
I've written a script that creates an AWS EC2 instance via API and I need to automate the install of the wildcard certificates to be used by this new instance for HTTPS via Apache.

Previously, I had this solved by running LetsEncrypt/CertBot on the user-data script being passed via API, but because of the TLS-SNI-01 vulnerability issues, I decided to get a proper wildcard certificate to my domain and I'm updating the script accordingly.

As such, I'm wondering which strategy would best fit my purpose. Ultimately, I would just need to copy the cert files to a certain folder on the newly created instance, but I'm afraid I might be just reinventing the wheel - does Amazon have any tool to facilitate this?

On the other hand, should I have to resort to simply copying files, what would be a good place to store them so that they could be obtained via the user-data script? AWS S3?

I'm fairly new to server deployment/configuration, especially on AWS, so any help would be very welcome.

Joum
    Put a load balancer or CloudFront in front of it, and let AWS manage the cert with the ACM offering. – ceejayoz Jan 22 '18 at 15:39
  • Plus one to ceejayoz's option, the certs from amazon are free too, although they can only be used with loadbalancers, cloudfront and the like rather than directly on servers. Have their loadbals terminate the SSL and forward on to port 80 on your server. – Alex Berry Jan 22 '18 at 16:37
  • I have Acme run Let's Encrypt on startup. Since you have the certificate you could just store it on S3 and download it when the server starts. This is assuming you can't do the standard things as recommended above like using an ELB. – Tim Jan 22 '18 at 18:37

1 Answer


While I agree with ceejayoz that the best option is to use an ALB or ELB for SSL offloading, if you must terminate at the EC2 level, you can do a one-time import of the certificate via the CLI command 'aws acm import-certificate', documented at https://docs.aws.amazon.com/cli/latest/reference/acm/import-certificate.html, then during the startup of EC2 instances download the cert via 'aws acm get-certificate', documented at https://docs.aws.amazon.com/cli/latest/reference/acm/get-certificate.html.
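One caveat for the ACM route: 'aws acm get-certificate' returns only the certificate and chain, never the private key, so the key still needs its own protected store (S3 with SSE-KMS, as Tim suggests, or SSM Parameter Store). The user-data script below is an added example, not code from the question or the answer; the bucket name, key prefix and Apache directory are assumptions. It fetches the files, installs them with root-only permissions on the key, and checks that the key actually matches the certificate before Apache is reloaded.

```bash
#!/bin/bash
# Added example user-data snippet (not from the original post). Assumed names:
# the S3 bucket, the object prefix and the Apache TLS directory. Grant the
# instance role s3:GetObject on these objects only, and keep the bucket
# encrypted with SSE-KMS so the private key is never plaintext at rest.
set -eu

CERT_BUCKET="${CERT_BUCKET:-example-tls-bucket}"      # assumed bucket name
CERT_PREFIX="${CERT_PREFIX:-wildcard.example.com}"    # assumed object prefix
APACHE_TLS_DIR="${APACHE_TLS_DIR:-/etc/ssl/apache}"   # assumed target dir

# Download the full chain and the private key into a scratch directory.
fetch_from_s3() {
  local dest="$1"
  for f in fullchain.pem privkey.pem; do
    aws s3 cp "s3://${CERT_BUCKET}/${CERT_PREFIX}/${f}" "${dest}/${f}"
  done
}

# Install with least-privilege modes: chain 0644, key 0600. Returns 1 when
# either file is missing or empty so a broken deploy fails loudly.
install_tls_material() {
  local src="$1" dest="$2"
  [ -s "${src}/fullchain.pem" ] && [ -s "${src}/privkey.pem" ] || return 1
  install -d -m 0755 "${dest}"
  install -m 0644 "${src}/fullchain.pem" "${dest}/fullchain.pem"
  install -m 0600 "${src}/privkey.pem" "${dest}/privkey.pem"
}

# Compare the SPKI of the leaf certificate with the public half of the key;
# a mismatch means the wrong key was uploaded and Apache would fail to start.
key_matches_cert() {
  local dir="$1" c k
  c=$(openssl x509 -noout -pubkey -in "${dir}/fullchain.pem" | sha256sum)
  k=$(openssl pkey -pubout -in "${dir}/privkey.pem" | sha256sum)
  [ "$c" = "$k" ]
}

main() {
  local tmp
  tmp=$(mktemp -d)
  chmod 0700 "$tmp"
  fetch_from_s3 "$tmp"
  install_tls_material "$tmp" "$APACHE_TLS_DIR"
  key_matches_cert "$APACHE_TLS_DIR"
  rm -rf "$tmp"
  systemctl reload httpd 2>/dev/null || systemctl reload apache2
}

# cloud-init runs user-data as a script; set RUN_USERDATA=1 to execute the flow.
if [ "${RUN_USERDATA:-0}" = 1 ]; then main; fi
```

Rotating the wildcard certificate then means replacing the two objects in S3; instances launched afterwards pick up the new material without any change to the script.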