Neil Kuan
May 17, 2020

Let’s Encrypt

Posted on May 17, 2020  •  2 minutes  • 307 words

My domain is hosted on Route 53, and I know AWS also offers a free option in which ACM issues and manages certificates for an ELB, but sometimes being able to issue a few certificates of your own is quite practical.

Let's Encrypt is a certificate authority (CA) that offers free SSL/TLS certificates, and it opened to the public at the end of the year. What does that mean? In short, to add SSL (HTTPS, the green padlock in the address bar) to your website you previously had to pay to obtain a certificate; with Let's Encrypt you can obtain one for free, and the process is simple and automated.

Note that a Let's Encrypt certificate is valid for only 90 days and can be renewed every 60 days. Certbot provides fairly complete installation guides, including how to automate certificate renewal.

Certbot also provides a Docker image, which makes installing Certbot faster and simpler without polluting your environment.

Docker Hub

Because my domain is hosted on Route 53, Certbot's Route 53 plugin can complete the DNS validation for the certificate on my behalf. The role or IAM user that Certbot runs as needs the following IAM policy (the sample policy from the Certbot docs):

    {
      "Version": "2012-10-17",
      "Id": "certbot-dns-route53 sample policy",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["route53:ListHostedZones", "route53:GetChange"],
          "Resource": ["*"]
        },
        {
          "Effect": "Allow",
          "Action": ["route53:ChangeResourceRecordSets"],
          "Resource": ["arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"]
        }
      ]
    }

Replace YOURHOSTEDZONEID with the ID of your own hosted zone, so that the write permission (ChangeResourceRecordSets) is limited to that one zone.

Certbot-route53 docs

Now assume your execution environment is an EC2 instance (Ubuntu) and that the instance's IAM role already has the IAM policy above attached.

    # run the image and set the default .aws config inside the container
    $ docker run -it --rm --entrypoint ash certbot/dns-route53

    # Inside the container. Replace YOUR_DOMAIN with the domain you host in Route 53
    # and YOUR_EMAIL with your email address.
    certbot certonly --agree-tos \
       --dns-route53 \
       --dns-route53-propagation-seconds 30 \
       -d "*.${YOUR_DOMAIN}" -m ${YOUR_EMAIL} --eff-email

    # wait about 30 s
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Found credentials in shared credentials file: ~/.aws/credentials
    Plugins selected: Authenticator dns-route53, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for
    Waiting for verification...
    Cleaning up challenges

     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/${YOUR_DOMAIN}/fullchain.pem   <- the certificate is here
       Your key file has been saved at:
       /etc/letsencrypt/live/${YOUR_DOMAIN}/privkey.pem     <- the key is here
       Your cert will expire on 2020-08-15. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:
       Donating to EFF:

Then just copy the certificate and key out of the container and you are done.
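The following is an added example and not code from the original post or from the Certbot project. It wraps the two practical points of the procedure above: because the container is started with --rm, the certificate and key vanish with it unless /etc/letsencrypt is bind-mounted from the host, and because a Let's Encrypt certificate lasts 90 days you need a rule for when to renew. The script builds the issuance command with bind mounts, parses the "Your cert will expire on ..." line from certbot's output, and decides whether renewal is due using pure POSIX arithmetic (no GNU date needed). LE_DIR, the sample domain, email and output line are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Certbot.
# LE_DIR is the host directory that keeps certbot's state (assumed default
# /etc/letsencrypt); the EC2 instance role is assumed to supply Route 53 credentials.

LE_DIR="${LE_DIR:-/etc/letsencrypt}"

# Print a non-interactive issuance command for a wildcard certificate.
# Bind-mounting /etc/letsencrypt and /var/lib/letsencrypt keeps the certificate,
# key and renewal config on the host after the --rm container exits.
# $1 = domain hosted in Route 53, $2 = contact email.
certbot_issue_cmd() {
  printf 'docker run --rm -v %s:/etc/letsencrypt -v /var/lib/letsencrypt:/var/lib/letsencrypt certbot/dns-route53 certonly --non-interactive --agree-tos --dns-route53 --dns-route53-propagation-seconds 30 -d "*.%s" -m "%s"\n' \
    "$LE_DIR" "$1" "$2"
}

# Julian day number of a YYYY-MM-DD date (proleptic Gregorian). Leading zeros
# are stripped first so that "08" is not rejected as an octal literal.
jdn() {
  _y=${1%%-*}; _r=${1#*-}; _m=${_r%%-*}; _d=${_r#*-}
  _m=${_m#0}; _d=${_d#0}
  _a=$(( (14 - _m) / 12 ))
  _yy=$(( _y + 4800 - _a ))
  _mm=$(( _m + 12 * _a - 3 ))
  echo $(( _d + (153 * _mm + 2) / 5 + 365 * _yy + _yy / 4 - _yy / 100 + _yy / 400 - 32045 ))
}

# Whole days from $2 (today) until $1 (expiry), both YYYY-MM-DD.
days_left() {
  echo $(( $(jdn "$1") - $(jdn "$2") ))
}

# Certbot's default is to renew once 30 days or fewer remain of the 90-day
# lifetime (i.e. from day 60 on). Exit status 0 means "renew now".
needs_renewal() {
  [ "$(days_left "$1" "$2")" -le 30 ]
}

# Extract the expiry date from certbot's success message (read from stdin).
expiry_from_output() {
  sed -n 's/.*expire on \([0-9][0-9]*-[0-9][0-9]-[0-9][0-9]\).*/\1/p'
}

# Constructed sample: the line certbot printed in the session above.
SAMPLE_OUTPUT='   Your cert will expire on 2020-08-15. To obtain a new or tweaked'

demo() {
  exp=$(printf '%s\n' "$SAMPLE_OUTPUT" | expiry_from_output)
  echo "issue:  $(certbot_issue_cmd example.com admin@example.com)"
  echo "expiry: $exp, days left on 2020-05-17: $(days_left "$exp" 2020-05-17)"
  if needs_renewal "$exp" 2020-07-20; then
    echo "2020-07-20: renew"
  else
    echo "2020-07-20: not yet"
  fi
}

demo
```

Run the script as-is to see the generated command and the renewal decision; on the instance itself, the printed command (or simply `certbot renew` through the same bind mounts) can go into a cron job so the 90-day limit never catches you by surprise.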
