Add Cloudfront and ElasticBeanstalk support
Refactor Certificates into AWSCertificate sub-classes,
 allowing for the easy adding of new listener providers
 in the future. CloudFront and ElasticBeanstalk are both
 implemented this way. Fix alex#41

Also, add the --cert-only flag, fix alex#13

This PR supersedes alex#44 and partially alex#17
kageurufu committed May 11, 2016
1 parent a3ce2e2 commit cdaf9f3
Showing 2 changed files with 208 additions and 83 deletions.
31 changes: 26 additions & 5 deletions README.md
Expand Up @@ -4,20 +4,24 @@
automatically provisions and updates certificates on your AWS infrastructure
using the AWS APIs and Let's Encrypt.

`letsencrypt-aws` is currently capable of managing certificates for Elastic
Load Balancer, Elastic Beanstalk, and CloudFront

## How it works

`letsencrypt-aws` takes a list of ELBs, and which hosts you want them to be
able to serve. It runs in a loop and every day does the following:
`letsencrypt-aws` takes a list of domains, which hosts you want them to be
able to serve, and the provider serving them. It runs in a loop and every day
does the following:

It gets the certificate for that ELB. If the certificate is going to expire
It gets the certificate for that provider. If the certificate is going to expire
soon (in less than 45 days), it generates a new private key and CSR and sends a
request to Let's Encrypt. It takes the DNS challenge and creates a record in
Route53 for that challenge. This completes the Let's Encrypt challenge and we
receive a certificate. It uploads the new certificate and private key to IAM
and updates your ELB to use the certificate.
and updates your provider to use the certificate.

In theory all you need to do is make sure this is running somewhere, and your
ELBs' certificates will be kept minty fresh.
Provider's certificates will be kept minty fresh.

## How to run it

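Review bot: The closing sentence of this hunk reads "Provider's certificates will be kept minty fresh", which capitalises a common noun mid-sentence and uses a singular possessive where the preceding sentence talks about running this for several providers; suggest "your providers' certificates will be kept minty fresh". Two smaller points in the same hunk: the new summary line "Elastic Load Balancer, Elastic Beanstalk, and CloudFront" is missing its terminating period, and the renewal threshold sentence still says "in less than 45 days" while the surrounding text was generalised from ELB to "that provider", so it is worth confirming the 45-day threshold applies identically to the CloudFront and Elastic Beanstalk paths before describing them with one sentence.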
Expand Down Expand Up @@ -57,6 +61,14 @@ environment variable. This should be a JSON object with the following schema:
"name": "ELB name (string)",
"port": "optional, defaults to 443 (integer)"
},
"cloudfront": {
"id": "CloudFront distribution ID (string)"
},
"elasticbeanstalk": {
"name": "Application name (string)",
"environment": "Environment name (string",
"port": "optional, defaults to 443 (integer)"
},
"hosts": ["list of hosts you want on the certificate (strings)"],
"key_type": "rsa or ecdsa, optional, defaults to rsa (string)"
}
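Review bot: The `elasticbeanstalk` block has a typo in the `environment` placeholder, `"Environment name (string"`, which is missing its closing parenthesis; it should read `"Environment name (string)"` like the other fields. Also, the schema now lists `elb`, `cloudfront` and `elasticbeanstalk` as sibling keys of one domain object, which reads as if all three can be set together, while the text added later in this commit says only one provider may be specified per domain; a short "exactly one of the following" marker above the three blocks (or an `// one of` style comment in the JSON sample) would make the constraint visible where readers copy the schema from.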
Expand All @@ -66,6 +78,11 @@ environment variable. This should be a JSON object with the following schema:
}
```

Only one provider (`elb`, `cloudfront`, `elasticbeanstalk`) may currently be
specified per domain, however hosts may be specified multiple times over
different domains, to allow for configuration of a split system, including
both CloudFront and Elastic Load Balancer.

The `acme_account_key` can either be located on the local filesystem or in S3.
To specify a local file you provide `"file:///path/to/key.pem"`, for S3 provide
`"s3://bucket-nam/object-name"`. The key should be a PEM formatted RSA private
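Review bot: The new paragraph does not say what happens when a domain entry does specify more than one provider key (error at startup, first key wins, or silently ignored); since a misconfigured domain here means the certificate is issued but never attached to the intended listener, the behaviour should be documented, and ideally the loader should reject such a config rather than guess. Stylistically, "Only one provider ... may currently be specified per domain, however hosts may be specified multiple times" is a comma splice; start a new sentence at "However". Unrelated to this change but visible in the context lines: the S3 example `"s3://bucket-nam/object-name"` looks like it should be `bucket-name`.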
Expand All @@ -80,6 +97,10 @@ useful for production environments.
If your certificate is not expiring soon, but you need to issue a new one
anyways, the `--force-issue` flag can be provided.

If you need to issue certificates and upload to IAM, but your listeners are not
yet configured, or need manual intervention, the `--cert-only` flag should be
used.

If you're into [Docker](https://www.docker.com/), there is an automatically
built image of `letsencrypt-aws` available as
[`alexgaynor/letsencrypt-aws`](https://hub.docker.com/r/alexgaynor/letsencrypt-aws/).
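Review bot: The `--cert-only` paragraph should say what the operator is left with after the run, i.e. that the certificate and private key are uploaded to IAM and under what name, since the stated use case ("listeners are not yet configured, or need manual intervention") implies the operator has to find and attach the uploaded certificate by hand. It would also help to state whether `--cert-only` still performs the Route53 DNS challenge and whether it combines with `--force-issue`, which is described in the sentence directly above; as written a reader cannot tell whether `--cert-only` without `--force-issue` does anything when the existing certificate is not yet near expiry.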