Letsencrypt is an excellent service for obtaining totally free security encryption certificates. Fortunately, it also has a marvelous client named Certbot. Let's install it.
In the most recent versions of Ubuntu (16.04 and newer), it's possible to install Certbot automatically using native operating system repositories. It's preferable: you'll get a global executable and a package update management out of a box. Just type the following command, and you're in business:
apt-get install certbot
If it's not an option for any reason, you can always check out the Github repository manually. In that case, you should choose an installation directory and create a global symlink by yourself.
git clone https://github.com/certbot/certbot
Generate certificates manually
To generate a certificate we need to confirm that we have control over the domain. The standard practice is to launch a Letsencrypt process on ports 80 or 443. As we can't start anything on the Cloudfront distribution or s3 servers itself, we need to use a manual validation. Let's assume that our app is running on the my-awesome-cloudfront-app.com address. Run the following command:
certbot-auto certonly --manual -d my-awesome-cloudfront-app.com
The Certbot wizard will ask you to create the file with particular content. Create it and place at the required path. Wait a few minutes after that to ensure the CloudFront cache is updated (if necessary) or verification may fail. It looks like we've got our certificates.
Apply certificates to the CloudFront distribution
We'll use the AWS CLI tool to upload the certificates to Cloudfront. Let's begin and upload one:
aws iam upload-server-certificate --server-certificate-name certificate_name --certificate-body file:///etc/letsencrypt/live/my-awesome-cloudfront-app.com/cert.pem --private-key file:///etc/letsencrypt/live/my-awesome-cloudfront-app.com/privkey.pem --certificate-chain file:///etc/letsencrypt/live/my-awesome-cloudfront-app.com/chain.pem --path /cloudfront/
A few things you may need to know about the last command:
- The name must be unique — you can't have multiple certificates with the same name. And you can't just use the same name to replace the existing one.
- Don't be afraid of the strange file:/// windows-like prefix. It's for Linux.
- The /etc/letsencrypt/live/my-awesome-cloudfront-app.com/ directory will always be a symlink to a directory with your latest certificates for the domain. The previous ones will not go anywhere — you can locate them in the /etc/letsencrypt/archive subdirectory.
- The particular `path` argument is necessary to make Cloudfront aware of you certificates. You can upload them to any path, but you simply will not find them in the web console of Cloudfront.
If you've made a mistake or you just want to delete an obsolete certificate, use the following command:
aws iam delete-server-certificate --server-certificate-name certificate_name`
Enjoy your secure web!