Andrew Moore

Solutions Architect @ _nventive; Desktop, mobile and web developer; Tech enthusiast.

SSL Setup with Let’s Encrypt on an Origin-Pull AWS CloudFront Distribution

Getting Let's Encrypt working with auto-validation/renewal on an Origin-Pull CloudFront distribution.

CloudFront is fantastic at serving assets quickly and efficiently around the globe. However, those something.cloudfront.net hostnames can be an eyesore. If you serve your website over HTTPS and want a CNAME of your own for the static assets instead, you usually have to pay for a separate HTTPS certificate for that new domain. Not anymore.

Let’s Encrypt entered public beta early last month and provides valid SSL certificates at no cost. They provide an API and an official client (some third-party clients are available) that you can use to request and renew SSL certificates. Their root certificate is recognized by all major browsers, so you do not have to worry about your users seeing an SSL certificate validation error.

The process of using the letsencrypt client on a traditional web server is relatively simple. Facilities are even in place in the official client to aid you in the installation and renewal of your certificates. Unfortunately, using it with CloudFront requires a bit more work.

Requirements

In order to use Let’s Encrypt with Amazon CloudFront, you must install the client and the S3/CloudFront CLI plugin on your origin server.

pip install letsencrypt && pip install letsencrypt-s3front

You must also have your Amazon CloudFront distribution configured with the appropriate Alternate Domain Names entries (with the corresponding CNAME entries configured at the DNS level) and an AWS key/secret with rights to upload a server certificate and to modify the CloudFront distribution. The latter can be done using the IAM Management Console web interface.

Requesting a Certificate

In order to properly authorize your domain for Let’s Encrypt, we must mix and match plugins for the CLI client. Authorization will be done via the webroot plugin and the installation will be done using the letsencrypt-s3front plugin installed earlier.

The webroot authorization plugin allows Let’s Encrypt to write a file containing a secret value at the root of your website. Let’s Encrypt then verifies that you control the domain by requesting this file through CloudFront and checking its content. You specify the DocumentRoot of your site via the --webroot-path command line switch.

The letsencrypt-s3front installation plugin, on the other hand, uploads the generated certificate to your AWS account as a server certificate and modifies your CloudFront distribution so that the new certificate is used. letsencrypt-s3front also comes with an authorization plugin, but we are not using it in an origin-pull scenario.

Requesting a certificate can be done using the following shell script (replace the <parameters> with the proper values):

#!/bin/bash

# The letsencrypt-s3front plugin reads the AWS credentials from the environment,
# so they must be exported, not merely assigned in the shell.
export AWS_ACCESS_KEY_ID="<AWS_Access_Key>"
export AWS_SECRET_ACCESS_KEY="<AWS_Access_Key_Secret>"

# Authorize via the webroot plugin, install via letsencrypt-s3front.
letsencrypt run \
    --authenticator webroot \
    --webroot-path "<Path_To_Document_Root>" \
    --domain "<Domain_Name>" \
    --installer letsencrypt-s3front:installer \
    --letsencrypt-s3front:installer-cf-distribution-id "<CF_Distribution_Id>"

If successful, it will automatically install the new certificate on your CloudFront distribution.

Keeping the certificate updated

Let’s Encrypt certificates have a lifetime of 90 days. You must therefore keep your certificate up to date. You can do so using a slightly modified version of the above script:

#!/bin/bash

# The letsencrypt-s3front plugin reads the AWS credentials from the environment,
# so they must be exported, not merely assigned in the shell.
export AWS_ACCESS_KEY_ID="<AWS_Access_Key>"
export AWS_SECRET_ACCESS_KEY="<AWS_Access_Key_Secret>"

# --agree-tos, --renew-by-default and --text make the run non-interactive,
# which is what an unattended cron job needs.
letsencrypt run \
    --agree-tos --renew-by-default --text \
    --authenticator webroot \
    --webroot-path "<Path_To_Document_Root>" \
    --domain "<Domain_Name>" \
    --installer letsencrypt-s3front:installer \
    --letsencrypt-s3front:installer-cf-distribution-id "<CF_Distribution_Id>"

Finally, invoke the above script via cron and run it @monthly in order to keep your certificate up to date automatically!
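The webroot authorization described above only works if a file dropped under .well-known/acme-challenge/ on the origin actually comes back unchanged through the CloudFront CNAME, so it is worth probing that path before trusting the monthly cron job. The following pre-flight script is an added example and not part of the original post; its two arguments (document root and the site's base URL through CloudFront) and the probe file name are assumptions.

```shell
#!/bin/bash
# Pre-flight check for the webroot (http-01) challenge path through CloudFront.
# Usage: check-challenge-path.sh <Path_To_Document_Root> <Base_URL>
#   <Base_URL> is the site as served through the CloudFront CNAME,
#   e.g. http://cdn.example.com (assumed value, adjust to your domain).

# Fetch a URL and print the body; non-2xx responses print nothing and fail.
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# Write a random token file into the challenge directory and print its name.
write_probe() {
    local webroot="$1" dir token
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="probe-$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    printf '%s' "$token" > "$dir/$token" || return 1
    printf '%s' "$token"
}

# Returns 0 when the body fetched through CloudFront equals the token written
# on the origin, 1 otherwise (file not served, wrong path, stale cached body).
# The probe file is removed in both cases.
verify_challenge_path() {
    local webroot="$1" base_url="${2%/}" token body rc=1
    token="$(write_probe "$webroot")" || return 1
    body="$(fetch_url "$base_url/.well-known/acme-challenge/$token")"
    if [ "$body" = "$token" ]; then
        rc=0
    fi
    rm -f "$webroot/.well-known/acme-challenge/$token"
    return $rc
}

# Only act when invoked with both arguments (sourcing the file stays silent).
if [ "$#" -ge 2 ]; then
    if verify_challenge_path "$1" "$2"; then
        echo "OK: challenge path is served through CloudFront"
    else
        echo "FAIL: probe file was not served back; check the origin and the distribution" >&2
        exit 1
    fi
fi
```

Run it once from the origin server before enabling the cron entry; a FAIL here means the automated renewal would also fail at the authorization step.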
