Let's Encrypt Certbot

AWS CloudFront S3 Bucket

Make sure that you have Python 2.7 and pip installed. You will also need a user, or an EC2 instance IAM role, with sufficient policy permissions; a sample policy is here: https://github.com/dlapiduz/certbot-s3front/blob/master/sample-aws-policy.json

Install certbot with the s3front plugin and the awscli:

$ pip install --user certbot certbot-s3front awscli

Make sure that botocore is upgraded:

$ pip install --upgrade botocore --user

When I first ran certbot, I received an error:

KeyError: 'IAMCertificateId'

Before certbot ran successfully, I had to replace a line in installer.py.
File and location:

/home/ec2-user/.local/lib/python2.7/site-packages/certbot_s3front/installer.py

Incorrect line that needs to be replaced:

if cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:

Correct line:

if 'IAMCertificateId' in cf_cfg['DistributionConfig']['ViewerCertificate'] and cf_cfg['DistributionConfig']['ViewerCertificate']['IAMCertificateId'] == self.certificate_id:

Based on comments on the reported issue on GitHub, it sounds like this error will be resolved in a future version of the certbot plugin: https://github.com/dlapiduz/certbot-s3front/issues/76#issuecomment-416308584
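As an added illustration (not code from the certbot-s3front plugin), the snippet below shows why the key can be missing: CloudFront's DistributionConfig only carries the key for whichever certificate source is active, so a distribution still on the default *.cloudfront.net certificate or on an ACM certificate has no IAMCertificateId at all, and indexing it directly raises the KeyError above. The dicts are constructed samples modelled on GetDistributionConfig output, and the certificate id is a placeholder.

```python
"""Safely inspect a CloudFront DistributionConfig's ViewerCertificate.

Constructed sample data; the id below is a placeholder, not a real IAM
server certificate id.
"""

# Distribution still on the default CloudFront certificate. There is no
# 'IAMCertificateId' key at all, which is what breaks the unpatched check.
DEFAULT_CERT_CFG = {
    "DistributionConfig": {
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": True,
            "MinimumProtocolVersion": "TLSv1",
            "CertificateSource": "cloudfront",
        }
    }
}

# Distribution already pointed at an uploaded IAM server certificate.
IAM_CERT_CFG = {
    "DistributionConfig": {
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": False,
            "IAMCertificateId": "ASCAEXAMPLE1234567890",  # placeholder id
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.1_2016",
            "CertificateSource": "iam",
        }
    }
}


def current_certificate(cf_cfg):
    """Return (source, identifier) for the certificate CloudFront is serving.

    Only the key for the active source is present, so test for membership
    instead of indexing with [] to avoid the KeyError the page describes.
    """
    vc = cf_cfg["DistributionConfig"]["ViewerCertificate"]
    if vc.get("CloudFrontDefaultCertificate"):
        return ("cloudfront", None)
    if "ACMCertificateArn" in vc:
        return ("acm", vc["ACMCertificateArn"])
    if "IAMCertificateId" in vc:
        return ("iam", vc["IAMCertificateId"])
    raise ValueError("ViewerCertificate has no recognised certificate key")


def uses_iam_certificate(cf_cfg, certificate_id):
    """The comparison the patched installer.py line makes, with the guard."""
    return current_certificate(cf_cfg) == ("iam", certificate_id)
```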

Run certbot to obtain an SSL certificate and install it on your CloudFront distribution:

$ certbot --agree-tos -a certbot-s3front:auth --certbot-s3front:auth-s3-bucket SITE.DOMAIN.TLD --certbot-s3front:auth-s3-region us-east-2 -i certbot-s3front:installer --certbot-s3front:installer-cf-distribution-id CFDISTRIBUTIONID -d SITE.DOMAIN.TLD --config-dir ~/.lecbs3 --work-dir ~/.lecbs3 --logs-dir ~/.lecbs3 --email [email protected] --no-eff-email

To automate renewal, add the following:

--renew-by-default --text

If you want the original install instructions, you can find them on the GitHub site for the plugin: https://github.com/dlapiduz/certbot-s3front

Wildcard with Route53

Make sure you have sufficient permissions for Route53; a sample policy is here: https://certbot-dns-route53.readthedocs.io/en/stable/#sample-aws-policy-json

Install certbot with the Route53 DNS plugin and the awscli:

$ pip install --user certbot certbot-dns-route53 awscli

Run certbot to obtain the wildcard cert, allowing it to create and remove the needed Route53 records (the -d value is quoted so the shell does not expand the * as a glob):

$ certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d '*.DOMAIN.TLD,DOMAIN.TLD' --config-dir ~/.lecbs3 --work-dir ~/.lecbs3 --logs-dir ~/.lecbs3 -n --email [email protected] --no-eff-email --agree-tos