  in config.common

# ./d is a symlink to ./dehydrated/dehydrated (inside the git submodule)

# generate & register account key
./d -f config.STAGING --register --accept-terms

# config.PRODUCTION will need its own registration later

AWS Setup

Create an IAM policy with the following rights:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListResourceRecordSets",
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange"
            ],
            "Resource": "arn:aws:route53:::change/*"
        }
    ]
}
Optionally restrict the policy to specific zones inside the first Allow:
"Resource": [ 
    "arn:aws:route53:::hostedzone/Z12345678901", 
    "arn:aws:route53:::hostedzone/Z12345678901"
]

Create an IAM user for programmatic access with the new policy directly attached

Add the new user's credentials to .credentials

export AWS_ACCESS_KEY_ID=AKIA1234567890124567
export AWS_SECRET_ACCESS_KEY=FakeFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKE

or ~/.aws/credentials

[default]
aws_access_key_id = AKIA1234567890124567
aws_secret_access_key = FakeFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKE

Generating + signing certificates

# edit  domains.txt
# see https://github.com/lukas2511/dehydrated/blob/v0.5.0/docs/domains_txt.md

# install cli53 dependency
brew install cli53 # on macOS
# otherwise see https://github.com/barnybug/cli53

# generate keys + csrs, check cert expiry date, and run challenges
./d -f config.STAGING --cron

If that works; repeat using config.PRODUCTION

Crontab

The script will only renew certs if they are within RENEW_DAYS days from expiry. (default 30).

@daily path/to/repo/d --config path/to/repo/config.PRODUCTION --cron  >/dev/null

See the main repos for more:

Todo

  • Screenshots for AWS setup