• Stars
    star
    729
  • Rank 62,157 (Top 2 %)
  • Language
    Python
  • License
    BSD 3-Clause "New...
  • Created about 9 years ago
  • Updated over 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

letsencrypt-aws

Note: letsencrypt-aws is not well maintained at this point. You may prefer to use other Let's Encrypt automation solutions, or Amazon's Certificate Manager.

letsencrypt-aws is a program that can be run in the background which automatically provisions and updates certificates on your AWS infrastructure using the AWS APIs and Let's Encrypt.

How it works

letsencrypt-aws takes a list of ELBs, and which hosts you want them to be able to serve. It runs in a loop and every day does the following:

It gets the certificate for that ELB. If the certificate is going to expire soon (in less than 45 days), it generates a new private key and CSR and sends a request to Let's Encrypt. It takes the DNS challenge and creates a record in Route53 for that challenge. This completes the Let's Encrypt challenge and we receive a certificate. It uploads the new certificate and private key to IAM and updates your ELB to use the certificate.

In theory all you need to do is make sure this is running somewhere, and your ELBs' certificates will be kept minty fresh.

How to run it

Before you can use letsencrypt-aws you need to have created an account with the ACME server (you only need to do this the first time). You can register using (if you already have an account you can skip this step):

$ # If you're trying to register for a server besides the Let's Encrypt
$ # production one, see the configuration documentation below.
$ python letsencrypt-aws.py register [email protected]
2016-01-09 19:56:19 [acme-register.generate-key]
2016-01-09 19:56:20 [acme-register.register] email=u'[email protected]'
2016-01-09 19:56:21 [acme-register.agree-to-tos]
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

You'll need to put the private key somewhere that letsencrypt-aws can access it (either on the local filesystem or in S3).

You will also need to have your AWS credentials configured. You can use any of the mechanisms documented by boto3, or use IAM instance profiles (which are supported, but not mentioned by the boto3 documentation). See below for which AWS permissions are required.

letsencrypt-aws takes it's configuration via the LETSENCRYPT_AWS_CONFIG environment variable. This should be a JSON object with the following schema:

{
    "domains": [
        {
            "elb": {
                "name": "ELB name (string)",
                "port": "optional, defaults to 443 (integer)"
            },
            "hosts": ["list of hosts you want on the certificate (strings)"],
            "key_type": "rsa or ecdsa, optional, defaults to rsa (string)"
        }
    ],
    "acme_account_key": "location of the account private key (string)",
    "acme_directory_url": "optional, defaults to Let's Encrypt production (string)"
}

The acme_account_key can either be located on the local filesystem or in S3. To specify a local file you provide "file:///path/to/key.pem" (on Windows use "file://C:/path/to/key.pem"), for S3 provide "s3://bucket-name/object-name". The key should be a PEM formatted RSA private key.

Then you can simply run it: python letsencrypt-aws.py update-certificates.

If you add the --persistent flag it will run forever, rather than just once, sleeping for 24 hours between each check for certificate expiration. This is useful for production environments.

If your certificate is not expiring soon, but you need to issue a new one anyways, the --force-issue flag can be provided.

If you're into Docker, there is an automatically built image of letsencrypt-aws available as alexgaynor/letsencrypt-aws.

Operational Security

Keeping the source of your certificates secure is, for obvious reasons, important. letsencrypt-aws relies heavily on the AWS APIs to do its business, so we recommend running this code from EC2, so that you can use the Metadata service for managing credentials. You can give your EC2 instance an IAM instance profile with permissions to manage the relevant services (see below for complete details).

You need to make sure that the ACME account private key is kept secure. The best choice is probably in an S3 bucket with encryption enabled and access limited with IAM.

Finally, wherever you're running letsencrypt-aws needs to be trusted. letsencrypt-aws generates private keys in memory and uploads them to IAM immediately, they are never stored on disk.

IAM Policy

The minimum set of permissions needed for letsencrypt-aws to work is:

  • route53:ChangeResourceRecordSets
  • route53:GetChange
  • route53:ListHostedZones
  • elasticloadbalancing:DescribeLoadBalancers
  • elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
  • iam:ListServerCertificates
  • iam:UploadServerCertificate
  • iam:GetServerCertificate

If your acme_account_key is provided as an s3:// URI you will also need:

  • s3:GetObject

It's likely possible to restrict these permissions by ARN, though this has not been fully explored.

An example IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:GetChange",
                "route53:GetChangeDetails",
                "route53:ListHostedZones"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "iam:ListServerCertificates",
                "iam:GetServerCertificate",
                "iam:UploadServerCertificate"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

More Repositories

1

what-happens-when

An attempt to answer the age old interview question "What happens when you type google.com into your browser and press enter?"
39,628
star
2

nyt-2020-election-scraper

HTML
1,761
star
3

rply

An attempt to port David Beazley's PLY to RPython, and give it a cooler API.
Python
377
star
4

pretend

A library for stubbing in python
Python
290
star
5

django-ajax-validation

A reusable application to preform ajax validation on django forms.
Python
252
star
6

django-templatetag-sugar

This project exists to make defining template tags in Django kickass
Python
213
star
7

ecs-terraform

ECS + Terraform = Crazy delicious
HCL
203
star
8

csv-sql

Query your CSV files with SQL
Rust
192
star
9

django-fixture-generator

django-fixture-generator is a reusable django application to make writing fixtures not suck.
Python
138
star
10

zero_buffer

zero_buffer is a high-performance, zero-copy, implementation of a byte-buffer for Python.
Python
136
star
11

pyvcs

A pure python abstraction layer of multiple VCS, very lightweight.
Python
128
star
12

django-admin-histograms

A library for simple histograms in Django's admin.
Python
106
star
13

alchimia

Python
103
star
14

rust-asn1

A Rust ASN.1 (DER) serializer.
Rust
99
star
15

django-vcs

A django application for working with a VCS, analagous to some of Trac's features.
Python
86
star
16

just-use

Just Use /dev/urandom -- now with more safety at early boot
Rust
60
star
17

django-wsgi

A library for better integration between django and the WSGI world.
Python
49
star
18

python-decompiler

A decompiler for CPython bytecode
Python
48
star
19

piano-man

Python
44
star
20

django-project-skeleton

A skeleton for Django 1.4's new project template support.
Python
41
star
21

django-resume-builder

Python
36
star
22

line-counter

Like `wc -l`, but in Rust and maybe faster
Rust
29
star
23

django-plugins

A generic plugin system for django.
Python
28
star
24

otp-cop

Tooling for verifying that everyone in your orgs has 2fa enabled.
Rust
28
star
25

nba-gamethread

A game thread generator for r/nba
Python
26
star
26

vcs-translator

Python
25
star
27

bagel

Bagels are delicious
Python
22
star
28

Shore

A statically typed programming language with inspiration from C++, Python, and others.
Python
19
star
29

ct-tools

Some Rust code for submitting a cert to all of Chrome's trusted CT logs and getting back the SCTs
Rust
17
star
30

x509-validator

A pure-Python x509 validation library based on pyca/cryptography
Python
16
star
31

httpfuzz

Python
13
star
32

tracebin

The ultimate performance command and control center for PyPy.
Python
12
star
33

django-object-cache

A reusable django object cache.
12
star
34

tls-stats

A webExtension to collect TLS stats
JavaScript
11
star
35

pyelection

A python application for following the US primaries
Python
10
star
36

recipes

My Recipes
Python
10
star
37

ex-post-progress

Rust
9
star
38

evolves

A Python implementation of a genetic algorithm for generating images from polygons
Python
9
star
39

doc-extractor

Go
8
star
40

tls-cal

Python
8
star
41

election-sim

An application for following and simulating the 2008 US Presidential Election.
Python
7
star
42

alex-s-language

Inteded to be a compiled Python, by translating source files to C++
Python
7
star
43

optimizer-model

A work in progress model for a new optimizer for PyPy's JIT.
Python
7
star
44

http-client-bench

Python
7
star
45

revocation-tracker

Python
7
star
46

flickr-avatars

a small webservice to make getting flickr users' avatars
Python
6
star
47

yaffi

Yet Another FFI
Python
6
star
48

json_writer

Python
5
star
49

rdio-export

JavaScript
4
star
50

space-hogs

A game made in python with pyglet.
Python
4
star
51

csv-to-parquet

Go
3
star
52

independent-study-tracebin

Documentation for my independent study on tracebin
Python
3
star
53

montgomery-ladder-go

An implementation of modular exponentiation using the montgomery ladder in Go.
Go
2
star
54

api-serializer

Random hack, don't use.
Python
2
star
55

azure-pipelines-docker-test

2
star
56

win32k-stuff

JavaScript
2
star
57

client-beta

Go
2
star
58

temp-rust-coverage

Rust
1
star
59

doc8

Python
1
star
60

temp-gha-macos-python

1
star
61

botan-fuzzers

Fuzzer instrumentation for botan
C++
1
star