Generate SSL Certificates using Letsencrypt

This document explains how to generate and renew SSL certificates using Let's Encrypt and how to automate the certificate issuance and renewal process with the AWS Route53 plugin.

Procedure for creating a certificate manually

The steps to generate SSL certificates are given below.

• Install letsencrypt and certbot.

sudo apt install certbot

• Generate Certificate.

sudo certbot certonly --agree-tos --manual --preferred-challenges=dns -d *.openg2p.sandbox.net -d openg2p.sandbox.net

• Since the preferred challenge is DNS type, the above command asks for _acme-challenge. Create the _acme-challenge TXT DNS record accordingly, and continue with the above prompt to generate certs.

• The generated certs must be present in /etc/letsencrypt directory.

Renew certificates

• Run the same generate certs command to renew certs.

sudo certbot certonly --agree-tos --manual --preferred-challenges=dns -d *.openg2p.sandbox.net -d openg2p.sandbox.net

• The above command generates a new pair of certificates. The DNS challenge needs to be performed again, as prompted.

• Restart Nginx

sudo systemctl restart nginx

Procedure for automatically creating and renewing a certificate using the AWS Route 53 Plugin

This will help you obtain and renew SSL certificates from Let’s Encrypt using Certbot and the AWS Route 53 plugin. The Route 53 plugin automates DNS validation by creating and deleting the necessary DNS records.

Steps for Using Let’s Encrypt with the AWS Route 53 Plugin

• You need an AWS account with Route 53 hosted zones configured.

• Create an IAM user with the following permissions and have Route53FullAccess role:

• Save the access key and secret key for this user.

• Ensure Certbot is installed on your server. If not, install it

• You must own a domain name and have it configured in Route 53.

• Download and Configure AWS CLI on nginx node as root user.

  • Download AWS CLI using below commands.

  • Certbot requires access to your AWS credentials to interact with Route 53. Run the command aws configureas root user to set up your AWS credentials, which will prompt you for your AWS IAM user's access key, secret key, and default region. Then verify your AWS CLI configuration by running

• Use Certbot with the Route 53 plugin to request a certificate replace openg2p.sandbox.org with your domain. Once the certificate is generated, it will inform you that it will automatically renew when nearing expiry and systemd timer (certbot.timer) and service (certbot.service) are created in the /lib/systemd/system directory for automatic renewals.

  Note

  If you're running an Nginx server on the same node, you can add a post-hook to restart it after a certificate renewal. Simply create the file /etc/letsencrypt/renewal-hook/post/nginx-restart.sh with the command to restart Nginx. And for more info on certbot auto-renewal refer here