Cape Town to London

A blog about tech, ethics & startups

Generate an HTTPS cert using LetsEncrypt

This article is the third in a series of articles outlining how to setup a highly available, scalable, serverless single page application (SPA) using AWS S3.

In the previous article, I went over how to setup a custom domain for our app with Amazon Route 53.

In this article I will cover:

  • Installing CertBot to automatically generate signed TLS certificates.
  • Using CertBot with the DNS challenge to create a TLS certificate.
  • Creating TXT records in Route 53 to verify domain ownership to CertBot.
  • Importing our certificates to AWS Certificate Manager

Is it really so easy?

With the movement to a more secure web comes the adoption of HTTPS. This migration would be much harder if there wasn't companies out there doing their best to make securing your site fast an simple.

Install CertBot

Once you have purchased a domain via Godaddy, AWS etc. You will need to download CertBot. This tool is an easy way to interface to the LetsEncrypt server.

CertBot does not currently support Windows. In this case I can recommend spinning up an EC2 instance and using putty to SSH to the instance.

LetsEncrypt DNS Challenge

In the default mode, CertBot needs to be run from an instance that is hosting your website. Because we are hosting on AWS we do not have the option of connecting to the instance - unless we reassign the DNS to point to an instance.

So in our case we'll use the dns-challenge option with CertBot. This option will generate a string that you can add to your DNS to prove that you have control of the domain. Let's generate the cert for both the naked domain and the www domain:

$ sudo certbot certonly --manual --preferred-challenges dns \
                        -d \

Createing the TXT DNS records

If you are following the series on creating a app on S3 then you will be using Route53 for DNS management.

Go to Route 53 in the AWS Management Console and then select the hosted zone for your app.

Create a new Record Set, name it _acme-challenge and make it a TXT record. Update the value to match the outputted string (you may need to surround the value with double quotes " if there are some backslashes etc).

[caption id="attachment_192" align="aligncenter" width="279"]Creating a TXT record in route 53 Creating a TXT record in Route 53[/caption]

In your console when you hit enter, you'll be prompted with a record for the www domain. Complete the above steps for the www domain.

Before you hit the final enter to generate the certs, I recommend using a DNS checker tool such as DNSChecker to validate that the NS record has propagated. If the record has not properly propagated then the generation step will fail. You'll have to start the process again.

Adding your Certs to AWS Certificate Manager

Hitting enter for the last time will generate the cert and complete the signing process.

By default, your required certs and keys will be in /etc/letsencrypt/live/

We'll be adding these certs into the AWS Certificate Manager. Because the goal is to eventually add this onto a CloudFront distribution, we need to make sure to add the certs to the N.Virginia (us-east-1) region.

If you are only interested in using the cert to secure traffic to a load balancer then you can import the cert to the same region as the load balancer.

CloudFront can only attach AWS Certificate Manager certificates hosted in the N.Virginia (us-east-1) region.
Go to Certificate Manager in the AWS Management Console. Make sure you're in the N.Virginia region (indicated in the top right panel). Choose import a certificate.

For the three fields you'll need to copy the text certificates from your letsencrypt directory. It's sufficient to use cat to show the text and copy and paste the output to the Certificate Manager.

  • Certificate Body - cert.pem
  • Certificate private key - privkey.pem
  • Certificate chain - chain.pem
[caption id="attachment_197" align="aligncenter" width="700"]Adding Certificates to AWS Certificate Manager Adding Certificates to AWS Certificate Manager[/caption]

Select review and then import.

Next Steps

We've now imported a valid TLS certificate and key into AWS Certificate Manager. In the next article I'll go over: