===== Let's Encrypt Certbot =====

{{tag>linux aws}}

==== AWS CloudFront S3 Bucket ====

Make sure that you have Python 2.7 and pip installed.

You will need a user or an EC2 instance IAM role with sufficient policy permissions. Scope the policy to the S3 bucket and the CloudFront distribution that certbot actually touches rather than granting it on all resources; a sample policy is here:

https://github.com/dlapiduz/certbot-s3front/blob/master/sample-aws-policy.json

Install certbot with the s3front plugin and the awscli;

<code bash>
$ pip install --user certbot certbot-s3front awscli
</code>

Make sure that botocore is upgraded;

<code bash>
$ pip install --upgrade botocore --user
</code>

When I first ran certbot I received an error;

<code>
KeyError: 'IAMCertificateId'
</code>

The plugin assumes that the distribution's ViewerCertificate already carries an IAMCertificateId key, which is not the case when the distribution is still using, for example, the default CloudFront certificate. Before certbot successfully ran I had to replace a line in installer.py.\\
File and location:

<code>
/home/ec2-user/.local/lib/python2.7/site-packages/certbot_s3front/installer.py
</code>

Incorrect line that needs to be replaced:

<code python>
if cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:
</code>

Correct line:

<code python>
if 'IAMCertificateId' in cf_cfg['DistributionConfig']['ViewerCertificate'] and cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:
</code>

Based on comments on the reported issue on GitHub it sounds like this error will be resolved in a future version of the certbot plugin.

https://github.com/dlapiduz/certbot-s3front/issues/76#issuecomment-416308584

Run certbot to obtain the SSL certificate and install it on your CloudFront distribution;

<code bash>
certbot --agree-tos \
  -a certbot-s3front:auth \
  --certbot-s3front:auth-s3-bucket SITE.DOMAIN.TLD \
  --certbot-s3front:auth-s3-region us-east-2 \
  -i certbot-s3front:installer \
  --certbot-s3front:installer-cf-distribution-id CFDISTRIBUTIONID \
  -d SITE.DOMAIN.TLD \
  --config-dir ~/.lecbs3 --work-dir ~/.lecbs3 --logs-dir ~/.lecbs3 \
  --email hostmaster@DOMAIN.TLD --no-eff-email
</code>

The ACME account key and the certificate private keys are written under ~/.lecbs3, so keep that directory readable only by the user that runs certbot.

To automate renewal (non-interactive, always reissue) add the following;

<code>
--renew-by-default --text
</code>

Because --renew-by-default requests a fresh certificate on every run, schedule it no more often than you need; Let's Encrypt rate-limits duplicate certificates.

If you want the original install instructions you can find them on the GitHub site for the plugin.
https://github.com/dlapiduz/certbot-s3front

----

==== Wildcard with Route53 ====

Make sure that the user or instance role certbot runs as has sufficient permissions to Route53, ideally limited to the hosted zone for the domain; a sample policy is here:

https://certbot-dns-route53.readthedocs.io/en/stable/#sample-aws-policy-json

Install certbot with the Route53 DNS plugin (the package is certbot-dns-route53, which provides the --dns-route53 authenticator) and the awscli;

<code bash>
$ pip install --user certbot certbot-dns-route53 awscli
</code>

Run certbot to obtain the wildcard cert and allow it to create and remove the needed Route53 TXT records. Quote the -d argument so the shell does not try to expand the * as a glob;

<code bash>
certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 \
  -d '*.DOMAIN.TLD,DOMAIN.TLD' \
  --config-dir ~/.lecbs3 --work-dir ~/.lecbs3 --logs-dir ~/.lecbs3 \
  -n --email hostmaster@DOMAIN.TLD --no-eff-email --agree-tos
</code>

certonly only obtains the certificate; nothing installs it, so whatever serves *.DOMAIN.TLD has to be pointed at the files under ~/.lecbs3/live/ separately, and the same warning about keeping ~/.lecbs3 private applies.

----
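As an added example that is not part of this page's original instructions nor of the certbot-s3front or certbot-dns-route53 projects: a small POSIX sh wrapper that runs either of the two flows above non-interactively (for cron) and then refuses to finish quietly if any private key under the config directory is readable by other local users. The bucket, distribution id, region and e-mail are the same placeholders as in the commands above; the CERTBOT_HOME variable, the script name renew-lecbs.sh and the function names are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the page or from either certbot plugin.
# Wraps the two certbot flows above and checks key permissions afterwards.
# Placeholders (SITE.DOMAIN.TLD, CFDISTRIBUTIONID, hostmaster@DOMAIN.TLD)
# are the same as on the page; CERTBOT_HOME is an assumed variable that
# defaults to the ~/.lecbs3 directory used above.
set -u

CERTBOT_HOME="${CERTBOT_HOME:-${HOME:-/tmp}/.lecbs3}"
CERTBOT_DIRS="--config-dir $CERTBOT_HOME --work-dir $CERTBOT_HOME --logs-dir $CERTBOT_HOME"
CONTACT="hostmaster@DOMAIN.TLD"

# file_mode PATH: print the octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key_perms DIR: return 0 if every privkey*.pem under DIR is mode 600 (or 400),
# 1 otherwise, naming each offending file on stderr. Certbot keeps keys under
# DIR/archive; anything looser than owner-only read lets any local user copy the key.
check_key_perms() {
    dir="$1"
    bad=0
    for key in $(find "$dir" -type f -name 'privkey*.pem' 2>/dev/null); do
        mode=$(file_mode "$key")
        case "$mode" in
            600|400) ;;
            *) echo "WARNING: $key has mode $mode, expected 600" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# renew_s3front: the CloudFront/S3 flow from above, made non-interactive with
# --renew-by-default --text so it can run unattended.
renew_s3front() {
    certbot --agree-tos --renew-by-default --text \
        -a certbot-s3front:auth \
        --certbot-s3front:auth-s3-bucket SITE.DOMAIN.TLD \
        --certbot-s3front:auth-s3-region us-east-2 \
        -i certbot-s3front:installer \
        --certbot-s3front:installer-cf-distribution-id CFDISTRIBUTIONID \
        -d SITE.DOMAIN.TLD \
        $CERTBOT_DIRS --email "$CONTACT" --no-eff-email
}

# renew_route53: the wildcard flow from above; certonly, so nothing gets installed.
renew_route53() {
    certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 \
        -d '*.DOMAIN.TLD,DOMAIN.TLD' \
        $CERTBOT_DIRS -n --email "$CONTACT" --no-eff-email --agree-tos
}

# main FLOW: run one flow, then fail if a key ended up readable by others.
main() {
    case "${1:-}" in
        s3front) renew_s3front ;;
        route53) renew_route53 ;;
        *) echo "usage: $0 s3front|route53" >&2; return 2 ;;
    esac || return $?
    check_key_perms "$CERTBOT_HOME"
}

# Only run when executed as renew-lecbs.sh, so the functions can also be sourced.
if [ "${0##*/}" = "renew-lecbs.sh" ]; then
    main "$@"
fi
```

Save it as renew-lecbs.sh and call it as `renew-lecbs.sh s3front` or `renew-lecbs.sh route53` from cron; a non-zero exit means either certbot failed or a key was left with loose permissions, which is exactly what you want a job scheduler to alert on.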