See ymkjp/elb_update_cert if you prefer source code but not messy human document :p
Updated at 2016-01-23: Amazon launched AWS Certificate Manager. It should be the easiest way to use certificate on ELB. See more detail at New – AWS Certificate Manager – Deploy SSL/TLS-Based Apps on AWS | AWS Official Blog.
Updated at 2016-01-23: Amazon launched AWS Certificate Manager. It should be the easiest way to use certificate on ELB. See more detail at New – AWS Certificate Manager – Deploy SSL/TLS-Based Apps on AWS | AWS Official Blog.
Step 0: Create AWS environment
Omitting description to set up VPC, EC2, ELB...
Step 1: Create new policy for the batch script
Firstly, go to https://console.aws.amazon.com/iam/home.
Select Policies > Create Policy > Create Your Own Policy > Set Permissions.
Let's name the policy whatever you want, for example
letsencrypt-aws, and fill following JSON to "Policy Document":{
"Version": "2016-01-20",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
],
"Resource": [
"*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
"iam:UploadServerCertificate",
"iam:DeleteServerCertificate"
],
"Resource": [
"*"
]
}
]
}
Step 2: Create new user to execute script
Create new user at Users > Create New Users.
Do not forget to download the user's credentials.
Then attach the policy
letsencrypt-aws which you just created at step #1 to the user.Can't find the policy? Try filtering policies by "Filter: Customer Managed Policies".
Step 3: Install packages
Login to the host, and install required packages.
sudo yum update sudo yum install -y git nginx libffi-devel puppet libffi-devel puppet httpd24 jq sudo /etc/init.d/nginx start sudo chkconfig nginx on
Step 4: Set up Nginx
Edit nginx.conf to add a location directive for Let's Encrypt.
vi /etc/nginx/nginx.conf
server {
listen 80;
server_name localhost;
root /usr/share/nginx/html;
# ...
# For Let's Encrypt
location ^~ /.well-known/acme-challenge {
root /var/www/letsencrypt;
access_log /var/log/nginx/access_letsencrypt.log;
error_log /var/log/nginx/error_letsencrypt.log;
}
}
Restart Nginx proceess to apply the new configuration.
sudo service nginx restart
Step 5: Let's try executing
Execute commands below:
cd /home/ec2-user/ git clone https://github.com/ymkjp/elb_update_cert.git git clone https://github.com/letsencrypt/letsencrypt vi /home/ec2-user/elb_update_cert/elb_update_cert.sh # Edit as yours sudo aws configure --profile elb_update_cert # Add the user you set up sudo bash elb_update_cert.sh
Working well?
Move on to the next step.
Step 6: Add cron job
Congrats. This is the final step!
sudo cp /home/ec2-user/elb_update_cert/etc/cron.d/elb_update_cert /etc/cron.d
All done!
This cron job is going to refresh your domain's certificate on ELB every month.
High five!
Any questions?
Comment to this article, or create "New issue" at https://github.com/ymkjp/elb_update_cert/issues.
Further work
- Create Docker image for step #3 to #6
- Create template by AWS CloudFormation
Hope this helps you.
Cheers!
Author:
0 件のコメント:
コメントを投稿